ok:

1.

Use: unset($_SESSION['variable_name']);
and: session_destroy(); (no capital)

2. I would set it up like this:

3. not sure, i dont think so (i assume you mean for if a user just closed their browser, you would want a function to run when the session is destroyed on the server)

4. You may be able to if you know where the sessions directory is (usually called "tmp"), but there may be some security issues.

hope this helps.

<<<1. how you best terminate a session>>>
session_start();
setcookie( session_name() ,"",0,"/");
unset($_COOKIE[session_name()]);
session_unset();
session_destroy();
<<<2. how do you best detect if there is an active session or not.>>>
Strange question. If a page php is requested, the webserver will create a session or use an existing one. So before you get at (for the standard PHP cofiguration) or past session_start(); (if autostart if not enabled), there is an active session. So there is no point is testing it.
<<<3. can you code to session timeouts?(run a function on session timeout.)>>>
You can set the 'garbage collection'-parameters which cause the timeuts. But you can't specify a fixed timoutlimit like 15 minutes or so.
<<<4. can you get the total number of sessions?>>>
Beats me. Never wondered if this is possible. Why do you ask ?

Sorry to jump into this thread, but the answers to 1) - would that be how you could let a user logout? Not looked in any great detail, but its something I will need to do sometime soon!!

Yeah, the ways shown are two ways to make users logout.

Well, depends on your setup of course.

Nightfire is right for most conventional login-checks where a sessionvariable is set after login, and checked against on top of each page. Which is fine for most applications.

But i find this is a misuse of sessions with serious security and userfriendlyness issues + sessionmanagement and login-checks don't have the same goal, so I always do my sessionmanagement based on a 'sessiontable' i keep in my db.

ty raf for the end session code work way better than the one I had that didn't work .


2. what I mean was if there where a way to detect if a user wrote an url to a page past my login page so he bypassed the login currently I am using:
<?
session_start();
if(!isset($USER))
{
$ErrorMsg="You accessed a page, in the <br>game without being logged in";
header ("Location: login.php");
}
$USER is registered in the php file, problem is this don't really seem to be working all that good(not working at all).

3 & 4. getting the number of sessions and if you had a garenteed session killer script, would be an easy way to get the number of users online.

We need to se some code to help you. For instance the code where you set the sessionvariable.
Also,
if(!isset($USER))
is real unsafe.
if i would type http://whatever.com/adminsection/top...r.php?USER=bla
then if(!isset($USER)) will probably return true.

You either need to turn register_globals to off or set all variables to '' at top of the page, or specify the collection of the variable you check against

The problem is that you don't know when a user leaves your site, if you rely on sessions. And depending on your trafic, sessions will timeout after a longer period. There are also other concerns like for instance, go to this thread http://www.codingforum.net/showthrea...5&pagenumber=2 and look for cg9com 's post with a link to the multimedia-forum. Then hit the home-link at the top. You wil see that the text claims you are not logged in etc, which means that at that time, you have 2 active sessions, since in your initial window, where you opened cg9com's link, you are logged in and able to post.

You see? all sort of weird stuff can happen (like people without cookies that manipulate the querystring and get a new session etc), that will mess up your count.

So even if you would get the number of active sessions, then this will never be accurate. There are probably ways around all this, but in the end, i personally do not think it is worth the efford for a 'nice-to-have' feature.
At some point, if you realy want to control/log the navigation of your user, then you need to add a sessiontable in your db, where you keep track of the last requested page and where you can for instance, set a timoutlimit on a per page basis.

In an app i am currently working on, i use my sessiontable, and if the user didn't use the logout link, he gets a notification when he logs back in + his 'carelessness' is logged, which will enable the administrator to take appropriate action towards that user, if he continues to log out inappropriately. I think that educating the users is a better/only approach towards enhanced security and efficient use of your site.

I like that punish the user for being careless .

anyway my brother asked me why I had these:

setcookie( session_name() ,"",0,"/");
unset($_COOKIE[session_name()]);

Because you copied them from my post.

The first line will make the sessioncookie timeout. You can not delete a cookie that is stored on the client. But you can 'reset' is. The 0 means that it will timout after 0 seconds. If your realy concerned, you could change it to -1000 or so.
--> clean up the clientside
The second line kills the existing session-globalvariables
--> clean up the serverside

The session_destroy() then finally destroys the instance of the session-object for that client.