I think you need to think about your temp folder idea some more. You say that you are going to keep temp uploads and other things there that get destroyed after the user logs out. But if you are regenerating the user's session ID multiple times you will need to keep the temp folder in sync with that.
I always think about the way online banks do it when I approach this problem. They put a META refresh or perhaps a setTimeout() on the page and force a page reload. If the request came from the refresh, then you know the user isn't paying attention anymore and can dump the session. On 4/26/07, David Krings <[EMAIL PROTECTED]> wrote:
Rob Marscher wrote: >>> Is there any way I can check which sessions are currently active and >>> which aren't? I like to add some housekeeping code, but taking away >>> things from active sessions would be just mean. > > Check out the documentation for session_set_save_handler -- > http://us.php.net/manual/en/function.session-set-save-handler.php This > is how you can override the way php handles sessions by default and put > in your own code. The "gc" function (stands for garbage collection) is > where the "housekeeping" code goes. Note that the default php session > handlers should be cleaning up the expired session temp files for you > automatically. The location for these temp files is specified by the > session.save_path php.ini setting. Thanks for the pointer. I misused the term "temp file". What I do is create a folder that has to be unique and therefore is identical with the session id. That is not the temp folder that the web server / PHP creates when starting a session. I called it temp folder because I dump upload files and other stuff in there in order to do all kinds of things with it, once done the files are moved to the final resting spot. Since all this real client server and stateless stuff doesn't let me know when a client just went away, I have to come up with some way of cleaning up a bit at some point. When the client goes away right after an upload and before initiating the final submission, files may be left in there. While some stale folders and files are OK (although not nice), having them pile up over time will become a problem. So I need to keep track of the sessions that were generated through my script in order to ditch that folder with contents (annoyingly, there seems to be no PHP code word that does exactly that) when the session is most likely to be expired (24 hours later for example). >> My plan is to create a session, authenticate the user, then generate a >> new session ID for the session )I read that this improves security and >> is easy enough to do) > > As far as regenerating the session id after login, it *is* simple -- > http://us.php.net/manual/en/function.session-regenerate-id.php -- but if > you're overwriting the default session handler to store sessions in a > database table, you need to make sure that it's getting updated the way > you expect. Well, my idea is to start the session, do the login and authentication, when the user is accepted, regenerate the session id, and then write it to the table with a timestamp. I don't see any reason to write the first session id to the table, because I throw that one away soon after. I really only want to keep the ids because I want to clean up the folders that I created. Sounds like a workable and reliable approach to me...if I'd just had the time to finally do it. Working with ZIP files at the moment, which go to that session id folder as well. Still haven't really understood how the unpacking works and what this new and -> stuff is about, anyhow (OK, I read too much Bob Pease). Thanks for the help, David _______________________________________________ New York PHP Community Talk Mailing List http://lists.nyphp.org/mailman/listinfo/talk NYPHPCon 2006 Presentations Online http://www.nyphpcon.com Show Your Participation in New York PHP http://www.nyphp.org/show_participation.php
_______________________________________________ New York PHP Community Talk Mailing List http://lists.nyphp.org/mailman/listinfo/talk NYPHPCon 2006 Presentations Online http://www.nyphpcon.com Show Your Participation in New York PHP http://www.nyphp.org/show_participation.php
