On Feb 7, 2008, at 2:41 PM, Perrin Harkins wrote:

> Sure, it's a building block. You build the expiration part on top of
> it. Either you use a timestamp column in your database or you update
> a timestamp in the session data. Then you check that to see if too
> much time has passed.
> You can certainly build it on something else, like CHI (the new cache
> module interface). Or look at Apache::SessionManager or mod_auth_tkt
> for built-in support.

I do the timestamp trick.

You overload Apache::Session to add a 'last accessed' timestamp.

Then you do one of 2 things:

a- write a daemon/cronjob/@job to clear old sessions
b- have your Apache module run a session-clear every 1hr or so
(storing last-cleared in a file or memcache)

It's easy to do.
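
The timestamp approach from this thread, as an added example that is not code from either message. It assumes a plain hash standing in for the Apache::Session backing store, a 30-minute idle limit, and hypothetical function names `load_session` and `maybe_sweep`; the idle check runs on every load so that a stale session is refused even between sweeps.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumptions (not from the thread): a 30-minute idle limit, an hourly sweep,
# and a plain hash standing in for the Apache::Session backing store.
my $IDLE_LIMIT     = 30 * 60;
my $SWEEP_INTERVAL = 60 * 60;

my %store;              # session id => { last_accessed => epoch, data => {...} }
my $last_swept = 0;     # the thread suggests keeping this in a file or memcache

# Load a session, enforcing the idle limit at read time so a stale session is
# rejected even when the sweeper has not run yet.
sub load_session {
    my ($id, $now) = @_;
    my $s = $store{$id} or return;
    if ($now - $s->{last_accessed} > $IDLE_LIMIT) {
        delete $store{$id};         # expired: drop it and treat as missing
        return;
    }
    $s->{last_accessed} = $now;     # refresh the 'last accessed' timestamp
    return $s->{data};
}

# Option b from the thread: purge from the request path, at most once per
# interval. Returns the number of sessions removed.
sub maybe_sweep {
    my ($now) = @_;
    return 0 if $now - $last_swept < $SWEEP_INTERVAL;
    $last_swept = $now;
    my @stale = grep { $now - $store{$_}{last_accessed} > $IDLE_LIMIT } keys %store;
    delete @store{@stale};
    return scalar @stale;
}

# Constructed sample data: one fresh session, one idle for two hours.
my $now = 1_202_420_460;
%store = (
    fresh => { last_accessed => $now - 60,   data => { user => 'alice' } },
    stale => { last_accessed => $now - 7200, data => { user => 'bob' } },
);

printf "fresh: %s\n", defined(load_session('fresh', $now)) ? 'valid' : 'expired';
printf "stale: %s\n", defined(load_session('stale', $now)) ? 'valid' : 'expired';
$store{old} = { last_accessed => $now - 7200, data => {} };   # never loaded again
printf "swept: %d\n", maybe_sweep($now);
```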