Persistent cookie vs Temporary cookie - php

I am new to PHP. I came across cookies and persistent cookies, and I understand the difference between them. My question is: how can I make a cookie persistent or temporary? I found only one syntax for cookies:
<?php
setcookie("user", "Alex Porter", time()+3600);
?>
Thanks

Physically speaking, there is only one kind of cookie. You can make it persistent by choosing a large enough expiration time. If the expiration time is set to 0, the cookie will last only until your page is opened in the browser.
Your example cookie is persistent; it expires in one hour.
Here is a link with a short explanation.
Most likely you can hardly access the physical cookie on your hard disk, because browsers store them in their internal logic. For example, Firefox stores cookies in a local SQLite database file in the browser's profile folder.

When creating a cookie, 3rd argument (time()+3600 in your example) specifies cookie's expiry date.
time()+3600 means now+3600 seconds, which is 1 hour in the future. Time() function returns current time (unix time) in seconds.
There is no such thing as a really permanent cookie, more like expiring far in the future cookie.

Related

how to keep alive php sessions for login on live server? [duplicate]

How can I keep the user's session active, even if they accidentally closed their browser. Like in Facebook for example.
If you log in to their site and you close the tab or the browser, when you open a browser again and visit Facebook, they will automatically detect the active user and will not redirect you to the login page.
How do I do that?
There's two relevant settings that control session's lifetime.
The first is session.cookie_lifetime. This is the lifetime of the cookie, which by default is 0, which means the cookie is destroyed when the browser is closed. You can set a longer lifetime by increasing this variable. It is relative to the server time, so you need to account for differences in the time in your clients' machine and your server's. Assuming they were the same, setting the option to i.e. 3600 would mean the session would expire in an hour. If you want to keep the session alive for a very long time, you increase this number.
However changing this value is not enough. There's also session.gc_maxlifetime, which is the time after which the session data is seen as garbage in the storage and is destroyed. This differs from session.cookie_lifetime because this option checks the last access time of the session data, so it is relative to the time the session data was last used (i.e. when the user was last active). Even if you set your session.cookie_lifetime to a high value, it'll not be enough because session.gc_maxlifetime is relatively low usually (1440 is the default, which is only 24 minutes).
While you can set these settings both to relatively high values and have it working, I would recommend against doing so, as this will leave a lot of unnecessary session data hanging around in your session storage, due to the GC not collecting actual dead session (which also increases the chance of someone hijacking a session in a system that is not properly secured). A better approach is making a remember me cookie. Basically you assign the user's ID and some authentication token that you store in the database for each user (this is to prevent someone spoofing the cookie) in the cookie, and give it a long lifetime. In your application's initialization code you'll check if the user is logged in. If he/she is not logged in, you'll check if the remember me cookie is set. If it is, you pull the user from the database based on the user ID in the cookie, and then validate the authentication token in the db is the same one as in the cookie. If they match, you simply create the session and log the user in automatically.
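The remember-me flow described in the answer above, as an added example that is not part of the original post. The in-memory `$store` array stands in for the database table, and the function names, the cookie name `remember` and the 30-day lifetime are assumptions. It goes one step beyond the answer by storing only a hash of the token and rotating the token on each use.

```php
<?php
declare(strict_types=1);

const REMEMBER_TTL = 60 * 60 * 24 * 30; // assumed 30-day lifetime

// Hypothetical in-memory stand-in for a database table: user ID => hash + expiry.
$store = [];

// At login: the cookie carries "userId:token"; the store keeps only a hash of the token.
function issueRememberToken(array &$store, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $store[$userId] = [
        'hash'    => hash('sha256', $token),
        'expires' => $now + REMEMBER_TTL, // expiry is enforced server-side as well
    ];
    return $userId . ':' . $token;
}

// On a request without a session: returns [userId, replacement cookie value] or null.
function checkRememberCookie(array &$store, string $cookie, int $now): ?array
{
    if (!preg_match('/^(\d{1,9}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null; // malformed value
    }
    $userId = (int) $m[1];
    $row = $store[$userId] ?? null;
    if ($row === null || $row['expires'] < $now) {
        unset($store[$userId]); // drop expired rows
        return null;
    }
    if (!hash_equals($row['hash'], hash('sha256', $m[2]))) {
        return null; // constant-time comparison failed
    }
    return [$userId, issueRememberToken($store, $userId, $now)]; // rotate on use
}

// Constructed demo: user 42 logs in, returns an hour later, then old cookies are replayed.
$now    = time();
$cookie = issueRememberToken($store, 42, $now);
[$uid, $next] = checkRememberCookie($store, $cookie, $now + 3600);
var_dump($uid);
var_dump(checkRememberCookie($store, $cookie, $now + 3600));              // replay of the rotated-out token
var_dump(checkRememberCookie($store, $next, $now + REMEMBER_TTL + 3601)); // token presented after its expiry
// In a web request, after a successful check:
//   session_regenerate_id(true); $_SESSION['user_id'] = $uid;
//   setcookie('remember', $next, ['expires' => $now + REMEMBER_TTL, 'path' => '/',
//       'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
```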
For anyone that comes across this same issue: keeping the session cookie set for a long time is easy. On the login form, when you are creating the session for the first time, use this code. It will set the cookie time for a year (use your own time as needed).
ini_set('session.cookie_lifetime', 60 * 60 * 24 * 365); // lifetime of the session cookie in the browser
ini_set('session.gc_maxlifetime', 60 * 60 * 24 * 365); // how long session data survives garbage collection
session_start();
That should set the PHPSESSID cookie and your session will be safe... but is not the most secure way, so use it if you don't mind security issues
By default, PHP keeps a user's session open until their browser is closed. You can override that behaviour by changing the session.cookie_lifetime INI setting:
http://www.php.net/manual/en/session.configuration.php
However, please see rekot's post for a full answer.
You should use cookies: http://php.net/manual/en/function.setcookie.php
Just store there some unique value that will help you identify the user.
Anyway, I strongly recommend you using some kind of framework, like CodeIgniter or Zend Framework, unless you're just learning how it works. It is easy to make critical mistakes in such a code and most frameworks are already well tested and safe to use.

Session destroy on browser close

I have heard many times that a session gets destroyed when our browser closes.
Then how do I stay logged in after closing and reopening my browser?
Please help
You stay logged in because your sessions are not destroyed even when the browser is closed. Destroying sessions when the browser closes is the default behaviour, but this does not mean it's the only behaviour. You can extend the expiry time of the session.
This behaviour can be changed in the php.ini file by altering the line:
Keeping a session alive indefinitely
session.cookie_lifetime = 0
So just check when you have set the expiry time for the sessions. Although using cookies will be a good option
Note:- Remember to restart your web server after making this change.
You have to use Cookies.
You can use the setcookie() function and read the value with the $_COOKIE['cookiename'] variable.
Use cookies, with a predefined expire time, I like 1 year
You can use cookies. Cookies are data that is stored directly on the HDD so that even if the browser was closed, cookies can still be read if they haven't expired yet.
Here is an example of setting up a cookie.
Paste this code BEFORE the tag.
<?php setcookie("$name", "$value", $time); ?>
Where $name is the cookie name, $value is the cookie value and $time is the time when your cookie will expire. For example, $time = time()+86400; will set your cookie to expire after 1 day. The 86400 value is the number of seconds in a day: 60 seconds times 60 minutes times 24 hours, so 60x60x24 = 86400.

how to destroy a cookie by php condition

I want to destroy a cookie based on a PHP condition, but I have not found a way to do that after a lot of research on Google and in the PHP manual. I have read somewhere about setcookie('cookie_name'); but it just erases the cookie, so my question is: how do I destroy a cookie with PHP?
When deleting a cookie you should ensure that the expiration date is in the past, to trigger the removal mechanism in your browser:
setcookie ("cookie_name", "", time() - 3600); // set the expiration date to one hour ago
Manual.
There is no way to erase a cookie in PHP per se. What setcookie("cookie_name"); does is instruct the browser to keep the cookie until now, meaning that it can clean it up (you normally give it a date sometime in the future).
You can not force a cookie to be deleted.
If you need better control over what data is kept in the current session use server-side session storage. Keep only the session_id in the cookie.
Destroying cookies is up to the browser; however, you can remove a cookie (which is the same for your app) by setting the date in the past:
setcookie($cookie_name, "", 1);
Most set the time to 1970.
Ha! #MikeBrant makes a good point. Since PHP can't understand if setcookie was done to remove a cookie, $_COOKIE is still set after issuing this command, so you have to unset it.

PHP - Setting Cookie Expire + Time

A cookie isn't being set on my computer. It works locally but not live. I only want the cookie to exist for 20 minutes. The only reason I can think of that it won't work is because the server is in the states. I am x hours ahead. Thus the cookie set time is already expired. Is this correct?
setcookie($cookiename, $cookie, time() + 1200);
If the server time is 6am and my time is 12pm. Would the cookie be set to expire at 6:20am or 12:20pm?
If it is the former, how do I set the cookie expiry time based on the user's local time? If it is the latter, I will do some more troubleshooting on Monday.
I've had a similar problem in the past. The advice I was always given is to make sure cookies (if set in different time zones) have an expiration of a minimum of 25 hours. This enables anyone anywhere to utilise the cookie. In a lot of cases an invalid cookie = no access = a big deal.
Modern computing has made reservations for this, and synchronised time will make sure cookies are always set in the user's local time. That said, exceptions are still to be found.
20 minutes is a very short time to enable a cookie, consider increasing it. If the cookie is still not set locally, I would assume your browser has blocked incoming cookies from the server.
The time() function will get the server time, but I believe Cookies use GMT time.
Easiest way to get the GM time from PHP is to use:
<?php
$gmtime = gmdate('U');
?>
So you'd set the cookie like this:
setcookie($cookiename, $cookie, gmdate('U') + 1200);
