I have a little confusion about PHP session and session cookies.
Let me ask my question by giving an example of www.example.com.
When I login to www.example.com, it starts a session. So I'm logged in as a user on this website.
Now when I clear cookies in my browser, it deletes all the browser cookie.
My question is - Is the session at www.example.com destroyed when I clear the browser cookies even when I haven't clicked on logout button to destroy the session ?
So that explains what I want to ask.
Does clearing browser cookies automatically destroys PHP session even when you haven't done anything on a website that will call the function to destroy the session ??
Why PHP session destroys when clear browser's cookie
After clearing cookies PHP does not destroy session, it just cannot receive session id anymore (which is stored in cookies), so link between session data and current user connection is lost. PHP destroys session later, depending on its' config.
Does clearing browser cookies automatically destroys PHP session even
when you haven't done anything on a website that will call the
function to destroy the session ??
No, it does not. PHP has limits on session lifetime (see php.ini, session.gc_maxlifetime and session.cookie_lifetime), which basically define session lifetime. In addition to official manual, there's also a good explanation of how these settings influence session lifetime.
If you watch carefully, like through web inspector on Chrome/Firefox etc, then you can see that the PHPSESSIONID is set as a cookie. So if you delete all cookies then I imagine you delete this cookie as well and therefore the session doesn't know what ID to use.
It's Mechanisim of Session. You can read more here.
About Session (ussually Server Session). The Server saves all the Session user data on Server and retrives data by Session ID from client (by Cookies).
First time, Client sends a request to Server. The server has not found any Session ID from this request and responses a normal webpage and includes SET-COOKIE: SessionID=xyz
From now, every request from client will include Session ID = xyz (by Cookies).
If you clear Cookies, certainly the Session ID is gone.
Related
After logging in a PHP web application and then clear the cookie in inspect element, will the session destroy?? If so,why?
By default php will use a cookie to track a user across page views.
When the page is requested, the session cookie is included, the server matches the session cookie value to a session and then makes the session information available in php when generating a response.
If you delete the cookie in web inspector / console, it can no longer be included with the request and the session will not be matched.
The session still exists on the server until the garbage collection process removes it, but without that cookie, it will never me matched.
Clear cookies in my browser session also destroyed why? I using PHP Scripts.
The basic idea behind SESSION is that, When you create or call session_start() method your server generate a session id and store it on server memory. Also the server create a cookie on your client machine that cookie contains an id that is related to your server side session id. When you call session_destroy() method server delete that id on server side but the client side cookie doesn't. That is why your session id still shown. You can also check by cache and cookie clearing. When you clear cookie your session will destroyed.
Are cookies and sessions depend on each other in PHP?
Does deleting or clearing either one of them affect the other?
Does by disabling either one of them in the browser affect the other?
P.S. I am newbie.
Edit: I was newbie at time of writing question. This question is faced by many newbies.
They are totally independent...
Cookies cannot store unlimited value, sessions can
You cannot store data in a cookie if user browser cookie is disabled where in session you can, because session id can append to URL
It is better to store data in sessions than to store in cookies because cookies can be tempered
If you delete cookies, then only those functionalities in your site will be disabled in which you are retrieving these cookies data but you'll be logged in and if you delete session cookie, you'll be logged out.. (1)
Cookies are stored on client machine where session are stored on your server
A session is ended if you close you browser while cookies stay there unless they are manually removed by the user or till they are expired
Inshort you've better control over sessions than on cookies
(1) For example if you are setting a cookie name demo and you are using a splash screen unless and until the demo is set you'll show a splash screen
if(!isset($_COOKIE['demo'])) { //Now this will show lightbox always if user has disabled his cookies
<script>...</script>
}
Articles
http://www.klovera.com/php-sessions-vs-cookies/
Reference
Session
Cookies
Sessions are stored on server, while cookies are on client. You can disable only cookies from your browser. Cookies can't affect session at all. In case of disabled cookies session id is passed via URL. If your cookies are enabled and session id is stored in cookie by deleting cookie you will not be able to access your session (It's still on server but you can't access it)
Also session can't affect cookies.
They are not connected, but by default PHP stores the session id within a cookie, The directive session.use_cookies is defaulted to 1
If cookies are disabled it uses URL. This can be set with session_use_trans_id. (default is disabled)
But if you delete a session cookie on the client, the next request to the server will not be able to find its associated session
Clearing session will not affect the cookies as cookies are attached with the HTTP request from the client to the server. A cookie can be set to expire after x amount of time, after which it is deleted on the client side.
All the answers are correct, just wanted to add this - If you do not set the timestamp for cookie, then the cookie is dependent on session and it will expire as soon as session ends.
I am confused regarding Session in PHP. My question is when a user closes directly red cross button without logging out whether the session is destroyed or not. If he again opens that page whether he would be asked to login or he would be directed inside the application?
I have googled around, some are saying it will be directed to login and same are saying it will be directed inside the application.
The default session cookie is set to expire when the browser window is closed. The corresponding session on the server will still exist for a while until it is garbage collected. If the user could resurrect/keep the cookie, he could continue to use the session. But again, the browser will discard the cookie when it's closed. You can modify the session cookie settings with an explicit expiration time, which means it will persist until then, giving your user a permanently logged-in status.
Here are all the session and session-cookie related settings you can tweak with ini_set: http://php.net/manual/en/session.configuration.php
PHP sessions should automatically expire when the browser window closes providing you do not modify the Session Cookies expiration time.
moreover whatever scene you described can be done by Cookie
if you set cookie (persistent) for a limited time period then it will not ask for the login untill that and save your login credentials.
redirecting on the last page can be done by your logic not by browser.
check that session.cookie_lifetime in php.ini if it is 0 means whenever we close the browser. it will destroy the session
more info
In Internet Explorer, for example, you can enable first party cookies, third party cookies and allow session cookies.
I know the difference between:
a first party cookie and a third party cookie, and
a PHP session and a cookie.
But what is a session cookie? And how can you set one using PHP?
For example, you cannot log into Facebook without cookies enabled. However, if you allow session cookies, you can log into Facebook.
So, how does a session cookie differ from other kinds of cookies?
A cookie has a lifetime, after which it will expire (As denoted by the Expires directive). If you don't set a timeout, the browser will expire the cookie when you close the browser. This is called a session cookie.
These kind of cookies are often used to track a users current session state on the server side (E.g. php's sessions), but there is not a strong relation between the two uses of the word "session"
A session cookie holds the unique identifier that PHP generates when session_start() is called, so that each client can be associated with a session, and no two sessions can have the same ID at the same time.
The session cookie is usually destroyed when the browser window is closed, or can be done manually using session_destroy().
From Wikipedia:
Older definition: (2011-12-17)
A session cookie is created when no Expires directive is provided when
the cookie is created.
Latest definition:
A session cookie, also known as an in-memory cookie or transient
cookie, exists only in temporary memory while the user navigates the
website.[18] Web browsers normally delete session cookies when the
user closes the browser.[19] Unlike other cookies, session cookies do
not have an expiration date assigned to them, which is how the browser
knows to treat them as session cookies.
In PHP, when you use session_start() it creates a session, this will create a session cookie in the client browser, PHP needs the client to send this info back with each request so that PHP can tell the session ID.