detecting session timeout or tracking concurrent sessions

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Can anyone tell me if there is a way in PHP to determine when a session
times out on the server or how many concurrent sessions there are in
your application?

Re: detecting session timeout or tracking concurrent sessions

runner7 wrote:

Quoted text here. Click to load it

Hi runner,

This is how PHP implements sessions:
If you use session out of the box, they use filestorage.
Every time a request to php is made that uses a session, PHP tries to  
retrieve the accompanying file based on the sessionid.
If that file is too old, the session is considered gone and you'll have to  
start a new one.
From your scripts point of view there is no session at all when this  

In this sheme you cannot 'do something' when a session expires.
Also you cannot easily find out how many session are active, but it can be  
- Count the number of not stale PHP sessionfiles in the directory where PHP  
stores them.

To gain more grip on sessions, you can use databasestorage of sessions.
You'll have to write your own sessionlogic, and change your the php.ini, or  
use session_set(), as follows:
session.save_handler = "user"

and you'll also have to write some routines.

Read more here:

and for your own sessionhandler:

It also contains links to examples. Read the usercontributed notes too.

Good luck.

Erwin Moller

Re: detecting session timeout or tracking concurrent sessions

runner7 wrote:
Quoted text here. Click to load it

Not directly.
As indicated by Erwin you could create your own session-handler, but I
usually opt for another option:
- use the normal session-handler to create sessions.
- store all date (including time of last action, etc.) in a database.

Now on a pageview, a custom session include does the following (note I only
use sessions on sites that require a login, so you'll get that flow too

- session_start();
- check in the database which session-ids are timed out according to your
own logic, and:
    - delete them from the database.
    - possibly log them
    - possibly perform other actions
- check wether this user is blocked (either by user-id or IP (be carefull
with IP-blocking! IP's are mostly dynamic nowadays, and if you block one
IP, you could end up blocking a user you don't wish to block).
- check the session-id the determine wether the user is one of the already
logged in users.
- now you can check how many people are logged in atm in your database.
- if the user isn't logged in, and only a certain number of users may be
logged in, determine wether this use is allowed to login.
- if the user is allowed, possibly check for a previous set cookie (when
the user has perhaps indicated to keep him logged in).
- if not, check login parameters from a form, and check those against
username & password.

Essentially, this script will only time-out sessions when the/a page is
requested. On a site with medium traffic, or when your logging out logic
doesn't really require a precise time, this will be OK.
Rik Wasmus

Site Timeline