I have 4 SESSION variables for keeping a user active
$_SESSION['login']
$_SESSION['m_ID']
$_SESSION['l_cd']
$_SESSION['loginAs']
When I visit another profile from my profile I automatically log out, because $_SESSION['m_ID'] changes to the id of the profile I visit. I only change $_SESSION['m_ID'] when logging in. There are three types of login:
normal user
admin
cookie (if you tick "remember me", then after you close the browser and reopen it, the session is automatically set from cookies)
I searched the entire site for $_SESSION['m_ID'] = and $_SESSION["m_ID"] = but I only found these three. On my local site it works fine. Is there any way to find where the session is changed?
PHP stores in your browser a cookie with the reference to the physically serialized file of the session data.
When you call session_destroy() or similar, this cookie expires. After logout, when you call session_start(), a new cookie is created with the reference to another file.
You need to unset all variables because you don't refresh the session; the cookie is the same all the time. I recommend that you use session_destroy() to log out.
I initially thought that PHP stores a session ID cookie and identifies the user based on this cookie. This cookie expires as soon as the browser is closed.
I was implementing a "remember me" feature, and so I logged in with "remember me". Then I closed the browser and opened it again, but it did not log in through the cookie I stored; instead, the session variables were still holding the login information. This seems very strange.
So the question is: how do these session variables still persist even after the browser is closed and opened again?
That is most of the time browser dependent. In some browsers, like the latest version of IE, no such problem is seen: after closing the browser, all session variables are destroyed. But in Google Chrome it doesn't happen.
Moreover, session variables are URL sensitive. If you created the session on a URL, say http://www.example.com, then these session variables are restricted to this specific address only. If you open your page with the URL http://example.com then you will see that there are no session variables this time, though the destination is the same for both pages. So keep in mind to redirect your page according to the URL you used to store the session variables. For more related information on session variable problems, visit this link
I have a login page which opens a profile page. Now when a user logs in, the session is set. But I have not provided a logout facility yet. So I can very well open the login page and log in as a different user, without the sessions and cookies being destroyed. My question is: when I log in the second time, which session does the browser use, the previous one or the one which has been recently created? The profile page checks whether the session is set or not. Can we have two sessions simultaneously for the same website?
Yup, I agree with you SAM.
Usually a session is set for one user in one browser, and it will be automatically destroyed by the second user when they log in in the same browser. I think it would take more configuration if you want two sessions with the same value; for example Facebook and Twitter use one session simultaneously.
Maybe, if you don't want to destroy the first session when the second user logs in, you can make a function to check whether the session is used or not.
Yes, you can have two or more sessions; you have to create them with different names.
$_SESSION['user1'] = "some value";
$_SESSION['user2'] = "some value";
But if you are making only one session, the new value will overwrite the previous one.
But it doesn't make sense why you would want to log in with 2 users simultaneously. You should provide more information.
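Both the first question (viewing another profile overwrites $_SESSION['m_ID']) and the question about logging in a second user come down to the same design point: the logged-in identity should live in its own session key, written only by the login code, and a new login should replace it under a fresh session id. The following is an added example, not code from any of the posts above; the key names 'auth' and 'view' and the function names are this example's own choices.

```php
<?php
// Added example: keep "who is logged in" ($_SESSION['auth']) apart from
// "what page state is being shown" ($_SESSION['view']), so that visiting
// someone else's profile can never change the logged-in member id.

declare(strict_types=1);

function startSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // HttpOnly keeps page scripts away from the id; SameSite=Lax stops
        // most cross-site requests from carrying it. Add 'secure' => true
        // once the site is served over HTTPS.
        session_set_cookie_params([
            'lifetime' => 0,
            'path'     => '/',
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Called exactly once per login, after the password (or admin credential,
// or a valid remember-me cookie) has been verified. A second login in the
// same browser simply replaces the first user and gets a fresh session id.
function loginUser(int $memberId, string $loginAs): void
{
    startSession();
    // New id on privilege change: an id the browser held before login
    // (session fixation) cannot be reused. true discards the old session file.
    session_regenerate_id(true);
    $_SESSION['auth'] = [
        'login'   => true,
        'm_ID'    => $memberId,   // the logged-in member and nobody else
        'loginAs' => $loginAs,    // 'user', 'admin' or 'cookie'
        'since'   => time(),
    ];
    unset($_SESSION['view']);     // page state from the previous user is gone
}

// Per-page state for the profile view. Writes only to $_SESSION['view'],
// never to $_SESSION['auth'], so the identity survives navigation.
function viewProfile(int $profileId): void
{
    startSession();
    $_SESSION['view'] = ['m_ID' => $profileId];
}

function currentUserId(): ?int
{
    startSession();
    return $_SESSION['auth']['m_ID'] ?? null;
}

function logout(): void
{
    startSession();
    $_SESSION = [];
    session_destroy();
}
```

To find the stray write the first asker was looking for, a single grep over the code base catches every assignment into the session regardless of quote style or spacing: grep -rnE '\$_SESSION\[[^]]+\]\s*=[^=]' /path/to/site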
I am trying to keep a user logged in for 2 weeks: if the user logs in with "remember me" checked, then I set some variables in the session and a cookie set for 2 weeks. It is set correctly; I have printed it and got the values session_cookie_lifetime = 1209600 and session_gc_maxlifetime = 1209600. I also printed the session and got the correct values in $_SESSION.
After logging in on my site, when I shut down my computer and reopen my site it seems to be working (it keeps me logged in). But when I shut down my computer and open my browser the next day, it is not working and it shows that I am not logged in on my site. I have printed $_COOKIE and $_SESSION. It shows that in the cookie there is:
[PHPSESSID] => svikos35bgclmebk2cqraiddt2
But the session is empty.
I got this from the MODx docs:
MODx automatically starts and ends sessions with each request made to the site. You can simply save values into the $_SESSION array and they will be saved in between requests so you can use them on subsequent pages (so long as you have the same user session). Not really any magic to it other than don't call the session functions yourself to start, end, or otherwise manipulate the session configuration; that can all be done via settings in MODx.
I am using MODx Revo. It is a bit of a descriptive question; let me know if you need something else.
Anything that may help me (blog link, any settings, any suggestion) will be highly appreciated.
Thanks in advance
This only happens after a day?
Could tmpwatch be deleting session files from the server?
session_cookie_lifetime and session_gc_maxlifetime don't guarantee that the session will be saved for a week. GC kills unused sessions. Check the PHP documentation about these parameters and you will see that you can't be sure that your session will be on the server, and you can't be sure that your session will be destroyed after this time. GC is async.
You need to recreate $_SESSION after login (and autologin) if it doesn't exist.
Check this article (in Russian, try Google Translate):
PHP GC: unexpected behavior
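The advice above, recreating $_SESSION on autologin instead of relying on the session file surviving for two weeks, looks like this in practice. This is an added example, not the asker's MODx code or anything from the answer: a persistent "remember me" cookie carries a selector/validator token, only a hash of the validator is stored server-side, and every request rebuilds the session from the token when GC has removed the session. The table name auth_tokens, the cookie name remember_me and the in-memory SQLite (standing in for the real database) are this example's assumptions.

```php
<?php
// Added example: "remember me" that survives session garbage collection.
// The session may disappear at any time; the remember_me cookie is the
// durable credential, verified against the database on each visit.

declare(strict_types=1);

const REMEMBER_COOKIE  = 'remember_me';
const REMEMBER_SECONDS = 14 * 24 * 3600;   // two weeks, as in the question

function db(): PDO
{
    static $pdo = null;
    $pdo ??= new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    return $pdo;
}

function installTokenTable(): void
{
    db()->exec('CREATE TABLE IF NOT EXISTS auth_tokens (
        selector       TEXT PRIMARY KEY,
        validator_hash TEXT NOT NULL,
        user_id        INTEGER NOT NULL,
        expires        INTEGER NOT NULL)');
}

// Issue a token after a successful password login with "remember me" ticked.
// Only the hash of the validator is stored, so a copy of the table alone
// is not enough to forge a cookie.
function issueRememberMe(int $userId): void
{
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + REMEMBER_SECONDS;

    $stmt = db()->prepare('INSERT INTO auth_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'httponly' => true,
        'samesite' => 'Lax',
        // 'secure' => true once the site is served over HTTPS
    ]);
}

// Resolve a remember_me cookie value to a user id, or null if it is
// malformed, unknown, expired, or the validator does not match.
function userFromRememberMe(?string $cookieValue): ?int
{
    if ($cookieValue === null || substr_count($cookieValue, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookieValue, 2);

    $stmt = db()->prepare('SELECT validator_hash, user_id, expires FROM auth_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison against the stored hash.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}

// Run at the top of every request. If the session carries no user (new
// browser, or the session file was garbage-collected), rebuild it from the
// remember_me cookie instead of treating the visitor as logged out.
function ensureLoggedIn(): ?int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (isset($_SESSION['user_id'])) {
        return (int) $_SESSION['user_id'];
    }
    $userId = userFromRememberMe($_COOKIE[REMEMBER_COOKIE] ?? null);
    if ($userId === null) {
        return null;
    }
    session_regenerate_id(true);   // fresh id when privilege changes
    $_SESSION['user_id']   = $userId;
    $_SESSION['login_via'] = 'cookie';
    return $userId;
}

installTokenTable();
```

On logout, delete the auth_tokens row for the cookie's selector and expire the remember_me cookie as well as the session; otherwise the next request would quietly log the user back in.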
The basic idea behind SESSION is that when you create or call the session_start() method, your server generates a session id and stores it in server memory. The server also creates a cookie on your client machine; that cookie contains an id that is related to your server-side session id. When you call the session_destroy() method, the server deletes that id on the server side, but the client-side cookie doesn't go away. That is why your session id is still shown. You can also check by clearing cache and cookies. When you clear cookies, your session will be destroyed.
I have an application where the login and logout work correctly. Once the user logs out and tries to access a page he needs authentication for, he is redirected to the login screen.
Where my problem lies is this. If, while I am logged in, I copy the cookie values and save them in a file, then after logout I alter the cookie and add the same values, I get logged back into the application as the same user.
On logout I have written a function that loops over all the cookies and deletes them.
My understanding is that cookies are both on the client and also on the server side. So if the cookies are getting deleted, they are getting deleted on both sides, and the server would not recognize them after they have been cleared, even if the browser sends them back again (apparently that is not the case, I think).
The reason why I am doing this is because this is one of the points raised by our security auditor, and I need to get a way to fix this hole. (At this point doing HTTPS is not feasible.)
I'd be happy if someone can give me pointers on how I can clear out the cookies on the server side as well, so that when the next time someone hits the server with the same cookie, it does not accept it as a valid cookie.
Edit:
I am using CodeIgniter sessions and tank_auth as the authentication library. At logout, the library itself calls
$this->ci->session->sess_destroy();
To be extra sure, I tried the following after a few attempts:
session_start();
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(), '', 0, '/');
session_regenerate_id(true);
My regular logout works, and if I try to access the page directly it does not open.
But if, while I am logged in, I take my cookie, save it somewhere, log out successfully and replace the cookie with my older one, I get right back into the session.
Is there a way to stop this behavior, so that the server side will not entertain a session after it has been destroyed? I also made sure that my server and PHP are on the same timezone (setting it with date_default_timezone_set).
Cookies are not stored on the server at all. They are stored in the browser and then sent to the server in the request headers. You can easily find software and plugins for browsers that allow you to create/edit/delete cookies. For that reason you should never store sensitive information in cookies. Essentially what you want to do is store the user data in a session and then store the session name in a cookie. Usually this is done automatically in PHP when you use the function session_start().
If you are using CodeIgniter, the PHP session functions are wrapped in a CI session library that is auto-loaded on each page load. So instead of storing data in $_COOKIE you will want to get/set your data via the userdata method in the session library:
// in your controller
// save session data
$userdata = array(
    "isLoggedIn" => true,
    "username"   => $_POST['username']
);
$this->session->set_userdata($userdata);
// get session data later
$isLoggedIn = $this->session->userdata("isLoggedIn");
if (!$isLoggedIn) {
    // if the user is not logged in, destroy the session and send to the login screen
    $this->session->sess_destroy();
    redirect("/");
}
Note that the code above is not tested and is only supposed to give you an idea of where to go. If the session methods aren't working for you, you may need to load the library manually:
// in the __construct method of your controller:
$this->load->library("session");
You can find more information here:
http://ellislab.com/codeigniter/user-guide/libraries/sessions.html
and here:
http://www.php.net/manual/en/book.session.php
Thanks for your answers guys.
This is what I figured out later. I am not sure what was causing this, but the sessions were not getting invalidated after trying everything. I moved the sessions in CodeIgniter to the database. Then the logouts started working correctly: after logout, if the 'stolen'/'saved' cookie was put in the browser again it would not log the user back in.
So, that's what solved it.
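What the asker needed, and what moving sessions to the database gave them, is a server-side record that can be revoked: CodeIgniter's cookie-based session driver of that era kept the session data inside the cookie itself, so there was nothing on the server to invalidate and a saved cookie stayed valid. The following added example (not the asker's code, and not CodeIgniter's or tank_auth's) shows the same property in plain PHP: every login registers its session id on the server, every protected request checks that the id is still registered, and logout removes it, so a cookie captured before logout is refused afterwards. The table name active_sessions and the in-memory SQLite standing in for the real database are assumptions of this example.

```php
<?php
// Added example: a server-side list of valid session ids, so that a
// logged-out id is rejected even if the browser presents the old cookie.

declare(strict_types=1);

function db(): PDO
{
    static $pdo = null;
    $pdo ??= new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    return $pdo;
}

function installSessionTable(): void
{
    db()->exec('CREATE TABLE IF NOT EXISTS active_sessions (
        session_id TEXT PRIMARY KEY,
        user_id    INTEGER NOT NULL,
        created    INTEGER NOT NULL)');
}

function startSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// After the credential check: a fresh id (defeats fixation) plus a
// server-side record that this id belongs to this user.
function loginUser(int $userId): void
{
    startSession();
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $stmt = db()->prepare('INSERT OR REPLACE INTO active_sessions (session_id, user_id, created) VALUES (?, ?, ?)');
    $stmt->execute([session_id(), $userId, time()]);
}

// Authorization check for every protected page. The cookie and whatever
// session data it resolves to are not trusted on their own: the id must
// still be registered, so a replayed or revoked id yields null.
function currentUser(): ?int
{
    startSession();
    $userId = $_SESSION['user_id'] ?? null;
    if ($userId === null) {
        return null;
    }
    $stmt = db()->prepare('SELECT 1 FROM active_sessions WHERE session_id = ? AND user_id = ?');
    $stmt->execute([session_id(), $userId]);
    if ($stmt->fetchColumn() === false) {
        $_SESSION = [];   // stale data riding on an unregistered id
        return null;
    }
    return (int) $userId;
}

function logout(): void
{
    startSession();
    $stmt = db()->prepare('DELETE FROM active_sessions WHERE session_id = ?');
    $stmt->execute([session_id()]);
    $_SESSION = [];
    // Expire the cookie with the same attributes it was issued with;
    // a mismatch in path or domain leaves the old cookie in place.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'] ?: 'Lax',
    ]);
    session_destroy();
}

// "Log out everywhere": revoke all of a user's sessions, for example after
// a password change or when an auditor reports a leaked cookie.
function logoutEverywhere(int $userId): void
{
    $stmt = db()->prepare('DELETE FROM active_sessions WHERE user_id = ?');
    $stmt->execute([$userId]);
}

installSessionTable();
```

The registry is what makes the difference: session_destroy() only removes the server's copy of the data, and if the data lived in the cookie (or the destroy never reached the store), the next request recreates it. With the table, the decision "is this id still valid" is made from server state that logout has already changed.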
How and where can I use
$this->Session->destroy()
for the session to be destroyed whenever the page is closed?
And how can I keep the session open until the page is closed, independent of time?
I need this because when the user enters the page, some specific variables are unset in the session, and when he leaves, I need this session to be destroyed.
I'm not able to do this using CakePHP.
Sessions are stored on the server, so if the browser is closed or the user goes to a different page, there is no obligation for it to inform the server about this action.
Sessions are stored for a certain time on the server, and after some time of inactivity, or if you properly log out, they will be destroyed there automatically.
Check the Sessions info in the CakePHP cookbook for more info regarding Sessions.
You can try to use $(window).unload(function(){alert('Closing browser')});
and do an AJAX call to the server to destroy the session, but this may not work on some browsers, and the function is already deprecated in jQuery 1.8; for more info:
http://api.jquery.com/unload/
If you have used the CakePHP 3.0 Auth component then there is no need to do anything; all session and cookie management is carried out by the core Session component.
$this->Session->destroy()
will destroy all cookie and session data, but if you want to destroy a particular session key then you can do it with this code:
$this->Session->destroy($val);
Here, $val represents the particular session key to destroy.