I'm a bit confused with this,
Say the session has been started with default php.ini settings where gc_maxlifetime is 1440 seconds. And I'm supposed to use remember me functionality with this, for which I set the cookie lifetime to 14 days. As long as the session max lifetime is set to 24 minutes, which is obviously less than the cookie lifetime (14 days), after 10 days (for example) the session is likely (of course depending on GC probability) to have expired, and there would be no reference to the session ID the remember me cookie has.
So how would setting a remember me cookie lifetime longer than the session lifetime remember/resume the session? Or do I need to change the session max lifetime according to the cookie lifetime?
Generally a "remember me" cookie is a persistent cookie, not a session cookie. It contains some encrypted information which allows an automatic login action to occur. i.e. When there is no active session already, but the "remember me" cookie is present, then a new session will be started.
The session GC function will delete session data (which is by default kept in plain text files), while the cookie settings will delete the cookie that keeps the session id.
In order for a session to be active, its data file, and a cookie with its ID must exist (AFAIK).
On accessing session data on the server side, its modified_time gets set, therefore extending its expiration time into the future.
However, this does not happen for PHPSESSID cookie. While session data expiration on the server side is extended, the cookie expiration is not. If the cookie expires, the user will lose his session - he will have no session ID to give when sending a request.
Is there any way to tell Symfony\Component\HttpFoundation\Session\Session to extend the cookie expiration date?
Can this be done for the same session ID? Or will we have to regenerate it (seems inefficient to do for many users X many requests)?
Should I set it myself manually (disregarding the OOP principles)?
I've found $request->getSession()->getMetadataBag() and tried setting stampNew(), but this does not seem to interact with the PHPSESSID cookie.
You can change it in the config.yml file under the session key, for example:
    # session configuration
    session:
        cookie_lifetime: 3600
From the doc:
cookie_lifetime
type: integer default: null
This determines the lifetime of the session - in seconds. The default
value - null - means that the session.cookie_lifetime value from
php.ini will be used. Setting this value to 0 means the cookie is
valid for the length of the browser session.
More info in the doc here
I have many doubts about cookies and sessions:
1) Can anyone explain to me the workflow of cookies and sessions together (for example, if I visit a site and then log in with my email and password, how do cookies and the session work together)?
2) If the cookie is set for 5 minutes and the session is set for 10 minutes, what will happen?
3) How will the flow work if cookies are disabled on my computer?
There are many questions which cover your doubts already, I'll link some below. I'll answer your specific questions first:
1) When you visit a website for the first time, actually when you do a session_start() on the PHP side, a new session ID is generated (a random string) and sent to the browser as cookie, usually with the name PHPSESSID, so next time you visit the site the same data is loaded back from the session file (which is stored somewhere on the server)
2) If cookie expires before the session the browser won't send the PHPSESSID value, thus a new session ID is generated. It is usually advisable to use an expire time for cookies way longer. When you expire a cookie, you rely on the client's browser to honor your disposition, but to be safe you must expire the session server side.
3) Sessions won't work, every time the client requests a page a new session cookie will be generated
Some more information:
cookies vs session
Cache VS Session VS cookies?
What is the difference between a Session and a Cookie?
I understand the normal application of a persistent cookie vs a session cookie. But if you can specify the expiration time of a session cookie to behave like a persistent cookie and vice-versa. Is there any benefit to using session cookies besides them being obfuscated from the user and the session is stored on the server?
session_set_cookie_params() function allows you to set a specific expiration time for a session. You can set the time in a persistent cookie in the setcookie() function.
I already pulled up the threads Cookie VS Session and Session cookies and persistent cookies, and didn't find my answer.
But if you can specify the expiration time of a session cookie to
behave like a persistent cookie and vice-versa.
Not true, the difference between a session cookie and a persistent cookie is whether or not an expires value is given. A session cookie can't have an expiration time by definition.
Is there any benefit to using session cookies besides them being
obfuscated from the user and the session is stored on the server?
A session ID for something like PHP sessions can be stored in either a session cookie or a persistent cookie, and session cookies can contain other information besides session IDs. They both use the word "session" but are separate things.
A session cookie is the right choice if you want the cookie to disappear when the user closes their browser. A good example is online banking - the cookie that authenticates you should be destroyed when you close the browser so someone can't sneak onto your computer, reopen the browser, and start making transfers. Ever had your Facebook status or something like that changed as a prank?
When my users login, I want to set the amount of time before the session expires.
I've accomplished this by setting the lifetime in session_set_cookie_params.
When I look at the cookie's expiration date it says:
Saturday, December 8, 3296 at 11:45:08 AM
But when I come back after an hour the cookie is there but my site won't recognize it. Why won't my site recognize or use the cookie?
Cookie contains only session identifier. The data itself is stored on server side. PHP periodically deletes expired sessions. When you're returning after one hour, session data is already lost and session ID from your cookie can't match to anything.
Check out session.gc_maxlifetime (http://php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime) for more info.
I have a web application that pings a database every minute or so to check for new entries. The page is designed to not really have any interaction with... You just keep it open and it displays things. The page is password protected, and the site can be up for a couple of days without anyone clicking in the web browser or anything. I've found after it's up for like a day or so it stops checking the database (through an Ajax request) and then if you refresh the page manually it brings you to the login page again. I'm assuming that's because the session which has the login information expires. I never set an expiration time, but does PHP automatically destroy the sessions after a certain amount of time? What do I do to fix this?
Thanks
Thanks for all the replies... Is there a way to set the session to never expire without just changing the PHP settings themselves?
The default value of session.gc_maxlifetime is 1440 seconds. So the garbage collector assumes a session to be expired when the last modification was at least 1440 seconds ago.
Note that when using a cookie for the session ID it might have a different lifetime. The default value 0 of session.cookie_lifetime makes the cookie a session cookie, that means it expires when the browser session is ended (i.e. the browser is closed).
See also my answer on How do I expire a PHP session after 30 minutes? for further information on session expiration.
From php.ini:
; Lifetime in seconds of cookie or, if 0, until browser is restarted.
; http://php.net/session.cookie-lifetime
session.cookie_lifetime = 0
That would be the default if I'm not mistaken. Either set it to zero (if it's not already set) or just use another cookie.
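The answers above describe two independent clocks, session.gc_maxlifetime for the data file and session.cookie_lifetime for the ID cookie. The following added example (not code from any of the posts) keeps them aligned, enforces the idle timeout on the server and renews the cookie on each request; the one-hour value, the function name and the HTTPS-only cookie flags are assumptions.

```php
<?php
// Added example: one idle timeout enforced on the server and mirrored in the cookie.
const IDLE_TIMEOUT = 3600; // assumption: one hour of inactivity

function startSessionWithIdleTimeout(): void
{
    $cookie = ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];
    // GC must not consider the data file stale before the idle timeout is reached.
    // Applications sharing one session.save_path also share the shortest gc_maxlifetime.
    ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);
    session_set_cookie_params(['lifetime' => IDLE_TIMEOUT] + $cookie);
    $hadCookie = isset($_COOKIE[session_name()]);
    session_start();

    $now  = time();
    $last = $_SESSION['last_activity'] ?? $now;
    if ($now - $last > IDLE_TIMEOUT) {
        // GC runs probabilistically, so stale data can still be on disk: expire it here.
        $_SESSION = [];
        session_regenerate_id(true); // new ID, old data file deleted, new cookie sent
    } elseif ($hadCookie) {
        // PHP sends Set-Cookie only when it issues an ID, so resend it to slide the expiry.
        setcookie(session_name(), session_id(), ['expires' => $now + IDLE_TIMEOUT] + $cookie);
    }
    $_SESSION['last_activity'] = $now;
}

startSessionWithIdleTimeout();
```

The session ID stays the same while the cookie expiry slides, so no regeneration is needed on ordinary requests; the ID changes only when the idle timeout has been exceeded.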