detecting session timeout or tracking concurrent sessions

This topic is closed.
  • runner7

    detecting session timeout or tracking concurrent sessions

    Can anyone tell me if there is a way in PHP to determine when a session
    times out on the server or how many concurrent sessions there are in
    your application?

  • Erwin Moller

    #2
    Re: detecting session timeout or tracking concurrent sessions

    runner7 wrote:
    Can anyone tell me if there is a way in PHP to determine when a session
    times out on the server or how many concurrent sessions there are in
    your application?
    Hi runner,

    This is how PHP implements sessions:
    If you use sessions out of the box, they use file storage.
    Every time a request to PHP is made that uses a session, PHP tries to
    retrieve the accompanying file based on the session ID.
    If that file is too old, the session is considered gone and you'll have to
    start a new one.
    From your script's point of view there is no session at all when this
    happens.

    In this scheme you cannot 'do something' when a session expires.
    Also you cannot easily find out how many sessions are active, but it can be
    done:
    - Count the number of non-stale PHP session files in the directory where PHP
    stores them.

    To gain more grip on sessions, you can use database storage of sessions.
    You'll have to write your own session logic, and change your php.ini, or
    use session_set(), as follows:
    session.save_handler = "user"

    and you'll also have to write some routines.

    Read more here:


    and for your own session handler:


    It also contains links to examples. Read the user-contributed notes too.

    Good luck.

    Regards,
    Erwin Moller


    • Rik

      #3
      Re: detecting session timeout or tracking concurrent sessions

      runner7 wrote:
      Can anyone tell me if there is a way in PHP to determine when a
      session times out on the server or how many concurrent sessions there
      are in your application?
      Not directly.
      As indicated by Erwin you could create your own session-handler, but I
      usually opt for another option:
      - use the normal session-handler to create sessions.
      - store all data (including time of last action, etc.) in a database.

      Now on a pageview, a custom session include does the following (note I only
      use sessions on sites that require a login, so you'll get that flow too
      :-).

      - session_start();
      - check in the database which session-ids are timed out according to your
      own logic, and:
        - delete them from the database.
        - possibly log them
        - possibly perform other actions
      - check whether this user is blocked (either by user-id or IP (be careful
      with IP-blocking! IPs are mostly dynamic nowadays, and if you block one
      IP, you could end up blocking a user you don't wish to block)).
      - check the session-id to determine whether the user is one of the already
      logged in users.
      - now you can check how many people are logged in atm in your database.
      - if the user isn't logged in, and only a certain number of users may be
      logged in, determine whether this user is allowed to login.
      - if the user is allowed, possibly check for a previously set cookie (when
      the user has perhaps indicated to keep him logged in).
      - if not, check login parameters from a form, and check those against
      username & password.


      Essentially, this script will only time-out sessions when the/a page is
      requested. On a site with medium traffic, or when your logging out logic
      doesn't really require a precise time, this will be OK.
      --
      Rik Wasmus
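
The per-request flow described in the post above, sketched in PHP as an added example that is not part of the original thread. The `active_sessions` table, the function names, the 1800-second timeout, user id 42 and the cap of 100 are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Delete timed-out rows and return them so the caller can log or act on each expiry.
function purge_expired(PDO $db, int $now, int $timeout): array {
    $db->beginTransaction();
    $sel = $db->prepare('SELECT user_id, last_seen FROM active_sessions WHERE last_seen < ?');
    $sel->execute([$now - $timeout]);
    $expired = $sel->fetchAll(PDO::FETCH_ASSOC);
    $db->prepare('DELETE FROM active_sessions WHERE last_seen < ?')->execute([$now - $timeout]);
    $db->commit();
    return $expired;
}

// True if this session id belongs to a logged-in user; also records the activity time.
function touch_session(PDO $db, string $sid, int $now): bool {
    $sel = $db->prepare('SELECT 1 FROM active_sessions WHERE sid = ?');
    $sel->execute([$sid]);
    if ($sel->fetchColumn() === false) {
        return false;
    }
    $db->prepare('UPDATE active_sessions SET last_seen = ? WHERE sid = ?')->execute([$now, $sid]);
    return true;
}

function count_active(PDO $db): int {
    return (int) $db->query('SELECT COUNT(*) FROM active_sessions')->fetchColumn();
}

// Call only after the credentials have been verified; refuses when the cap is reached.
function register_login(PDO $db, int $userId, int $now, int $maxUsers): bool {
    if (count_active($db) >= $maxUsers) {
        return false;
    }
    session_regenerate_id(true); // new id on login, so a pre-login id cannot be reused
    $db->prepare('INSERT INTO active_sessions VALUES (?, ?, ?)')->execute([session_id(), $userId, $now]);
    return true;
}

// Per-request flow; hypothetical names, and in-memory SQLite only so the script runs as-is.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE active_sessions (sid TEXT PRIMARY KEY, user_id INTEGER, last_seen INTEGER)');
session_start();
$now = time();
foreach (purge_expired($db, $now, 1800) as $row) {
    error_log("session for user {$row['user_id']} timed out");
}
if (!touch_session($db, session_id(), $now)) {
    register_login($db, 42, $now, 100); // after checking the login form; 42 and 100 are constructed
}
```

The count-then-insert in `register_login` is not atomic, so under concurrent logins the cap should be enforced inside a transaction or by the database itself.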

