If the cookie is cleared, will the session destroy in php? - php

After logging in a PHP web application and then clear the cookie in inspect element, will the session destroy?? If so,why?

By default php will use a cookie to track a user across page views.
When the page is requested, the session cookie is included, the server matches the session cookie value to a session and then makes the session information available in php when generating a response.
If you delete the cookie in web inspector / console, it can no longer be included with the request and the session will not be matched.
The session still exists on the server until the garbage collection process removes it, but without that cookie, it will never me matched.

Related

Why PHP session destroys when clear browser's cookie

I have a little confusion about PHP session and session cookies.
Let me ask my question by giving an example of www.example.com.
When I login to www.example.com, it starts a session. So I'm logged in as a user on this website.
Now when I clear cookies in my browser, it deletes all the browser cookie.
My question is - Is the session at www.example.com destroyed when I clear the browser cookies even when I haven't clicked on logout button to destroy the session ?
So that explains what I want to ask.
Does clearing browser cookies automatically destroys PHP session even when you haven't done anything on a website that will call the function to destroy the session ??
Why PHP session destroys when clear browser's cookie
After clearing cookies PHP does not destroy session, it just cannot receive session id anymore (which is stored in cookies), so link between session data and current user connection is lost. PHP destroys session later, depending on its' config.
Does clearing browser cookies automatically destroys PHP session even
when you haven't done anything on a website that will call the
function to destroy the session ??
No, it does not. PHP has limits on session lifetime (see php.ini, session.gc_maxlifetime and session.cookie_lifetime), which basically define session lifetime. In addition to official manual, there's also a good explanation of how these settings influence session lifetime.
If you watch carefully, like through web inspector on Chrome/Firefox etc, then you can see that the PHPSESSIONID is set as a cookie. So if you delete all cookies then I imagine you delete this cookie as well and therefore the session doesn't know what ID to use.
It's Mechanisim of Session. You can read more here.
About Session (ussually Server Session). The Server saves all the Session user data on Server and retrives data by Session ID from client (by Cookies).
First time, Client sends a request to Server. The server has not found any Session ID from this request and responses a normal webpage and includes SET-COOKIE: SessionID=xyz
From now, every request from client will include Session ID = xyz (by Cookies).
If you clear Cookies, certainly the Session ID is gone.

When does a PHP session end?

I can't seem to find a definitive answer on the internet, so I'm asking here.
When one uses session_start(); in a .php script and saves some values, when does the session end? So when would those values not be accessible again?
I've found that refreshing the page or stopping the session code-wise would stop it, and a possible time-out would stop the session as well. But what about navigating away from the site and returning a minute later? And closing the browser?
As for the last one, on mobile, what does 'closing the browser' mean? Closing the tab or even minimalising the site?
If your session values are not linked to any cookie, the session will end when the windows browser will be closed.
If your session variable comes from a cookie, the session will end after time specified in the cookie file.
In PHP, sessions work with a cookie of type session. Server-side, the session information is constantly deleted.
To set the lifetime of a cookie in php, you can use the function session_set_cookie_params, before the session_start:
session_set_cookie_params(3600,"/");
session_start();
For ex, 3600 seconds is a one hour, for 2 hours 3600*2 = 7200.
But it's a session cookie, the browser can make it expire by himself, if you want to save longer sessions (like remember login), you need save the data in the server and a standard cookie on the client side.
Navigating away from a site when using cookies will not break the session.
There are two things that can effectively end a session:
The cookie linking it to the browser gets destroyed. PHP typically uses session cookies. These are deleted when the browser is closed. The browser, not the tab. They can also be deleted manually.
When the server hasn't received a request from the browser with the session cookie for the session for a certain amount of time (defined in session.gc_maxlifetime) and it cleans up the session data.

When does a web session start and end?

