php, how to detect is a session ID is dead or alive? [duplicate]

Answer 1

Use a $_SESSION[] when a user logs in and set the variable to be true. You can save some data in the session variable too if you need. Once user clicks on logout set the session variable to be false. The code could be as follows:

 function Login()
    {
        if(!isset($_SESSION)){ session_start(); }
        if(!$this->CheckLoginInDB($email,$password))
        {
            return false;
        }

        $_SESSION[$this->GetLoginSessionVar()] = $email;

        return true;
    }

function GetLoginSessionVar()
    {
        $retvar = md5($this->rand_key);
        $retvar = 'usr_'.substr($retvar,0,10);
        return $retvar;
    }

    function LogOut()
        {
            session_start();

            $sessionvar = $this->GetLoginSessionVar();

            $_SESSION[$sessionvar]=NULL;

            unset($_SESSION[$sessionvar]);
        }

This is one simple way of doing it. If you want a time out. You can use a start time for your $_SESSION[] variable and then set a time out time. Check for any activity till that time and then sign out like this:

function LogOut(){
session_start();
// set timeout period. This will be in seconds.
$inactive = 1000;
// check to see if $_SESSION['timeout'] is set
if(isset($_SESSION['timeout']) ) {
    $session_life = time() - $_SESSION['start'];
    if($session_life > $inactive)
        { session_destroy(); header("Location: logoutpage.php"); }
}
$_SESSION['timeout'] = time();

}

There could be more better ways of doing this. I am looking for a better way to do it myself . Hope it helps.

So if he closes his browser he will be logged out after inactivity anyway. But if you want logout after browser is closed check ini.session.cookie-lifetime

Answer 2

When the user logs in you should set a session variables to say they are logged in.

If the user logs out you should use session_destroy() to end the session.

This way the variable is destroyed, so if you check the session variables it will not be true. I personally use $_SESSION['isLoggedIn'] = TRUE.

Edit to add: If you want this to work on multiple browsers or computers you need to save the logged in or session ID to a database so you can check to see if the user is logged in elsewhere.

Answer 3

Generally speaking, the action of "logging in" is usually linked to some kind of persistency layer, usually a user's table/collection in a database server.

Sessions are created using this saved data at login time, and the saved data is serialized in some way into the $_SESSION superglobal.

If you wanted to globally track logins/logouts, you then need to save some ID of the user (usually an email or some login credential) associated with two monotonically increasing integers that represent the number of times they have logged in/out from anywhere.

There's no hard and fast rule that this has to be conducted in a DB, it just scales better. For a small or test case, you could just as easily save paging files.

The main idea is that to have any kind of data that lasts beyond the expiration time for the session_id cookie that references the session on the server, you need to implement some form of persistency.

Answer 4

For that you will need to log in youre user table, or switch to storing session in DB then you can check sessions against users (if you set it up that way).

Answer 5

What you would need to do is when he logs in to his account on a new browser, find the old sessionID associated with his account and expire it. When he clicks a logout button, you can then retire that sessionID.

EDIT:

Sorry I read your question wrong. What you want to do is set a session timeout so if the timeout is reached, you assume the session is dead and expire it. On each page request, you will renew the expiration so that it is live. If they login from another browser, you can assume the session in the old browser is old, and expire it right off the bat or let it expire with the timeout.

You can then check session timeouts on page load, or run a cron script that will run through the session database and expire all old sessions.