how to set session_timeout()?

I currently develope a Members Area using Session. It is going quite well since I got into this matter I just don't know how to set it up. Could anyone give me some of your times to solve this problem? I would appreciate very much. The question is:

I have created a Members Area using Session Array Vars they are not saved into database. Everytime users logg in and they forget to LOG OUT and leave their Session Array Vars valid wandering around. It could be an insecurity hole on their browsers. I just wanna to create a session time out or any thing that will automately destroy the Session Array Vars in a certaint amount of time from the time they log out.

Thanks,

if you are not saving the session vars,...then when the user closes the browser, the session should end.

I don't think it will be ended. If I know session id I still be able to log in the members area. Correct me if I am wrong. Thanks.

I dunno,...but how would get that anyway if you are an end user?

if you have session_start(); on every page,....do a check to see if some session_var is set,..if not,..kick them out to the login page

By default, session variables are stored as text files in a temporary directory.

If you are testing this on a windows machine, go look in c:\temp after creating a session in the browser.

Now, what happens when a user closes the browser?
The session is dumped. It is no longer valid. Don't worry about the temporary files hanging around... they don't get deleted for a while.

The deletion of your temporary session files are due to a setting in the php.ini. you can also set this at run-time.


It is called session.gc_probability.
It is set to "1" by default.

If I am correct, this setting means that you have a 1% chance on each hit of that page that the contents of the temporary directory will be checked for deletable files.

So basically, the rule I use is:

On low traffic sites, if you want this deleted a lot, set it high.
On high traffic sites, it will get deleted quickly because there is lots of traffic, so set it low as to keep from having your hard disk spinning too much.

Thank you very much for all your helps. They mean so much to me. I have learned a lot from you guys. But all of your messages have not helped my problem solved. Allow me to make this clear.

All of my codes have been testing from a remote server.

I do have a checklogin() function on every members area page.
If I had my SessionId; I still be able to login, I think the session will not be destroy. Because I have tested several times.