PHP - is there a way to really destroy a session?

[lozina]

I was hoping there was a way I can initialize a brand new session when the user logs out, so if he logs back in again his session id is different.

session_destroy() does not change the session id.

so if they were to immediately log back in instead of closing the browser, it would be the same session id.

 

[TeamZero]

You can assign Session IDs I believe, perhaps you could make use of a random number and assigning session IDs?

 

[jjones]

http://www.php.net/manual/en/f...sion-regenerate-id.php

 

[lozina]

Originally posted by: jjones
http://www.php.net/manual/en/f...sion-regenerate-id.php

lol, I was just looking into how to set the session id based on TeamZero's suggestion and when I found a page referencing the function I saw that regenerate session id function, but before i was able to post my findings i see you have already replied with it 🙂

hey how's your ear infection??

thanks fellas

 

[troytime]

i wish i had the opportunity to use sessions more

i'm stuck with always using cookies

 

[lozina]

Hmm, how does the whole session expiration work in PHP anyway? I am really confused...

I did a test page which just calls start session and prints out current date/time and session id. THen i left that browser idle for over 2 hours and refreshed the page. I got the same session id. 😕

First output:

f538a97532b9da00c4eb90d2b9187484
Aug/03/07 08:43:23 am

Second output:

f538a97532b9da00c4eb90d2b9187484
Aug/03/07 10:58:06 am

So if the session id does not change, how do you determine that the session expired?

I only did this test after I logged into my little app last night, then put my laptop in hibernate overnight and this morning when I resumed my laptop and went to the still open browser and click refresh I was shocked to find my app thought I was still logged in, because I base it on session id...

Attached is the test.php that produced the output above

 

[jjones]

Unless you specify a session cookie lifetime, the session is open as long as the browser app is open.

See: session.cookie_lifetime

Here: http://www.php.net/session

 

[lozina]

Originally posted by: jjones
Unless you specify a session cookie lifetime, the session is open as long as the browser app is open.

See: session.cookie_lifetime

Here: http://www.php.net/session

Hmm, I cant seem to get this working...

I modified my php.ini and set cookie_lifetime to 3 seconds

then I ran that test page above with the following addition to confirm the setting I had changed:

<?=ini_get("session.cookie_lifetime")?>

and I see it is now 3 seconds when it used to be the default 0, yet still if I wait > 3 seconds and refresh the page, I get same session id.

 

[lozina]

Edit: Nevermind! I did do something wrong.. despite the page refreshing with the right information the browser was still caching probably the old cookie lifetime... and it even stuck with a new browser window I opened (while an existing window was open so I guess it just shared session). Once I completely closed all firefox windows and restarted it, it is behaving as we expect it to! thanks!

 

[lozina]

Here's another question- how can I keep the session alive?

After setting the cookie liftetime to 10 seconds for testing, I find that no matter what I do, I get timed out. For example, I log in, and I just keep going between two pages thinking this would keep my session alive. But sure enough after 10 seconds of flipping pages, I get timed out (session id changes). Why?