When does a PHP session end? - php

I can't seem to find a definitive answer on the internet, so I'm asking here.
When one uses session_start(); in a .php script and saves some values, when does the session end? So when would those values not be accessible again?
I've found that refreshing the page or stopping the session code-wise would stop it, and a possible time-out would stop the session as well. But what about navigating away from the site and returning a minute later? And closing the browser?
As for the last one, on mobile, what does 'closing the browser' mean? Closing the tab or even minimising the site?

If your session values are not linked to any cookie, the session will end when the browser window is closed.
If your session variable comes from a cookie, the session will end after the time specified in the cookie file.
In PHP, sessions work with a cookie of type session. Server-side, the session information is constantly deleted.
To set the lifetime of a cookie in PHP, you can use the function session_set_cookie_params, before session_start:
session_set_cookie_params(3600,"/");
session_start();
For example, 3600 seconds is one hour; for 2 hours, 3600*2 = 7200.
But it's a session cookie, so the browser can make it expire by itself. If you want to save longer sessions (like remember login), you need to save the data on the server and a standard cookie on the client side.
Navigating away from a site when using cookies will not break the session.

There are two things that can effectively end a session:
The cookie linking it to the browser gets destroyed. PHP typically uses session cookies. These are deleted when the browser is closed. The browser, not the tab. They can also be deleted manually.
When the server hasn't received a request from the browser with the session cookie for the session for a certain amount of time (defined in session.gc_maxlifetime) and it cleans up the session data.
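An added example (not from the answers above) that enforces the timeout on the server rather than relying on cookie deletion or the garbage collector. The constants, the 'created'/'last_seen' keys and both function names are assumptions of this sketch; it assumes PHP 7.3+ and an HTTPS site.

```php
<?php
// Added example, not from the answers above. IDLE_LIMIT, ABSOLUTE_LIMIT and the
// 'created'/'last_seen' session keys are assumptions of this sketch.
const IDLE_LIMIT = 1800;       // seconds allowed between two requests
const ABSOLUTE_LIMIT = 28800;  // hard cap on total session age

/** True if the session is still valid at $now; slides the idle window if so. */
function session_is_live(array &$session, int $now): bool
{
    if (!isset($session['created'], $session['last_seen'])) {
        $session['created'] = $session['last_seen'] = $now;  // brand-new session
        return true;
    }
    if ($now - $session['last_seen'] > IDLE_LIMIT
        || $now - $session['created'] > ABSOLUTE_LIMIT) {
        return false;
    }
    $session['last_seen'] = $now;
    return true;
}

/** Call instead of a bare session_start() on every page (PHP 7.3+, HTTPS assumed). */
function start_checked_session(): void
{
    // Keep the data at least as long as the idle limit, so GC is not the timeout.
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie: dropped when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
    if (!session_is_live($_SESSION, time())) {
        $_SESSION = [];                        // expired: discard the old data
        session_regenerate_id(true);           // new id, old session file deleted
        session_is_live($_SESSION, time());    // stamp the fresh session
    }
}

if (PHP_SAPI === 'cli') {      // constructed timestamps, no browser needed
    $s = [];
    session_is_live($s, 1000);                         // first request
    var_dump(session_is_live($s, 1000 + 1500));        // 25 minutes later
    var_dump(session_is_live($s, 2500 + 1860));        // 31 idle minutes after that
}
```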

Related

In PHP how can I "refresh" a session when a user visits a page, so their session doesn't timeout? [duplicate]

I'm using Zend with a session expiration set to 1,800 seconds. I was wondering if this session expiration time refreshes back to 1,800 seconds every time I make a request from the browser to the server on behalf of the user and also when the user loads a new page, or does it just refresh when the user loads a new page?
When a user loads a new page, that is the browser making a request to the server on behalf of the user. So the two scenarios you painted above are the same thing.
When a session is started, the session ID is sent to the browser which usually stores it in a cookie. The browser then uses the cookie to pass the session ID to the server with each request to identify the user. The server keeps track of when the session expires and this area can get a little tricky (read How do I expire a PHP session after 30 minutes?)
But as long as you are using the same browser to make the requests, then the session expiration will refresh in the two scenarios you've given.
The cookie that holds the session id (and all other cookies originating from the target server) travels alongside every request you make to the server, be it a page refresh or an ajax call.
So yes, the session refreshes upon any interaction with the server.
Basically it depends upon many things. Largely upon the browser and the version of the browser. You can read this post : How do I expire a PHP session after 30 minutes?
When you call session_start(), if it is the first call, the server saves session information in a file in the /tmp folder and sends your browser a cookie with this file identifier; otherwise the server gets the cookie identifier and loads the file information. The duration of this cookie by default in the PHP configuration is 30 minutes.
You can increase the time of this cookie in php.ini, or by manually setting the directive with the ini_set function, or in the .htaccess file. You only set the directive session.cookie_lifetime. The values are number of seconds or if set to the cookie are valid until you close the browser
Another possible solution is to make a token system for users; for example, you manually send a cookie to the browser that expires after 2 months with a token (a large random key, saved in a database table with a user id field). When the session isn't available, you check if the cookie exists and you can recreate the session login by finding the user manually with the cookie token.
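The token system described in the last answer, as an added example that is not part of the original post. The in-memory array stands in for the database table, and the function names, the 60-day lifetime and the single-use rotation are assumptions of this sketch.

```php
<?php
// Added example, not from the answer. $table is an in-memory stand-in for the
// database table; names and the 60-day lifetime are assumptions.
const REMEMBER_TTL = 60 * 86400;   // about two months

/** Issue a token for $userId; only its SHA-256 hash is kept server-side. */
function issue_token(array &$table, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));              // 256 bits from the CSPRNG
    $table[hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => $now + REMEMBER_TTL,
    ];
    return $token;                                   // this value goes in the cookie
}

/** Redeem a cookie value: [userId, replacementToken] on success, null otherwise. */
function redeem_token(array &$table, string $cookieValue, int $now): ?array
{
    $key = hash('sha256', $cookieValue);
    $row = $table[$key] ?? null;
    unset($table[$key]);                             // single use: drop it either way
    if ($row === null || $row['expires'] < $now) {
        return null;                                 // unknown, replayed or expired
    }
    return [$row['user_id'], issue_token($table, $row['user_id'], $now)];
}

if (PHP_SAPI === 'cli') {                            // constructed demo values
    $table = [];
    $now = 1700000000;
    $cookie = issue_token($table, 42, $now);
    [$uid, $next] = redeem_token($table, $cookie, $now + 3600);
    var_dump($uid);                                              // recovered user id
    var_dump(redeem_token($table, $cookie, $now + 3601));        // replay of the old token
    var_dump(redeem_token($table, $next, $now + 3600 + REMEMBER_TTL + 1)); // past expiry
}
```

In a web request, a successful redeem would be followed by session_regenerate_id(true), storing the user id in $_SESSION, and sending the replacement token in a Secure, HttpOnly cookie.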

What is the Working Flow of Session and Cookies together

I have many doubts on cookies and sessions
1) Can anyone explain to me the workflow of cookies and sessions together (for example, if I visit any site and then log in with my email and password, how do cookies and sessions work together)?
2) If the cookie is set for 5 minutes and the session is set for 10 minutes, what will happen?
3) How will the flow work if cookies are disabled on my computer?
There are many questions which cover your doubts already, I'll link some below. I'll answer your specific questions first:
1) When you visit a website for the first time, actually when you do a session_start() on the PHP side, a new session ID is generated (a random string) and sent to the browser as cookie, usually with the name PHPSESSID, so next time you visit the site the same data is loaded back from the session file (which is stored somewhere on the server)
2) If cookie expires before the session the browser won't send the PHPSESSID value, thus a new session ID is generated. It is usually advisable to use an expire time for cookies way longer. When you expire a cookie, you rely on the client's browser to honor your disposition, but to be safe you must expire the session server side.
3) Sessions won't work, every time the client requests a page a new session cookie will be generated
Some more information:
cookies vs session
Cache VS Session VS cookies?
What is the difference between a Session and a Cookie?

What keeps a php session alive?

Are sessions only kept alive each time you access a page with session_start(); or do other pages keep it alive too?
Example (with 30 minute timeout):
1
user accesses page with session_start();
25 mins later they access another session_start(); page
session stays alive
2
user accesses page with session_start();
25 mins later they access a non-session_start(); page
session stays alive
Is 2 also true ?
There is always a session cookie set in your browser whenever you access a page which has session_start(). The cookie name will be PHPSESSID if the website is using PHP (although the name can be changed). This session cookie contains a session id which helps the browser to maintain that session with the server.
You can check manually by browsing any website which has your session and then delete your browser cookies, your session will be lost.
In your case both 1 & 2 are correct.
2 is correct because the user has already accessed a page which has session_start() and your session id will be set for the next 30 mins and it will be present even if you access a page which does not have a session.
NOTE: But if the page which you will be visiting contains session_destroy(), your session will be destroyed.
Calling session_start() merely gives your code access to the session.
What keeps the session alive is your browser sending the session id (stored in a cookie) to the server, whether you use it or not.
Answer: They are both true.
Here's the relevant part from the documentation
When a visitor accesses your site, PHP will check automatically (if session.auto_start is set to 1) or on your request (explicitly through session_start()) whether a specific session id has been sent with the request. If this is the case, the prior saved environment is recreated.
http://www.php.net/manual/en/intro.session.php
session_start() creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie.
http://www.php.net/manual/en/function.session-start.php
This means if you don't call session_start, the session will not be resumed and the expiration is not extended.
session_start() is the internal mechanism for PHP to access the session and also to send the session cookie to the client browser.
Case 1 is true: because user accessed a page with session_start() and then another similar page.
Case 2 is only true if the session timeout is greater than 25 minutes between two visits.
In Case 2, the server will not send any session cookie; it's the browser that includes the cookie in the request header.
In the instant case the PHP session life of 30 minutes is kind of a "trick question" factor. The default and almost universal session life is 1440 seconds, or 24 minutes. So for most folks, the session data could have disappeared before the 25 minute mark.
This article tells some of the detail behind how PHP sessions work.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11909-PHP-Sessions-Simpler-Than-You-May-Think.html
It doesn't have anything to do with the web pages; sessions interact with your browser by session id.
The session IDs generated by PHP are unique, random, and almost impossible to guess, making it very hard for an attacker to access or change the session data. Furthermore, because the session data is stored on the server, it doesn't have to be sent with each browser request.
To start a PHP session in your script, you simply call the session_start() function. If this is a new session, this function generates a unique SID for the session and sends it to the browser as a cookie called PHPSESSID (by default).
However, if the browser has sent a PHPSESSID cookie to the server because a session already exists, session_start() uses this existing session:
session_start();
If you want sessions on all of your pages, session_start() should be called on all of your pages.
Hence, 1 is CORRECT and 2 is CORRECT

When does a web session start and end?

This is more of a conceptual question. But I was wondering when a web session starts and ends when using PHP. I'm pretty sure the session starts when the user first requests any page that has the session_start() function. But does the session end when the user navigates to another page in the same tab? Is the same session preserved across multiple tabs and windows of the same browser? To preserve a session after the browser closes, do you have to use cookies?
Sessions start with the first session_start()
Sessions end after session.gc_maxlifetime and/or session.cookie_lifetime and/or some more things to do with PHP's session garbage collector.
Cookies are required to use sessions since PHP sets a cookie containing the user's SESSID, and the browser automatically sends it back with each request.
You can delete this cookie, which revokes your access to the session, but your session data still technically exists until the timeouts expire and the garbage collector runs.
Reference

How to destroy or unset or similar the PHP session in Chrome when browser closes if Chrome doesn't do it automatically?

I'm using a PHP session for a website to display a disclaimer page when the user first logs on to the site. After the user's browsing session, or when they close their browser, the session should be destroyed automatically. It is working properly in all browsers except for Chrome. After some research, I found this which led to this. If it is indeed a bug with Chrome, how can I work around it?
Session cookies are supposed to be deleted if the browser is closed and they are sent without an expire time.
You can define session_cache_expire before starting the session for the first time:
session_cache_expire(60); // expires after 60 mins
And then do session_start();...
Instead of relying on the browser to cancel the cookie, set it to expire fairly quickly, and keep the session "alive" by renewing the cookie on subsequent page requests.
<?php
// The session cookie lifetime is set with session_set_cookie_params(), in seconds
session_set_cookie_params( 60*15 );
session_start();
This example sets the cookie to expire after 15 minutes (you might set a different expiry, depending on how often you expect your users to send page requests: or, you could set it for only a minute or two, and get a fresh cookie via XHR just a little more frequently than that). This won't make Chrome delete the cookie, but you at least know it won't be floating around indefinitely.
