PHP maintain Session ID Between Multiple Servers Memcached - php

I need to share PHP sessions between multiple servers. However, I'm not sure how to maintain the session ID created on one server and how to pass it to the next server.
Essentially, a client can upload a file, but which server the file is sent to depends on which server is not overloaded.
For example, session_start() is called on test.com
An AJAX post is sent to serv1.test.com. When I call session_start() on serv1.test.com, I want it to pull the existing session information that was created by session_start() on test.com. However, that doesn't seem to be the way PHP sessions work?
I installed Memcached and followed this guide here:
https://www.digitalocean.com/community/tutorials/how-to-share-php-sessions-on-multiple-memcached-servers-on-ubuntu-14-04
I have one centralized memcache server that test.com and serv1.test.com are configured to use. However, session_start() creates a unique session on each server instead of reusing the same session. If I send the PHPSESSIONID to each server, then I can load the existing session.
How do I accomplish what I'm trying to do? I could send the PHPSESSIONID as a variable in the AJAX POST, but isn't that a security risk? That is something that could be changed by the user...
How do I get serv1.test.com to continue to use the same session set on test.com? How do I pass that session ID to serv1.test.com securely so I can use session_id("existingsessionid_from_test.com") to open the existing session?

The solution was to set the session.cookie_domain to include subdomains.
session.cookie_domain = ".test.com"
Thanks frz3993
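A shared session bootstrap that applies the `session.cookie_domain` fix above on both test.com and serv1.test.com, as an added example that is not code from the original post. It assumes PHP 7.3 or later and the `memcached` extension; the Memcached host name and the `user_id` session key are hypothetical placeholders.

```php
<?php
// Added example: include this file on every host before any output is sent.
// Assumptions: PHP >= 7.3, the "memcached" extension, and a placeholder
// Memcached host (memcache.internal.example) reachable from all web servers.

// All hosts read and write session data in the same central store.
ini_set('session.save_handler', 'memcached');
ini_set('session.save_path', 'memcache.internal.example:11211'); // placeholder

// Take the session ID from the cookie only, never from a URL or POST field,
// so the client has no second channel through which to supply an ID.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Refuse session IDs that this installation did not issue itself.
ini_set('session.use_strict_mode', '1');

session_set_cookie_params([
    'lifetime' => 0,            // cookie lives until the browser is closed
    'path'     => '/',
    // The fix from the answer: the leading dot scopes the cookie to test.com
    // and all of its subdomains. Every subdomain will receive the session
    // cookie, so each of them has to be trusted with it.
    'domain'   => '.test.com',
    'secure'   => true,         // send over HTTPS only
    'httponly' => true,         // not readable from JavaScript
    'samesite' => 'Lax',        // test.com and serv1.test.com are the same site
]);

session_start();

// On serv1.test.com: accept the upload only when the session created on
// test.com is present. 'user_id' is a hypothetical key set at login.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('No active session');
}
```

Because test.com and serv1.test.com are different origins, the browser attaches the cookie to the AJAX POST only when the request is sent with credentials (for example `XMLHttpRequest.withCredentials`) and the response permits credentialed cross-origin requests.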

Related

Session attributes loss after send another request

I have a problem with session attributes: they are set but lost after another request.
Symfony 2.4.10, PHP 5.4.17, fedora 17
Session store using PDOSessionHandler
I want to share my session between two domains, www.mydomain.com and clone.mydomain.com.
I have set php_value session.cookie_domain .mydomain.com in virtualhost
I have found my answer: I was making two concurrent AJAX requests, and the first was not able to set session data. I didn't want to set any session data in the second AJAX request, so I used session_write_close() at the beginning of it.

Who creates a session, and does a cookie have any role in it?

I was asked this question in a company's interview process and didn't know the answer. I would like to know which side creates sessions, i.e. whether the client side or the server side, and whether a cookie has any role in it.
Also, how does the server understand which session is provided to which client, and to which user of the client if multiple users are logged in?
What’s the difference between a cookie and a session in PHP?
PHP sessions improve upon cookies because they allow web applications to store and retrieve more information than cookies. PHP sessions actually use cookies, but they add more functionality and security.
Sessions store data on the server, not on the browser like cookies
The main difference between a session and a cookie is that session data is stored on the server, whereas cookies store data in the visitor’s browser. Sessions use a session identifier to locate a particular user’s session data. This session identifier is normally stored in the user’s web browser in a cookie, but the sensitive data that needs to be more secure — like the user’s ID, name, etc. — will always stay on the server.
Sessions are more secure than cookies
So, why exactly should we use sessions when cookies work just fine? Well, as we already mentioned, sessions are more secure because the relevant information is stored on the server and not sent back and forth between the client and server. The second reason is that some users either turn off cookies or reject them. In that scenario, sessions, while designed to work with a cookie, can actually work without cookies as a workaround, as you can read about here: Can PHP sessions work without cookies?.
Sessions need extra space, unlike cookies
PHP sessions, unlike cookies which are just stored on the user’s browser, need a temporary directory on the server where PHP can store the session data. For servers running Unix this isn’t a problem at all, because the /tmp directory is meant to be used for things like this. But, if your server is running Windows and a version of PHP earlier than 4.3.6, then the server will need to be configured – here is what to do: Create a new folder on your Windows server – you can call it something like C:\temp. You want to be sure that every user can read and write to this folder. Then, you will need to edit your php.ini file, and set the value of session.save_path to point to the folder which you created on the Windows server (in this case, that folder is under C:\temp). And finally, you will need to restart your web server so that the changes in the php.ini file take effect.
Sessions must use the session_start function
A very important thing to remember when using sessions is that each page that will use a session must begin by calling the session_start() function. The session_start() function tells PHP to either start a brand new session or access an existing one.
How session_start in PHP uses cookies
The first time the session_start() function is used, it will try to send a cookie with a name of PHPSESSID and a value of something that looks like a30f8670baa8e10a44c878df89a2044b – which is the session identifier that contains 32 hexadecimal letters. Because cookies must be sent before any data is sent to the browser, this also means that session_start must be called before any data is sent to the Web browser.
The server creates the session and sets the cookie, which is stored in the client's browser. The cookie contains a session identifier (a string of characters) that allows the user to access a particular session on the server. This session identifier corresponds to the session on file.

synchronize php session between apache server and nginx

Is it possible, and how, to pass the PHP session variables I have with PHP and Apache?
I have a main site with a login option for my users that runs on an Apache server, and I want to use nginx as a chat/communication server that automatically gets all the session variables I have in the Apache/PHP session without passing the PHP session ID (for security reasons). Both servers have the same IP and stay on the same domain. The nginx server will be on a subdomain. I have already set the PHP session to work on any subdomain, but is this also valid if I use an nginx server?
Any example will be helpful.
Thanks in advance.
Technically, the php sessions are files, which are usually located somewhere in /tmp. So once you've the session cookie, you can just read and unserialize the file's contents — after checking, it goes without saying, that the session is not expired.
If you need a more convenient format, look at php's session options. I'm quite sure you can serialize it as json for more portability, and there are ways to store sessions in SQL or even memcached.
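A sketch of the file-reading approach described in this answer, as an added example that is not part of the original answer. It assumes the login site uses the default `files` handler with a flat save path and sets `session.serialize_handler = php_serialize`, so each file is plain `serialize()` output; the function name and the demo values are hypothetical.

```php
<?php
// Added example. Assumptions: default "files" save handler with a flat
// directory, and session.serialize_handler = php_serialize on the site
// that writes the sessions.

function load_session_from_cookie(string $sid, string $savePath, int $maxIdleSeconds): ?array
{
    // The cookie value is client-controlled and becomes part of a file name.
    // Accept only the characters and lengths PHP uses for session IDs, which
    // also rules out "/" and ".." in the path built below.
    if (!preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $sid)) {
        return null;
    }

    $file = rtrim($savePath, '/') . '/sess_' . $sid;
    if (!is_file($file)) {
        return null;
    }

    // Expiry check mentioned in the answer: treat a file that has been idle
    // longer than the configured lifetime as a dead session.
    clearstatcache(true, $file);
    if (time() - filemtime($file) > $maxIdleSeconds) {
        return null;
    }

    $raw = file_get_contents($file);
    if ($raw === false || $raw === '') {
        return null;
    }

    // allowed_classes => false keeps unserialize() from instantiating
    // objects from the stored data.
    $data = unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Constructed demo data: write a sample session file, then read it back.
$dir = sys_get_temp_dir();
$sid = 'a30f8670baa8e10a44c878df89a2044b'; // sample ID in the 32-hex format
file_put_contents("$dir/sess_$sid", serialize(['user_id' => 42]));

var_dump(load_session_from_cookie($sid, $dir, 1440));       // valid ID
var_dump(load_session_from_cookie('../sess_x', $dir, 1440)); // rejected ID
```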

PHP cookies in a multi-server environment

I am experiencing difficulties retrieving a cookie in an environment where the URL is http://somesite.com and the request is sent through a load balancing application and farmed out to various servers. I can set the cookie using setcookie in a PHP script as follows:
setcookie("NameTest", $cookieText, time()+3600, "/");
and a cookie somesite.com is created; however, when I attempt to read the values back from that cookie on the running system, I never find the created cookie. I know there must be a way of doing this but haven’t found anything I can use. Can anyone tell me how to accomplish this function?
This of course works perfectly on a single server without the load balancing routine.
Cookies are round-tripped client<->server on every request. If the cookie's not present on subsequent requests, you'll have to figure out why the client isn't sending it. If the load balancer is transparent to the end user, then it shouldn't matter which server is handling the request - the client would've sent the cookie regardless. So if it's not being sent, then it's not being set properly in the first place.
Yes you can, because externally the client sees same IP and domain address. But if you need to share SESSION info, you have to use something like memcached or mysql to share session data between nodes.

where does session save?

I would like to know where PHP session data is saved; is it in client browser? or on the server?
When I disable cookies in my browser setting, PHP can't save session data, but in php.ini, I can change the session save path.
Is session data stored on the server or client browser?
The session data that you read and write using $_SESSION is stored on server side, usually in text files in a temporary directory. They can not be accessed from outside.
The thing connecting a session to a client browser is the session ID, which is usually stored in a cookie (see the comments for exceptions to that rule). This ID is, and should be, the only thing about your session that is stored on client side.
If you delete the cookie in the browser, the connection to that session is lost, even if the file on the server continues to exist for some time.
The session.save_path variable influences the location on the server where the session data is stored. If you are not the server's administrator, it is usually not necessary to change it.
It's both! A session saves the actual session information on the server, but gives an identification cookie to the client to know which session belongs to which client. The information in the cookie itself is worthless, but allows the server to identify the client and use the actual session information.
"Is session data stored on the server or client browser?"
It makes me think of a valet parking system. The valet (server) keeps your car (session data), but he/she gives you a ticket (session id) to hang onto which proves that the car is yours when you need access to it. If you lose your ticket (by deleting your cache, or closing the browser), your car (session data) is as good as gone since you can't prove it's your car anymore.
Okay, it's just an analogy...and breaks down quickly. E.g. you don't actually own your session information like you do your car. And you don't get to drive it away.
Both. The session in the client (browser) is saved as a cookie. This cookie references a session which also resides on the server.
It is stored on the server side to maintain security; but additional cookies could be also stored on the client side.
