This question already has answers here:
How do PHP sessions work? (not "how are they used?")
(4 answers)
Closed 6 years ago.
Session is a server side variable it works in server, cookies are working in client side. I login to website the session is started, then i clear my browsing history and reload my webpage its logout and redirected to login page. How it Works?. How sessions automatically destroyed?
The contents of the session are stored at the server. However the session is identified by a session-id, which is stored at the client and sent with each request.
Usually the session-id is stored in a cookie, but it can also be appended to urls. (That's the PHPSESSID query-parameter you some times see)
So when you clear the browser cache, cookies are deleted(Session_ID is also deleted) and hence session variables can't be accessed.
If your server binds session with cookies for authentication purposes or checks saved cookie in each page load. And if in your browser you have set to delete cookies upon clearing browsing history, then yes it can be done, you can get logged out.
One workout is to try clearing browsing history without clearing cookies set by websites.
As commented, the cookie you delete tells the server who you are. Without it, you need to login in again to get a new identifying cookie.
Related
I have many doubts on cookies and session
1) can anyone explain me work flow of cookies and session together(example if I visit any site and then login by my email and password then how cookies and session work together)
2) if cookies is set for 5 minutes and session is set for 10 minutes what will happen
3) how flow will work if cookies is disabled in my computer.
There are many questions which cover your doubts already, I'll link some below. I'll answer your specific questions first:
1) When you visit a website for the first time, actually when you do a session_start() on the PHP side, a new session ID is generated (a random string) and sent to the browser as cookie, usually with the name PHPSESSID, so next time you visit the site the same data is loaded back from the session file (which is stored somewhere on the server)
2) If cookie expires before the session the browser won't send the PHPSESSID value, thus a new session ID is generated. It is usually advisable to use an expire time for cookies way longer. When you expire a cookie, you rely on the client's browser to honor your disposition, but to be safe you must expire the session server side.
3) Sessions won't work, every time the client requests a page a new session cookie will be generated
Some more information:
cookies vs session
Cache VS Session VS cookies?
What is the difference between a Session and a Cookie?
I have a little confusion about PHP session and session cookies.
Let me ask my question by giving an example of www.example.com.
When I login to www.example.com, it starts a session. So I'm logged in as a user on this website.
Now when I clear cookies in my browser, it deletes all the browser cookie.
My question is - Is the session at www.example.com destroyed when I clear the browser cookies even when I haven't clicked on logout button to destroy the session ?
So that explains what I want to ask.
Does clearing browser cookies automatically destroys PHP session even when you haven't done anything on a website that will call the function to destroy the session ??
Why PHP session destroys when clear browser's cookie
After clearing cookies PHP does not destroy session, it just cannot receive session id anymore (which is stored in cookies), so link between session data and current user connection is lost. PHP destroys session later, depending on its' config.
Does clearing browser cookies automatically destroys PHP session even
when you haven't done anything on a website that will call the
function to destroy the session ??
No, it does not. PHP has limits on session lifetime (see php.ini, session.gc_maxlifetime and session.cookie_lifetime), which basically define session lifetime. In addition to official manual, there's also a good explanation of how these settings influence session lifetime.
If you watch carefully, like through web inspector on Chrome/Firefox etc, then you can see that the PHPSESSIONID is set as a cookie. So if you delete all cookies then I imagine you delete this cookie as well and therefore the session doesn't know what ID to use.
It's Mechanisim of Session. You can read more here.
About Session (ussually Server Session). The Server saves all the Session user data on Server and retrives data by Session ID from client (by Cookies).
First time, Client sends a request to Server. The server has not found any Session ID from this request and responses a normal webpage and includes SET-COOKIE: SessionID=xyz
From now, every request from client will include Session ID = xyz (by Cookies).
If you clear Cookies, certainly the Session ID is gone.
I initially thought that php stores a session ID cookie and identifies the user based on this cookie. This cookie expires as soon as the browser is closed.
I was implementing remember me feature, and so I logged in with remember me. Then I closed the browser and opened it again, but it did not login through the cookie I stored, instead, the session variables were still holding the login information. This is seems very strange.
