[RESOLVED] Check a session w/o extending it.

Chris_96_WS6

I manage a corporate web app. The PHP sessison limit is set for 24 minutes on the server, and I cannot modify it.

Users complain that if they leave the app open and come back to it later, it "kicks" them out to the login page w/o warning. Obviously to you and I, their session has expired. This is frustrating if the user was submitting a form that sat in their browser inactive while the session expired.

So, I've come up with a session expiration notice. Using AJAX, every minute I make a call to a php script which checks for the presence of two key session variables.

The only problem is that running the script extends the session length since it registers as session activity.

How can I check on a session w/o extending the session? Could I check a session ID w/o using session_start(); ?

Here's my session checker script:

session_start();

if( !isset($_SESSION['VUNETID']) || !isset($_SESSION['PersonIndex']) ) {

   echo "1";

} else {

   echo "0";	

}

If "1" is returned to xmlhttp.responseText, the AJAX script then displays a shadowbox which prompts the user to return to the login screen and re-authenticate.

Chris_96_WS6

I think I found a way around this. testing it now...

I created a new variable $_SESSION['last_activity'] = time() which is set at login and updated each time a page is accessed during the session.

Now the PHP script looks like this:

// check session variables

session_start();

if((time() - $_SESSION['last_activity']) > 1800 ) {

   session_unset();	
   session_destroy();

   echo "1";

} else {

   echo "0";	

}

So instead of relying on the native session timeout, I'm extending it every 60 seconds when the AJAX call is made, but I'm also checking the current timestamp against $_SESSION['last_activity']. When the difference is greater than 30 minutes, the logout notice will pop up.