Unlink the session file when the user does not log out properly

How can I unlink a user’s session file from session_save_path() when the user does not log out correctly and just leaves the website?
I am asking this question because I need to count users currently online, and when some users do not log out by pressing the logout link, the session file remains in the sessions directory.
I tried ini_set(session.cookie_lifetime, "0"); but it did not work after the browser is closed. Any ideas?

From what I understand you want the session file to be deleted when a user closes the browser? I don’t think it can be done because when the browser is closed it does not send any information to the server so you never know if it’s been closed or simply left open. You can use some workarounds like treating users not active in the last 5 minutes as “not online”. Or, you could use some javascript to contact the server every minute to let you know the user has still his browser open - but that could generate some heavy load on the server depending on the number of users.

I prefer the first solution because it’s less resource hungry and to me a bit more trustworthy - if a user minimizes his browser and spends time doing something else then in practice he is not “online” for the community because he is not active. For other users it usually makes no difference if I minimize my browser, hide it behind other windows, leave it open in front but go out shopping, or simply close it - in any of these cases I’m not active on the site so I’m not really there.
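The "not active in the last 5 minutes" approach, as an added example that is not part of the original thread: each request records a last-seen time, and the online count is the number of sessions seen inside the window, independent of where PHP stores its session data. It assumes the pdo_sqlite extension; the table name, function names and session IDs are hypothetical, and the in-memory database is used only so the demo runs stand-alone.

```php
<?php
// Added example (not from the thread). Table and function names are hypothetical.
declare(strict_types=1);

const ONLINE_WINDOW = 300; // seconds: the "last 5 minutes" rule

function presence_db(string $dsn = 'sqlite::memory:'): PDO
{
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS presence (
        sid_hash  TEXT PRIMARY KEY,
        last_seen INTEGER NOT NULL
    )');
    return $db;
}

// Call once per request, after session_start(), with session_id() and time().
// Only a SHA-256 of the session ID is stored, so a leaked presence table
// cannot be used to resume anyone's session.
function touch_presence(PDO $db, string $sessionId, int $now): void
{
    // INSERT OR REPLACE is SQLite syntax; other databases need their own upsert.
    $stmt = $db->prepare(
        'INSERT OR REPLACE INTO presence (sid_hash, last_seen) VALUES (?, ?)'
    );
    $stmt->execute([hash('sha256', $sessionId), $now]);
}

// Sessions seen within the window count as online; older rows are pruned first,
// so users who left without logging out drop out of the count on their own.
function count_online(PDO $db, int $now, int $window = ONLINE_WINDOW): int
{
    $cutoff = $now - $window;
    $db->prepare('DELETE FROM presence WHERE last_seen < ?')->execute([$cutoff]);
    return (int) $db->query('SELECT COUNT(*) FROM presence')->fetchColumn();
}

// Constructed demo: three visitors, one of whom closed the browser
// ten minutes ago without logging out.
$db  = presence_db();
$now = 1700000000; // constructed timestamp
touch_presence($db, 'constructed-session-a', $now - 600);
touch_presence($db, 'constructed-session-b', $now - 120);
touch_presence($db, 'constructed-session-c', $now);
echo count_online($db, $now), " users online\n";
```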

Thanks for your reply.
But from what I already read in the php.ini file, setting session.cookie_lifetime to 0 means that when the user closes his browser the session cookie is deleted from the sessions folder, but you are saying the opposite!
Anyway, I figured out a nice technique to do it: I simply check the session file’s lifetime using the PHP filemtime function and specify a specific time limit, and if the session file lifetime is older than the filemtime specified I read the sessions directory and unlink this session file.
It is something like this:


$sess_path = session_save_path();
// glob() lists the session files directly, so no opendir()/readdir() loop is needed
foreach (glob("$sess_path/sess_*") ?: [] as $filename) {
    // delete session files not modified in the last 1800 seconds (30 minutes)
    if (filemtime($filename) + 1800 < time()) {
        @unlink($filename);
    }
}

So what do you think about that?

Where did you get that information? It simply can’t be true. It is not possible for the server to delete files from the session folder when the browser is closed because the server has no way of knowing that the browser is closed! The browser does not communicate the fact of closing to the server. Cookie lifetime 0 means the cookie will be deleted from the browser when closed but not from the server. So technically it would be possible for you to close the browser, open it, inject the session cookie back to the browser’s memory (by using an extension or some hacking) and go back to your site and be still logged in. The server would not know that you closed and reopened the browser.

Anyway, I figured out a nice technique to do it: I simply check the session file’s lifetime using the PHP filemtime function and specify a specific time limit, and if the session file lifetime is older than the filemtime specified I read the sessions directory and unlink this session file.
It is something like this:


$sess_path = session_save_path();
// glob() lists the session files directly, so no opendir()/readdir() loop is needed
foreach (glob("$sess_path/sess_*") ?: [] as $filename) {
    // delete session files not modified in the last 1800 seconds (30 minutes)
    if (filemtime($filename) + 1800 < time()) {
        @unlink($filename);
    }
}

So what do you think about that?

This will work but looks ugly to me. I see two problems with it:

  1. The script will take some time to perform if you have many session files. It can be partially remedied by using a cron job every minute or so.

  2. This is like hacking the internal session mechanism. If later on you switch to storing sessions in a db this code will fail.

I would suggest storing the time of user’s last visit in a session variable and then simply check the time and destroy the session if necessary:


session_start();

if (isset($_SESSION['last_visit']) && $_SESSION['last_visit'] + 1800 < time()) {
  // destroy the cookie and the session
  if (ini_get("session.use_cookies")) {
      $params = session_get_cookie_params();
      setcookie(session_name(), '', time() - 42000,
          $params["path"], $params["domain"],
          $params["secure"], $params["httponly"]
      );
  }

  session_destroy();

  // start a new session
  session_start();
}

$_SESSION['last_visit'] = time();

This code is not tested but an idea to implement - that would be much more reusable. You would need to test if calling session_start() the second time is possible (I’ve never done it) - if not then you can simply use header() to redirect the browser to the same page. The code for destroying cookie and session is taken from the manual.

Thanks Lemon juice, that was serviceable :slight_smile:

I think I would rather try your piece of code.

Thanks again for your help.

This would be possible to implement using JavaScript and the window.onbeforeunload event listener. You just have to write your code so that the page never reloads completely when using the application (possible with Ajax or frames). The onbeforeunload event is triggered when the window is being closed or the page is refreshed, so you could send an Ajax request from onbeforeunload, which instructs the application to delete the user session. But you can’t implement this on the server side only.

Thanks a lot for your help, but fortunately u do not code in JS :frowning: And anyway, I figured out a nice technique to do it and it succeeded :slight_smile:

You could also set

session.gc_probability = 1
session.gc_divisor = 1

in php.ini.
This way expired session files are deleted on every request. It does the same thing as that PHP script.