timing your sessions is almost mandatory. i always store a time() timestamp and then at the top of every page that requires a login run
$timeout_sql = <<<SQL
SELECT timestamp
FROM tbl_session
SQL;
$result = pg_query($db, $timeout_sql);
// a session has expired once its last-seen time plus the timeout is already in the past
$cutoff = time() - TIMEOUT_IN_SECONDS;
for ($i = 0; $i < pg_num_rows($result); $i++)
{
    $this_timestamp = pg_fetch_row($result, $i);
    if ((int)$this_timestamp[0] < $cutoff)
        @pg_query_params($db, "DELETE FROM tbl_session WHERE timestamp = $1", array($this_timestamp[0])) or die;
}
where of course i define TIMEOUT_IN_SECONDS somewhere along the way...
of course this means that the user viewing the page runs the possibility of killing his or her own session... so we deal with that by calling session_destroy() if their session_id ain't in the database.
$amihere_sql = <<<SQL2
SELECT *
FROM tbl_session
WHERE session_id = $1
SQL2;
// bind the id as a parameter: it comes from the client's cookie, so never splice it into the SQL
$result = pg_query_params($db, $amihere_sql, array($session_id));
if (pg_num_rows($result) == 0)
    session_destroy();
thus, if yer user lets his login time out, the next login-required page he/she hits will check to see if a time out has occurred and remove that session_id from the database. the next step checks to see if the session_id is in the database (it isn't since we already got rid of it). since there's no matching session id, session_destroy() is called. this way, each page purges old sessions and implements a login timeout as well.
as a side note, i just wrote this from memory without testing so you may have to fiddle with it a wee bit.
-frymaster
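An added example, not from frymaster's post: the same purge-then-check flow modelled in Python over an in-memory SQLite table standing in for the PostgreSQL tbl_session, so it runs stand-alone. It goes slightly beyond the post: the expiry test is written as timestamp < now - TIMEOUT_IN_SECONDS (a now + TIMEOUT comparison would match every live row), the purge is a single DELETE, the lookup is parameterised, and a successful check refreshes the timestamp so the limit behaves as an idle timeout. TIMEOUT_IN_SECONDS = 900 and the session ids are assumed values.

```python
import sqlite3

TIMEOUT_IN_SECONDS = 900  # assumed value; the post leaves this to the reader


def open_session_db():
    """In-memory stand-in for tbl_session (constructed for this example)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tbl_session (session_id TEXT PRIMARY KEY, "
               "timestamp INTEGER NOT NULL)")
    return db

def purge_expired(db, now):
    """Delete sessions older than the timeout; returns the number purged."""
    # expired when timestamp + TIMEOUT < now, i.e. timestamp < now - TIMEOUT
    # (one DELETE replaces the post's select-loop-delete)
    cutoff = now - TIMEOUT_IN_SECONDS
    cur = db.execute("DELETE FROM tbl_session WHERE timestamp < ?", (cutoff,))
    db.commit()
    return cur.rowcount

def check_login(db, session_id, now):
    """Post's per-page check: purge, then see whether our own session survived."""
    # True = still logged in (timestamp refreshed, making this an idle timeout);
    # False = caller should session_destroy()
    purge_expired(db, now)
    # parameterised: session_id arrives in the client's cookie
    row = db.execute("SELECT 1 FROM tbl_session WHERE session_id = ?",
                     (session_id,)).fetchone()
    if row is None:
        return False
    db.execute("UPDATE tbl_session SET timestamp = ? WHERE session_id = ?",
               (now, session_id))
    db.commit()
    return True

def demo():
    db = open_session_db()  # fixed clock t0 instead of time() keeps this deterministic
    t0 = 1_000_000
    db.executemany("INSERT INTO tbl_session VALUES (?, ?)",
                   [("alice", t0), ("bob", t0 - TIMEOUT_IN_SECONDS - 1)])
    db.commit()
    alive = check_login(db, "alice", t0)        # fresh session: True
    stale = check_login(db, "bob", t0)          # already past the timeout: False
    still = check_login(db, "alice", t0 + 600)  # active within 15 min: True
    gone = check_login(db, "alice", t0 + 600 + TIMEOUT_IN_SECONDS + 1)  # idle: False
    return alive, stale, still, gone
```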