Well, I am going straight, How can i store session into database? I have tried and stored session into database but It will delete automatically from db because of codeigniter database garbage collector.
I don't know how to keep all the sessions? I don't want to delete any session from database. I don't want to delete session until database user delete the row.
Moreover, I want to develop user can log out from all the sessions.
Please share your thoughts. thanks.
Set the session expiration value of sess_expiration in the config to 0 if you don't want it to timeout unless the browser is closed, or set it to an crazy amount like 5 years.
sess_expiration: The number of seconds you would like the session to last. If you would like a non-expiring session (until browser is closed) set the value to zero: 0
The config file is found at: application/config/config.php
You can also disable automatic session regeneration by setting sess_time_to_update to 0.
Reference: https://codeigniter.com/user_guide/libraries/sessions.html#session-preferences
Set the $config['sess_expiration'] = 0 for lifetime.
Related
I'm using a simple, custom session wrapper class to store user sessions in the database, but I'm confused with how to accomplish long-term saved sessions while having short term sessions as well.
I give the user the option to "Keep me logged in". If this is set then I want to keep their session saved for 6 months. If it's not set then I want to keep their session saved for 2 hours. I don't want this 6 month period to keep extending... even if they log in every day, after 6 months their persistent login will be cleared.
If I set session.cookie_lifetime and the garage collection variable session.gc_maxlifetime to something like 6 months or more, then the people with only the "2 hour session" will be leaving tons of unused sessions that won't get cleaned up by the garbage collection until 6 months or more. I'd rather keep session.gc_maxlifetime set to a more reasonable value.
I'm thinking what I should do is create a cookie (not the PHPSESSID cookie because I don't want garbage collection to clear it) that contains the last used session id, and set the expiration of that cookie to either 6 months or 2 hours, depending on if they checked "Keep me logged in" or not. If someone starts a new session and they have this cookie saved, it will try to match the cookie's session id to a saved session in the database. If the same session is found, it will change the session id to their new session id and update the database record, continuing their session. If it's not found it will create a new database entry.
Does this sound like a good way to accomplish what I want? Are there any security issues with this?
I'm a bit confused with this,
Say the session has been started with default php ini settings where gc_maxlifetime is 1440 seconds. And i supposed to use remember me functionality with this, to which i set cookie lifetime as 14 days. As long as the session max life time set to 24 minutes which is obviously lesser than cookie life time (14 days), after 10 days (for example) the session likely (of course depends on gc probability) to be expired and would have no reference to the session id the remember me cookie has.
So how would setting a remember me cookie lifetime longer than the session lifetime remember/resume the session? or do i need to change the session max lifetime according to the cookie lifetime?
Generally a "remember me" cookie is a persistent cookie, not a session cookie. It contains some encrypted information which allows an automatic login action to occur. i.e. When there is no active session already, but the "remember me" cookie is present, then a new session will be started.
The session GC function will delete session data (which is by default kept in plain text files), while the cookie settings will delete the cookie that keeps the session id.
In order for a session to be active, its data file, and a cookie with its ID must exist (AFAIK).
...or do you only need to start a new session?
I've been given the task of fixing a bug that causes sessions to expire even though the session.gc_maxlifetime is set to 8 hours (It does get set, i've checked).
After going through the code, i noticed that session_start() is called on every load, as predicted, but the login-data sessions are only set when the user logs in.
Do i need to set the user data sessions on every page load for the session-lifetime to reset?
I need the session to be alive for 8 hours, even if the page doesn't reload.
You need to set the session variable again.
One method, use $_SESSION['last_click_time'] = time(); and compare it. If it's outdated, refresh the session variable, log the user back in, etc etc.
You are probably using the default location for session files and it's a temporary directory shared by all web sites on the server. In that case, the site with shortest session.gc_maxlifetime will probably remove session data from all sites. The reason is that there's no way to determine what site owns what session file.
You'll need to create a custom directory for sessions and specify it with session.save_path
This may seem trivial.
What will happen to a session that was never destroyed/unset/write_close-d?
Lets just say I have set the session to never time out. What will happen to the session if person finds himself at the login page and logs in using different credentials. Also just for the testing purpose, the login page doesn't have redirect if session is set.
Will it overwritten and destroyed or never destroyed?
If your login sets all of the session variables, the session will be effectively destroyed by the new values.
If there is a variable that's in the session that isn't overwritten by the login, then it will persist. The session is overwritten rather than destroyed and set again.
if he logs in using different credentials with an already started session, the session will be simply overriden...
in the case, that the user deletes his cookies etc., a new session will be generated and the old one MAYBE will retain as session-file or in DB...
(depends on the php-settings)
Sessions will be destroyed implicitly after timeout. The number of seconds for timeout can be specified in php.ini . Default is 1440 seconds or 24 minutes.
You have to set some arbitrarily large value for session.gc-maxlifetime to seemingly never time out.
If you let someone else to go through the login process, it must overwrite the existing session. But all this ultimately depends on your code.
I have a web application that pings a database every minute or so to check for new entries. The page is designed to not really have any interaction with... You just keep it open and it displays things. The page is password protected, and the site can be up for a coupe days without anyone clicking in the web browser or anything. I've found after it's up for like a day or so it stops checking the database (through an Ajax request) and then if you refresh the page manually it brings you to the login page again. I'm assuming that's because the session which has the login information expires. I never set an expiration time, but does PHP automatically destroy the sessions after a certain amount of time? What do I do to fix this?
Thanks
Thanks for all the replies... Is there a way to set the session to never expire with out just changing the PHP settings themselves?
The default value of session.gc_maxlifetime is 1440 seconds. So the garbage collector assumes a session to be expired when the last modification was at least 1440 seconds ago.
Note that when using a cookie for the session ID it might have a different lifetime. The default value 0 of session.cookie_lifetime makes the cookie a session cookie, that means it expires when the browser session is ended (i.e. the browser is closed).
See also my answer on How do I expire a PHP session after 30 minutes? for further information on session expiration.
From php.ini:
; Lifetime in seconds of cookie or, if
0, until browser is restarted. ;
http://php.net/session.cookie-lifetime
session.cookie_lifetime = 0
That would be the default if I'm not mistaken. Either set it to zero (if it's not already set) or just use another cookie.