session security issue

Anon

I thought I would take another stab at explaining my problem. Using sessions to keep track of authenticated users, if a user leaves my site without explicity logging out then they are not logged out. They could shut their computer down and start it back up and they will still be logged in.

If they go to the log out page and log out, then ok. I session_unregister("valid_user") and they are logged out. I tried session_destroy() too (and that also works) but getting users logged out from the logout page isn't my problem. If they don't go to the logout page, then they are still in, and that's my problem.

This is supposed to be a secure site so it's a big problem for me, given users are not always going to go logout. I think it has to do with the PHPSESSID cookie persistency, but not sure. I tried getting rid of the cookie with setcookie("PHPSESSID") but no luck. My PHPSESSID cookie stays 1a15205610ad2d44dfb59777fa32a7d7 no matter what.

Any thoughts? help?
Thanks!

Anon

The easiest way is:
store a randomly generated text (md5 (uniqid (....) variable, let's say $sid in the session, and make up a table in a database, or a text file, in which you store all the data related to a user (last activity, login time, username etc...). Write a script which fires at the beginning of every script, and tests the user's $sid variable against the data stored in your database. Additionally define a deadtime for a user session (let's say 3600 seconds), and have this script remove those users, who pass the time limit, removed from the database. This might be a little inconvenient for the users, but, 'till now this was the best method for me...

Anon

Thanks for the help, that is exactly the functionality that I am looking for, including the timeout feature. I would like to see if I can get it done without hitting the database each time, but I'll keep this fix in mind.

I have finally managed to get that persistent cookie gone and now it's behaving like it should, with PHPSESSID cookie being destroyed when the browser is closed, and thereby logging the user out. I must have inadvertently set the PHPSESSID cookie with an expiration date, but I finally figured out that setcookie("PHPSESSID","","","/","") would get rid of it.

Anon

Here is what I do to keep from hitting the DB after a user has logged in...

session_start(); // must be done before sending contents
session_register("Time"); // timeout value
session_register("Valid"); // is user valid 0 1
... more variables I wish to include ...

if (($Valid == 1) && ($Time > date(U))) {
$Time = date(U) + 1800; // 30 minutes }
else {
reloggin if login is successful
$Time = date(U) + 1800; // 30 minutes
$Valid = 1; }

This is all on the Server, so there is no way anyone can modify their $Time or $Valid.