garbage collection on session files

sfullman

In other systems you're logged out after x minutes of activity. I've found from my experience this doesn't work on my server.

I know that a session starts a session file in a TMP directory; every time a session start is called on a page, the file is (I guess) at least touched even if no vars are written. The file will eventually be cleaned up by garbage collection.

But how do you control the garbage collection? From my experience I can be on a logged in section of my site, not touch it for hours, and come back and still be logged in.

Thanks,
Sam

beckjo1

i've set my session start php to expire the cookie after 5 minutes of inactivity. Maybe something in the php code i am using will help you ...
<?php
//this file is the gateway file. dont put anything to display here, because it is meant as a reroute

session_start(); //start the session
//i used an include file for all of my db stuff, makes it a LOT easier for creating new pages
include("includedb.php");

//added this part because if someone hits submit with the username/password boxes empty, you could get in
//so i set the string length to less than two, but you can use any number you wish - its dependent
//on how long your usernames and passwords must be

$loginstr="$username"."$password";
$loginstrlen=strlen($loginstr);

if ($loginstrlen<2){

//confused on headers? see the manual
//this means - go to index.php

Header("Location: index.php");
$error = 1;
session_register("error");

}

//this part is from phpbuilder.com
if (@$username && @$password) {
$res = @("SELECT username,password FROM $connectdb1 WHERE username='$username' AND password='$password'");
if(@mysql_num_rows($res) != 0) {
Header("Location: pageone.php");
$verified_user = $username;
$verified_userpw = $password;
session_register("verified_user");
session_register("verified_userpw");
//setting a cookie to expire in 300 seconds (you can change it)
//this will not let someone do something after a certain amount(60 seconds) of inactivity
//
//change the domain to match yours
//or else you will have problems
//dont forget to use two .'s

    setcookie("time",$PHPSESSID,time()+300,"/",".cadencebackgrounds.com",0); 
    }

else {

//if you are bad, you go back and reenter your password, mister!
Header("Location: index.php");
$error = 1;
session_register("error");
}
}
?>

hope it helps. I've tested it and it works even though I haven't uploaded the login area yet

Weedpacket

See also php.ini - there are a whole pile of session-related settings to play with there, and documentation about how to use them.