PHP Session management

You probably should give the SESSION a duration.

Usually I let Drupal handle this, there is an autologout module, not sure how it works.

You could set a database timestamp, or perhaps a SESSION variable, and renew it with activity, or kill the session after a specified elapsed time...

Check out these search results

Yes and also, i have now transfered my preject to a test directory on my server. Rahter than expecting no user to be logged in there is a user logged in.

It seems my session management is not quite right.

My authentication stores the session variable generated after login in the database, then i have a auth function that checks the session in the database against the session variable.

I thought the session expires after 20 mins by default?

Why would i still be logged in after a few days and after transfering my site over to a different server.

Remember $_SESSION uses COOKIES by default, so it might be a case that the session is being set to a cookie in your browser/pc and not being deleted

I did not know that - your saying that any session set will also be set as a cookie by default?

This must be a php setting then?

Or i must unset and destroy all cookies with the same name.

you can try it yourself
set data to a session, goto another page and see if the session isset and has data
then unset the session, turn off your cookies in the browser and try it again

when you call "session_start()" (as i presume you are) php sets SID (session ID) and is default set in a cookie
It can be accessed by using that ID in URLS, but now we are getting into issues with SEO and security issues.

also, have a read of this if you haven't already
http://uk2.php.net/session
its technical rather than informative, but is worth reading through the functions you are using as it has some must read warnings
(i.e. "Do NOT unset the whole $_SESSION with unset($_SESSION) as this will disable the registering of session variables through the $_SESSION superglobal.")