Derek Fountain wrote:
I have some code at the top of each page that says session_start() then
checks for a value in the session. If the person never logged in the
session is empty and they get bounced to the login page. But if the person
has been sat at a normal page for 15 minutes after logging in,
session_start() works as if a session ID has not been presented, starts a
new session which is empty and the user gets bounced to the login page!
I feel like I've missed a step. How can I tell if a user doesn't have a
valid session ID because they've never logged in, or whether they don't
have a valid session ID because their session has timed out?
Hi Derek,
You do not know that difference.
You can however check if the user is sending a PHPSESSIONID, and so TRIES to
continue the session (which stopped as far as the server is concerned).
If sent: chances are that that user had a valid session before, but it is
gone now (the value for the PHPSESSIONID is not stored anymore on the
server, so PHP refuses to continue the session, as it should).
This is not 100% foolproof, because the user could have faked or set its own
PHPSESSIONID-cookie, but who cares?
(It is actually a little bit more complex because PHP can also use
URL-rewriting to add a sessionid, but the effect is the same.)
If you don't find a PHPsessionid, then it is probably the first visit.
Of course the exact behaviour depends on HOW you let the cookie behave, or
more to the point: how long it is valid.
I expect that if you say to the browser that the cookie is only 5 minutes
valid, it won't send it even after 10 minutes.
Regards,
Erwin Moller
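
The check described in the reply above, as an added example that is not part of the original posts. It assumes the login code stores a `user_id` key in the session and that the login page is `login.php` (both hypothetical names), and it reads the cookie name from `session_name()` instead of hard-coding it.

```php
<?php
// Added example, not code from the thread.
// Assumptions: login stores $_SESSION['user_id']; the login page is login.php.

/**
 * Classify the request as 'active', 'expired' or 'new'.
 *
 * 'expired' only means the client presented a session cookie that the server
 * has no login data for. The cookie is client-controlled, so use this result
 * to choose a message, never to grant access.
 */
function classify_session(array $cookies, string $cookieName, array $sessionData): string
{
    if (isset($sessionData['user_id'])) {
        return 'active';
    }
    $presented = isset($cookies[$cookieName])
        && is_string($cookies[$cookieName])
        && $cookies[$cookieName] !== '';

    return $presented ? 'expired' : 'new';
}

session_start();
$state = classify_session($_COOKIE, session_name(), $_SESSION);

if ($state !== 'active') {
    // Do not keep an id the client supplied for a session the server no
    // longer knows: issue a fresh one before the user logs in again.
    session_regenerate_id(true);

    $reason = ($state === 'expired') ? 'timeout' : 'login';
    header('Location: login.php?reason=' . $reason);
    exit;
}

// From here on the request belongs to a logged-in user.
```

The login page can then show "your session timed out" for `reason=timeout` and the plain login form otherwise.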