This is more of a conceptual question. But I was wondering when a web session starts and ends when using PHP. I'm pretty sure the session starts when the user first requests any page that has the session_start() function. But does the session end when the user navigates to another page in the same tab? Is the same session preserved across multiple tabs and windows of the same browser? To preserve a session after the browser closes, do you have to use cookies?
Sessions start with the first session_start()
Sessions end after session.gc_maxlifetime and/or session.cookie_lifetime and/or some more things to do with PHP's session garbage collector.
Cookies are required to use sessions since PHP sets a cookie containing the user's SESSID, and the browser automatically sends it back with each request.
You can delete this cookie, which revokes your access to the session, but your session data still technically exists until the timeouts expire and the garbage collector runs.
Reference

How a cookies will maintain session state?

Cookies allow your applications to store a small amount of textual data (typically,
4-6kB) on a Web client. There are a number of possible uses for cookies, although
their most common one is maintaining session state.Cookies are typically set by the server using a response header, and subsequently made available by the client as a request header.
this is from zce study guide.
My questions are
1. how a session state is maintained by cookie?
2. what happens to these cookies when we use session_destroy()?
Put simply, the session cookie ties a remote session to your browser as you navigate a given site. It contains a string usually along the lines of PHPSESSID=3432DFGDFG43523 which the remote server identifies as a session that it is managing.
From the PHP website:
A visitor accessing your web site is assigned a unique id, the
so-called session id. This is either stored in a cookie on the user
side or is propagated in the URL.
The session support allows you to store data between requests in the
$_SESSION superglobal array. When a visitor accesses your site, PHP
will check automatically (if session.auto_start is set to 1) or on
your request (explicitly through session_start() or implicitly through
session_register()) whether a specific session id has been sent with
the request. If this is the case, the prior saved environment is
recreated.
http://www.php.net/manual/en/intro.session.php
When session_destroy() is called, it doesn't quite behave as you'd expect. The session is destroyed remotely but the local cookie isn't removed. To do this you'd need to call setcookie(<session cookie name>) with a negative date to destroy it on the client side. Again, from the PHP website:
session_destroy() destroys all of the data associated with the current
session. It does not unset any of the global variables associated with
the session, or unset the session cookie. To use the session variables
again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the
session id must also be unset. If a cookie is used to propagate the
session id (default behavior), then the session cookie must be
deleted. setcookie() may be used for that.
http://www.php.net/manual/en/function.session-destroy.php
Very short:
A session id is created which is sent over to the client on each request, this is stored in a cookie usually called PHPSESSID. The client responds with this session id to tell the server which session it belongs to.
session_destroy only unsets the data, not the identity. So cookies are not touched using that method.

Session cookie versus other kinds of cookies

In Internet Explorer, for example, you can enable first party cookies, third party cookies and allow session cookies.
I know the difference between:
a first party cookie and a third party cookie, and
a PHP session and a cookie.
But what is a session cookie? And how can you set one using PHP?
For example, you cannot log into Facebook without cookies enabled. However, if you allow session cookies, you can log into Facebook.
So, how does a session cookie differ from other kinds of cookies?
A cookie has a lifetime, after which it will expire (As denoted by the Expires directive). If you don't set a timeout, the browser will expire the cookie when you close the browser. This is called a session cookie.
These kind of cookies are often used to track a users current session state on the server side (E.g. php's sessions), but there is not a strong relation between the two uses of the word "session"
A session cookie holds the unique identifier that PHP generates when session_start() is called, so that each client can be associated with a session, and no two sessions can have the same ID at the same time.
The session cookie is usually destroyed when the browser window is closed, or can be done manually using session_destroy().
From Wikipedia:
Older definition: (2011-12-17)
A session cookie is created when no Expires directive is provided when
the cookie is created.
Latest definition:
A session cookie, also known as an in-memory cookie or transient
cookie, exists only in temporary memory while the user navigates the
website.[18] Web browsers normally delete session cookies when the
user closes the browser.[19] Unlike other cookies, session cookies do
not have an expiration date assigned to them, which is how the browser
knows to treat them as session cookies.
In PHP, when you use session_start() it creates a session, this will create a session cookie in the client browser, PHP needs the client to send this info back with each request so that PHP can tell the session ID.

Categories