I am working on this authentication system which uses sessions.
On my first attempt, I made a script, and it was working fine. When I was looking at the session variable files, PHP/the server was doing a good job. If the session is deregistered, the file is deleted; if not, when the script is executed next time, one (or several) files are deleted and a new file is created.
After I realized it was working fine, I was trying to tidy up the scripts. I separated the script which starts the session and, using require();, called it when I needed it.
After I finished tidying up, I checked again how the session variable files are handled. To my disappointment, if the session is not deregistered, the session variable file stays on the server (it has been 2 days).
If the system goes live, I will end up with thousands of session files.
Is there any way to control that?
I will appreciate your suggestions.
Below is my authentication script.
Max
<?php
session_start();
require("config.php");
// $login_status - user logged in = 1, user not logged in = 0, user cannot be found or incorrect details = 2, has not tried to log in yet or has logged out = 3;
if ($email && $password) {
    // if the user has just tried to log in
    // base64 output contains only [A-Za-z0-9+/=], so it cannot break out of the quoted SQL string
    $password = base64_encode($password);
    // Connect to DB
    @$db = mysql_pconnect($mysql_host, $mysql_user, $mysql_pass) or die ("Could not connect to database server");
    mysql_select_db("$mysql_db") or die ("Could not connect to database: $mysql_db ");
    // Normalise the e-mail and escape it before it goes into the query (needs the open connection)
    $useremail = mysql_real_escape_string(strtolower(trim($email)), $db);
    // Mysql query to get results
    $query = "SELECT * FROM users WHERE useremail='$useremail' AND password='$password' LIMIT 1";
    $result = mysql_query($query);
    if ($result && mysql_num_rows($result) > 0) {
        // if the user is in the database, register the user
        $row = mysql_fetch_array($result);
        $valid_user = ($row["user_id"]);
        $query = "UPDATE users SET last_logon = '$today_date' WHERE user_id = '$valid_user' LIMIT 1";
        $result = mysql_query($query);
        mysql_close($db);
        $first_name = stripslashes($row["first_name"]);
        $last_name = stripslashes($row["last_name"]);
        $username = $first_name." ".$last_name;
        session_register("valid_user", "username");
    }
}
if ((session_is_registered("valid_user")) && (session_is_registered("username"))) {
    $login_status = 1;
} else {
    //$useremail = strtolower(trim($email));
    if (!empty($email)) {
        // if they've tried and failed to log in
        $login_status = 2;
    } else {
        // they have not tried to log in yet or have logged out
        $login_status = 3;
    }
    //not logged in
    ///$login_status = 0;
}
?>
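An added example, not part of the original post: one way to keep abandoned session files from piling up, written for current PHP rather than the `session_register()` API used above. The function names, the `last_seen` key and the 30-minute limit are assumptions made for this sketch; the `session.gc_*` settings are PHP's own.

```php
<?php
// Hypothetical include that replaces a bare session_start() in every script.

// Idle time after which a session counts as abandoned (constructed value).
const SESSION_IDLE_SECONDS = 1800;

function start_managed_session(): void
{
    // Must be set before session_start(). Garbage collection runs at session
    // start with probability gc_probability / gc_divisor and removes session
    // files not modified for more than gc_maxlifetime seconds.
    ini_set('session.gc_maxlifetime', (string) SESSION_IDLE_SECONDS);
    ini_set('session.gc_probability', '1');
    ini_set('session.gc_divisor', '100');
    // Strict mode makes PHP reject a session ID it did not issue itself.
    ini_set('session.use_strict_mode', '1');
    session_start();

    // GC is probabilistic, so a stale file can outlive gc_maxlifetime.
    // Enforce the idle limit explicitly as well.
    $now = time();
    if (isset($_SESSION['last_seen'])
        && $now - $_SESSION['last_seen'] > SESSION_IDLE_SECONDS) {
        end_managed_session();
        session_start(); // strict mode issues a fresh ID here
    }
    $_SESSION['last_seen'] = $now;
}

function end_managed_session(): void
{
    // Call this on logout: clear the data, expire the cookie, remove the file.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy(); // the default "files" handler deletes the session file
}
```

If `session.gc_probability` is 0 in `php.ini`, PHP never collects session files itself and cleanup has to come from an external scheduled job.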