    #16
  1. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,846
    Rep Power
    6351
    Since you're no longer storing sessions in the operating system's temporary directory, you may have to set up your own session save handler which does the garbage collection for you and deletes old session files.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
  2. #17
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2012
    Posts
    33
    Rep Power
    2
    Hi!

    Thank you for the much needed help!

    I have a question though. When I read the PHP manual for session_save_handler, I found the following sentence in it.

    "The garbage collector callback is invoked internally by PHP periodically in order to purge old session data. "

    What does it mean? Does the gc (garbage collection) happen automatically anyway? What is the frequency of automatic gc callback? Would it be absolutely necessary to use session_save_handler if it is automatic? Noticed the word 'may' in your reply, that's why I am asking.

    Thanks in advance for your reply!
  4. #18
  5. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Originally Posted by mozart66
    What does it mean? Does the gc (garbage collection) happen automatically anyway? What is the frequency of automatic gc callback? Would it be absolutely necessary to use session_save_handler if it is automatic? Noticed the word 'may' in your reply, that's why I am asking.
    The garbage collector does run automatically (specified in the php.ini by session.gc_maxlifetime, session.gc_probability and session.gc_divisor):

    http://www.php.net/manual/en/session...gc-maxlifetime

    However, since you changed the save path, ManiacDan assumed that you might have to define your own session routine. But I tested it on my local server, and it's not necessary. The sessions get deleted like they should.

    What's the return value of session_destroy when you call it?

    Note that currently you do not delete the session cookie. So even when you delete the session file, it will be recreated (empty) as soon as you call session_start again for that user -- which is a security risk. Delete the cookie (see the manual page on session_destroy) and call session_regenerate_id when a user logs in.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
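
The logout and login handling recommended in the post above, together with how the three session.gc_* settings combine, as an added example that is not part of the original thread. The function names and the `user_id` session key are hypothetical.

```php
<?php
// Added example; function names and the 'user_id' key are assumptions.

// Call after the credentials have been verified.
function login_user(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Issue a fresh session ID and delete the old session file, so an ID
    // that existed before authentication is not carried into the login.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Returns the result of session_destroy(): true if the stored data was removed.
function logout_user(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // session_destroy() needs an active session
    }
    $_SESSION = [];

    // Expire the session cookie using the parameters it was set with;
    // otherwise the browser keeps sending the old ID and the next
    // session_start() recreates an empty session under it.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    return session_destroy();
}

// Describes when PHP's built-in garbage collection purges old sessions.
function session_gc_summary(): string
{
    $prob = (int) ini_get('session.gc_probability');
    $div  = (int) ini_get('session.gc_divisor');
    $life = (int) ini_get('session.gc_maxlifetime');

    if ($prob <= 0 || $div <= 0) {
        // With probability 0 PHP never runs GC itself; a custom
        // session.save_path then needs its own cleanup job.
        return 'automatic GC disabled; old session files are never purged by PHP';
    }
    return sprintf('GC runs on about %d in %d session starts; data idle for more than %d s is eligible',
        $prob, $div, $life);
}
```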
  6. #19
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2012
    Posts
    33
    Rep Power
    2
    Originally Posted by Jacques1
    The garbage collector does run automatically (specified in the php.ini by session.gc_maxlifetime, session.gc_probability and session.gc_divisor):

    http://www.php.net/manual/en/session...gc-maxlifetime

    However, since you changed the save path, ManiacDan assumed that you might have to define your own session routine. But I tested it on my local server, and it's not necessary. The sessions get deleted like they should.

    What's the return value of session_destroy when you call it?

    Note that currently you do not delete the session cookie. So even when you delete the session file, it will be recreated (empty) as soon as you call session_start again for that user -- which is a security risk. Delete the cookie (see the manual page on session_destroy) and call session_regenerate_id when a user logs in.
    When session_destroy() is being called in my log out script, no $_SESSION data can be seen (used var_dump for $_SESSION) before or after the session_destroy() as there is session_unset() before session_destroy() in my script. In my log out script none of the session variables get printed when I try var_dump or even echo. Though for session_destroy() to work, I do have session_start() in the beginning of the script.
  8. #20
  9. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    We need to know the return value of session_destroy():
    PHP Code:
    // session_destroy() returns true on success, false on failure
    $destroy_retval = session_destroy();
    echo 'session_destroy: ' . ($destroy_retval ? 'true' : 'false');
    The content of $_SESSION tells you nothing about whether or not the session file exists. Focus on session_destroy() and check if it works (i. e. deletes the session file).
  10. #21
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2012
    Posts
    33
    Rep Power
    2
    The session file is getting deleted after the log out!!
  12. #22
  13. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    So it does work now?
  14. #23
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2012
    Posts
    33
    Rep Power
    2
    YES!! Thank you! That's exactly what I was looking for! For the session file to be completely removed after the logout! The new session directory on the web server has read / write / execution permissions and there is another person from client's end besides me who has access to it from outside. If he / she accidentally gets into this directory and without realizing plays with it, there could be problems and that was the reason I wanted the session files to be deleted and not just the session variables to be unset. Looks like what I am currently doing is giving me the required results!

    Thank you once again!