Check if php variable with value exists on the server

Question

My site requires users to log in after which the user's id is stored in a session. The db has a field called 'logged_in' with a value 1 when they log in and is changed to 0 when they log out. Problem is that if the user just closes the browser the value stays as 1.

I know that I can check to see if a session exists on the server but can I check if a session with a specific value exists? I guess the literal code would be

if(!isset($_SESSION['user_id'] == 41)){
   // do stuff because session with value 41 doesn't exist
}

Answer 1

Don't use the Database to track users login State. Have a look at $_SESSION-Array.

Sessions will timeout according to your timeout value set in php.ini.

Helpful links:

• session_start: https://www.php.net/manual/en/function.session-start.php
• session_destroy: https://www.php.net/manual/en/function.session-destroy.php
• session-timeout: How do I expire a PHP session after 30 minutes?

a session is unique per user - so you wont have any conflicts, even when handling 50 Million users at the same time.

Imagine a $_SESSION to be an array that is UNIQUE to a certain user. (actually it's nothing more, the server willt take care on providing the correct array, if the user send the correct session-cookie - which in turn is nothing you (or the user) need to take care of - his browser will do!)

---

In a nutshell: Free your mind of handling multiple sessions by comparing ids. The array $_SESSION will ALWAYS be the one associated with the current user, if started properly.

Your server will always return exactly one Session-Array, when accessing $_SESSION - the one, associated with the user, performing the request.

---

Create a simple "script", like this:

<?php
SESSION_START();

if (!isset($_SESSION["start_time"])){
  echo "Session started at: ";
  $_SESSION["start_time"] = date("Y-m-d H:i:s");
}else{
  echo "Session already existing. Started at: ";
}

echo $_SESSION["start_time"];
?>

Access the page from 2 different Browsers.

• On first access, you will receive the Session started at message.
• Second acces will deliver the session already existing Message with the already stored DateTime, UNTIL you call session_destroy() - or the session times out.
• You can refresh the page 10.000 times - the timestamp wont change anymore as long as the session is valid AND you are using the same browser (which transmits the session cookie automagicaly :P).
• You don't need to provide any user_id to make this work. Your server will (silently) provide you the correct $_SESSION-Array. Just write your website as if it would target one user, while storing user-sensitive values in $_SESSION-Array rather than $someOther-Array.

Answer 2

If you do need information in your database about login state, I suggest you store a timestamp of the last time the logged in, and perhaps the last time they were active, you can infer they are "logged out" if the session timeout has elapsed since the last active time.

Answer 3

You want to check if the session is set, and if it is, check if it matches the value:

<?php

if(!isset($_SESSION['user_id']) 
   || (isset($_SESSION['user_id']) && $_SESSION['user_id'] != 41)) {
   //session is not set, or value differs from 41
}

?>