Major problems with sessions

shane1090

Hi, i;ve almost completed my site, but just came across a huge bug involving sessions. When i log onto the site (once logged into the site you come to another screen with a link that opens up a popup window which is where my game is played from) the game is fine, all information is put into the correct parts of the database etc, and it runs fine. If i was then to just close down the windows without logging out properly, then login as someone else, all the previous sessions are still stored so the information goes into the wrong database's.

I have no idea how to fix this, and was wondering if their was some sort of script that could destroy the sessions if the user closed down the window.

Any help will be most grateful as the sites meant to be launched tomorrow!

Thanks

bastien

Welcome to the biggest headache of the internet. There are a few ways to mitigate the problem

Shorten the timespan until the session logs out(without activity) Default is 20min.

Try using a js routine using the OnUnload function to fire a message to the server to destroy the session data.

None are 100% reliable.

trooper

What you want to do is ensure that your session lifetime is set to 0

That way when the browser is closed (remember that means all browers not just the one you playing the game on) then the session will die

HTH

CrashRoX

Originally posted by bastien

Try using a js routine using the OnUnload function to fire a message to the server to destroy the session data.

[/B]

The OnUnload will only work in IE I think...

When you have the second user login, have it create a whole new session_id either using he built in php session_id() function. Or write a little function to create random session ids. Another idea is recording your sessions in the database. Then you can limit the lengths (via a timestamp holder field), and you can store the users uniquely in there.

Diomedes

I don't know how you store the user session id, so I can't be really precise.
If you are using a database like MySQL to store session data, you usually retrieve session informations from a table (say "session"). So, when someone wants to close your game window, the idea is that the action of closing the window makes a function run (say "delete_session()") that cause the table "session" been rid of the user session data. Next, the same function unsets the cookies stored on the user computer.
Hope to have given an useful hint.

P.S.: if you can, DON'T ever use javascript.
Use it only as the ultimate resource!

Weedpacket

Originally posted by trooper
What you want to do is ensure that your session lifetime is set to 0

But then of course everytime anyone (including, I wouldn't be surprised, yourself) hits the server there is a 1% (by default) chance that your session will be demolished no matter how quickly you're moving around the site.

The session will die when you close down the browser no matter what the lifetime is, because the browser loses the session ID in the process. The session data is still sitting on the server for the life of the session (after which it becomes eligble for garbage collection), but no-one's going to be using it because they don't have the session ID.

bastien

there was an article on this site about a custom session handling. It may or may NOT meet your needs, but you might want to look at it....

yelvington

The situation Shane describes -- "all the previous sessions are still stored so the information goes into the wrong databases" -- doesn't make sense.

PHP session cookies are, by default, set to a lifetime of "0," which means any normal browser will delete the cookie when the browser is closed.

Without the cookie, there is no "handle" to grab the data that might or might not persist server-side. In other words, this problem does not exist.

If you are propagating the session ID in the URL, and allow that to continue through a new login, that's your own fault.

shane1090

No, what i have stated is completly true. I created a login script, which use's sessions. For some reason when i logged out, then logged back in again (closing all browsers then loading them back up again), it thought i was the past user, and all information went into the wrong database.

For some reason, its fixed itself now, and their is not a problem - hopefully.

Thanks for all the feedback