I have a LAMP server. I have started playing around with php cookies and sessions inside my scripts. Is there any way to check what or how many and what type of session I have active? I am able to check if cookies are being deleted from client side but sessions are server side with only a token in the client side.
Is there a command of some sort that would allow me to view active sessions (amount, time, session info) connected to my server?
Thanks.
By default PHP stores session on disk. Go do your sessions directory and check the active sessions there.
The file name of the session directory is the session token and the data stored in the file is the session data.
Related
I am working on an PHP API application that will work an different domains (and hosted on different servers) that need to share user session. Let's say api.a.com and api.b.com.
Back end side, for me, storing session data using a session id key that can be fetch from multiple domain is the easy part.
My main concern is sending session id to both api.a.com and api.b.com. Native PHP session uses cookies to send session id for each request. Having different top level domain, the cookies will not be sent to all domains (unless I explicitly use Javascript to extract it and send it as a request header).
I thought about storing the session id inside the the Json Web Token data sent to the server, but somehow, it feels wrong.
Any thoughts on this?
Use a memcache server. PHP supports saving sessions in memcache.
With Amazon, I have a load balancer front with Linux instances, each connected to memcache.
Then I have a completely different EB application and domain that accesses the same memcache and pulls real time stats, so it's pretty easy to setup access to the same memcache server or cluster from different applications.
Note there's a difference between "memcache" and "memcached" -- either can be used, but they're different servers!
Use a memcache server. PHP supports saving sessions in memcache or mysql.
then use sessionid by http transport.
`
$sid = $_REQUEST['sid'];// receive sessionid
session_start();
session_id($sid); //reset current sessionid by $sid
var_dump($_SESSION["A_DOMAIN_SESSION"]);
var_dump($_SESSION["B_DOMAIN_SESSION"]);
?>`
I'm using https://github.com/panique/php-login-advanced login script, also there is a NodeJS server which authenticates users by their session cookies. The problem is when the user resets his password, he's still able to authenticate with his old session cookie. My goal is to remove all cookies for a user that reseted his password, so he will not be able to re-authenticate with his old session cookie. Already tried with php script that is searching for all sessions in /var/lib/php5/* and deletes them. All was fine while running that script under 'root', but this is not an option and apache user don't have privileges to read this folder. I'm looking for a better solution than just give read/write privileges to that folder.
Instead of using file-based sessions with PHP, why not use something like redis instead? Then both node and PHP can access the same session easily and removing the session is simple. For this kind of solution see this answer as a guide.
Just reset the session storage path(session.save_path) in your php.in to a directory accessible by apache and restart you apache server
i would like to know that when a session starts on server in PHP what actually happens SEQUENTIALLY on server and client side?
like when a page with some session values is accessed, will create a file on server first or it creates a cookie on client computer? and what if cookie is disabled on client machine?
Please let me know if someone has any comments on this.
Thanks!!
Session can't be disabled on client machine unlike cookies.
Manual on Session, Cookies and Session vs Cookies.
If I'm using PHP to perform a cURL POST to a remote server running code containing session_start(), is it possible to access session variables set on the local machine on the remote?
Unless you've got PHP trans_sid option turned on (BAD idea), POST has nothing to do with session values. That's mediated through a standard cookie.
Cookies are bound by same-domain security settings - they CAN be shared between hosts in the same domain (e.g. foo.example.com and bar.example.com), but an Amazon cookie cannot be shared with Yahoo.
No they do not. Even sending a session cookie, which you can do with cURL POST, will reference a session which exists only on the requesting server.
No.
The session variables are server-specific. They only cross to another server if the session ID were to be set correctly, and if they were using a shared session data-store, such as memcached.
Please tell me how apache server store each logged user's session details.
I have never heard of Apache storing any session details.
Apache is HTTP demon and HTTP is stateless protocol, with no session support.
You're probably talking of some language emulates stateful connection, using cookie or query string to pass a session identifier.
Basically in PHP Sessions, the server will use eithers cookies or URL rewriting.
If cookies are enabled, it will store
the sessionID in a cookie.
If cookies are disabled, it will pass
the sessionID using a parameters
(GET) by appending forms with a
hidden elements and links with the
ID.
PHP stores session data as text files on disk. The browser is then assigned a cookie which identifies which session that belongs to that browser.