So the question is, how do these session variables still persist even after the browser is closed and opened again?
That is most of the time browser dependent. Some browsers like latest version of IE, no such problem is seen. After closing of browser, all session variables are destroyed. But in Google Chrome it doesn't happen.
Moreover, session variables are URL sensitive. If you created session on URL say http://www.example.com then these session variables are restricted to this specific address only. If you open your page with this URL http://example.com then you will see that there are no session variables this time though the destination is same for both the pages. So keep in mind to redirect your page as according to the URL you used to store session variables. For more related information on session variable problems, visit this link
I can't seem to find a definitive answer on the internet, so I'm asking here.
When one uses session_start(); in a .php script and saves some values, when does the session end? So when would those values not be accessible again?
I've found that refreshing the page or stopping the session code-wise would stop it, and a possible time-out would stop the session as well. But what about navigating away from the site and returning a minute later? And closing the browser?
As for the last one, on mobile, what does 'closing the browser' mean? Closing the tab or even minimalising the site?
If your session values are not linked to any cookie, the session will end when the windows browser will be closed.
If your session variable comes from a cookie, the session will end after time specified in the cookie file.
In PHP, sessions work with a cookie of type session. Server-side, the session information is constantly deleted.
To set the lifetime of a cookie in php, you can use the function session_set_cookie_params, before the session_start:
session_set_cookie_params(3600,"/");
session_start();
For ex, 3600 seconds is a one hour, for 2 hours 3600*2 = 7200.
But it's a session cookie, the browser can make it expire by himself, if you want to save longer sessions (like remember login), you need save the data in the server and a standard cookie on the client side.
Navigating away from a site when using cookies will not break the session.
There are two things that can effectively end a session:
The cookie linking it to the browser gets destroyed. PHP typically uses session cookies. These are deleted when the browser is closed. The browser, not the tab. They can also be deleted manually.
When the server hasn't received a request from the browser with the session cookie for the session for a certain amount of time (defined in session.gc_maxlifetime) and it cleans up the session data.
Are cookies and sessions depend on each other in PHP?
Does deleting or clearing either one of them affect the other?
Does by disabling either one of them in the browser affect the other?
P.S. I am newbie.
Edit: I was newbie at time of writing question. This question is faced by many newbies.
They are totally independent...
Cookies cannot store unlimited value, sessions can
You cannot store data in a cookie if user browser cookie is disabled where in session you can, because session id can append to URL
It is better to store data in sessions than to store in cookies because cookies can be tempered
If you delete cookies, then only those functionalities in your site will be disabled in which you are retrieving these cookies data but you'll be logged in and if you delete session cookie, you'll be logged out.. (1)
Cookies are stored on client machine where session are stored on your server
A session is ended if you close you browser while cookies stay there unless they are manually removed by the user or till they are expired
Inshort you've better control over sessions than on cookies
(1) For example if you are setting a cookie name demo and you are using a splash screen unless and until the demo is set you'll show a splash screen
if(!isset($_COOKIE['demo'])) { //Now this will show lightbox always if user has disabled his cookies
<script>...</script>
}
Articles
http://www.klovera.com/php-sessions-vs-cookies/
Reference
Session
Cookies
Sessions are stored on server, while cookies are on client. You can disable only cookies from your browser. Cookies can't affect session at all. In case of disabled cookies session id is passed via URL. If your cookies are enabled and session id is stored in cookie by deleting cookie you will not be able to access your session (It's still on server but you can't access it)
Also session can't affect cookies.
They are not connected, but by default PHP stores the session id within a cookie, The directive session.use_cookies is defaulted to 1
If cookies are disabled it uses URL. This can be set with session_use_trans_id. (default is disabled)
But if you delete a session cookie on the client, the next request to the server will not be able to find its associated session
Clearing session will not affect the cookies as cookies are attached with the HTTP request from the client to the server. A cookie can be set to expire after x amount of time, after which it is deleted on the client side.
All the answers are correct, just wanted to add this - If you do not set the timestamp for cookie, then the cookie is dependent on session and it will expire as soon as session ends.