Destroy session in cakephp when you leave the page? - php

How and where can I use
$this->Session->destroy()
for the session to be destroyed whenever the page is closed?
And how can I keep the session open until the page is closed, independent of time?
I need this because when the user enters the page, some specific variables are unset in the session, and when he leaves, I need this session to be destroyed.
I'm not able to do this using CakePHP.

Sessions are stored on the server, so if the browser is closed or the user goes to a different page, there is no obligation that it informs the server about this action.
Sessions are stored for a certain time on the server, and after some time of inactivity, or if you properly log out, they will be destroyed there automatically.
Check the Sessions section in the CakePHP cookbook for more info regarding sessions.

You can try to use $(window).unload(function(){alert('Closing browser')});
and do an AJAX call to the server to destroy the session, but this may not work on some browsers, and the function is already deprecated as of jQuery 1.8. For more info:
http://api.jquery.com/unload/

If you have used the CakePHP 3.0 Auth component then there is no need to do anything; all session and cookie management is carried out by the core session components.
$this->Session->destroy()
It will destroy all cookie and session data, but if you want to destroy a particular session then you can do it with this code:
$this->Session->delete($val); // removes only the key named in $val; destroy() takes no argument
Here, $val represents the particular session to destroy.

Related

destroy WordPress PHP session based on PHPSESSID value

I have really limited WordPress knowledge but need to perform the following task: I have to destroy a WordPress PHP session based on a PHPSESSID value.
I need to handle a direct call from another server (a CAS server Single Logout (SLO) request) that will POST a PHPSESSID value to some WP URL of mine. Based on this PHPSESSID value I need to destroy the corresponding user session. The browser is not involved here.
Please show me an example of how this can be achieved.
Vanilla WordPress does not use PHP sessions. Other than authentication cookies, there is no other persistent data it needs.
In order to destroy an arbitrary session by its ID you can:
$your_arbitrary_session_id = 'blah-123456789';
session_id($your_arbitrary_session_id);
session_start();
session_destroy();
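A server-to-server logout handler for the case described in the question, as an added example (not the answer's code): it checks the posted id before handing it to session_id(), starts the session without sending a cookie, and reports whether the target session existed. The PHPSESSID parameter name and the 200/404 responses are assumptions.

```php
<?php
// Added example, not from the answer above: a server-to-server logout endpoint
// that destroys one PHP session whose id another system (the CAS SLO request in
// the question) POSTs to us. The parameter name PHPSESSID is an assumption.
function destroy_session_by_id(string $sid): bool
{
    // Never pass untrusted input to session_id() unchecked: accept only the
    // characters and lengths PHP itself generates for session ids.
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid)) {
        return false;
    }
    if (session_status() !== PHP_SESSION_NONE) {
        session_write_close();            // do not clobber a session this request owns
    }
    session_id($sid);
    // No Set-Cookie for this request (no browser is involved). With strict mode,
    // an id the store does not know is replaced by a fresh one, detected below.
    session_start(['use_cookies' => 0, 'use_strict_mode' => 1]);
    $found = (session_id() === $sid);
    $_SESSION = [];
    session_destroy();                    // removes the server-side file or row
    return $found;
}

// Endpoint body (constructed): 200 if the session existed and was removed, else 404.
$sid = $_POST['PHPSESSID'] ?? '';
http_response_code(destroy_session_by_id($sid) ? 200 : 404);
```

Authenticate the calling server (for CAS, verify the request really comes from the CAS host) before this endpoint is reachable, since anyone who can POST to it can log other users out.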

Why PHP session destroys when clear browser's cookie

I have a little confusion about PHP session and session cookies.
Let me ask my question by giving an example of www.example.com.
When I login to www.example.com, it starts a session. So I'm logged in as a user on this website.
Now when I clear cookies in my browser, it deletes all the browser cookies.
My question is: is the session at www.example.com destroyed when I clear the browser cookies, even when I haven't clicked the logout button to destroy the session?
So that explains what I want to ask.
Does clearing browser cookies automatically destroy the PHP session even when you haven't done anything on the website that would call the function to destroy the session?
Why PHP session destroys when clear browser's cookie
After clearing cookies PHP does not destroy the session; it just cannot receive the session id any more (which is stored in a cookie), so the link between the session data and the current user connection is lost. PHP destroys the session later, depending on its config.
Does clearing browser cookies automatically destroy the PHP session even when you haven't done anything on a website that will call the function to destroy the session??
No, it does not. PHP has limits on session lifetime (see php.ini, session.gc_maxlifetime and session.cookie_lifetime), which basically define the session lifetime. In addition to the official manual, there's also a good explanation of how these settings influence session lifetime.
If you watch carefully, e.g. through the web inspector in Chrome/Firefox etc., you can see that the PHPSESSID is set as a cookie. So if you delete all cookies then I imagine you delete this cookie as well, and therefore the session doesn't know what ID to use.
It's the mechanism of sessions. You can read more here.
About sessions (usually server sessions): the server saves all the session user data on the server and retrieves it by the session ID sent from the client (via cookies).
The first time, the client sends a request to the server. The server does not find any session ID in this request and responds with a normal web page that includes SET-COOKIE: SessionID=xyz.
From then on, every request from the client will include Session ID = xyz (via cookies).
If you clear cookies, certainly the session ID is gone.

php how to find from which place SESSION change?

I have 4 SESSION variables for keeping a user active:
$_SESSION['login']
$_SESSION['m_ID']
$_SESSION['l_cd']
$_SESSION['loginAs']
When I visit another profile from my profile I automatically get logged out, because $_SESSION['m_ID'] changes to the id of the profile I visit. I only change $_SESSION['m_ID'] when logging in. There are three types of login:
normal user
admin
cookie (if you tick remember me, after you close the browser and reopen it, the session is automatically set from cookies)
I searched the entire site for $_SESSION['m_ID'] = and '$_SESSION["m_ID"]=' but I only found these three. On my local site it works fine. Is there any way to find where the session is changed?
PHP stores in your browser a cookie with a reference to the physically serialized file of the session data.
When you call session_destroy() or similar, this cookie expires. After logout, when you call session_start() a new cookie is created with a reference to another file.
You need to unset all variables because you don't refresh the session; the cookie is the same all the time. I recommend you use session_destroy() to log out.

php PHPSESSID exists but session destroyed

I am trying to keep a user logged in for 2 weeks: if the user logs in with "remember me" checked then I set some variables in the session and set a cookie for 2 weeks. It is set correctly; I have printed it and got the values session_cookie_lifetime = 1209600 and session_gc_maxlifetime = 1209600. I also printed the session and got the correct values in $_SESSION.
After logging in to my site, when I shut down my computer and reopen my site it seems to work (it keeps me logged in). But when I shut down my computer and open my browser the next day, it is not working and shows that I am not logged in to my site. I have printed $_COOKIE and $_SESSION. It shows that in the cookie there is:
[PHPSESSID] => svikos35bgclmebk2cqraiddt2
But the session is empty.
I got this from the MODx stuff:
MODx automatically starts and ends sessions with each request made to the site. You can simply save values into the $_SESSION array and they will be saved in between requests so you can use them on subsequent pages (so long as you have the same user session). Not really any magic to it other than don’t call the session functions yourself to start, end, or otherwise manipulate the session configuration—that can all be done via settings in MODx.
I am using MODx Revo. It is a bit of a descriptive question; let me know if you need something else.
Anything that may help me (blog link,any settings, any suggestion ) will be highly appreciated.
Thanks in advance
This only happens after a day?
Could tmpwatch be deleting session files from the server?
session_cookie_lifetime and session_gc_maxlifetime don't guarantee that the session will be saved for a week. GC kills unused sessions. Check the PHP documentation about these parameters and you will see that you can't be sure your session will be on the server, and you can't be sure your session will be destroyed after this time. GC is asynchronous.
You need to recreate $_SESSION after login (and autologin) if it doesn't exist.
Check this article (in Russian, try Google Translate):
PHP GC: unexpected behavior
The basic idea behind sessions is that when you create or call session_start(), your server generates a session id and stores it in server memory. The server also creates a cookie on your client machine; that cookie contains an id that is related to your server-side session id. When you call session_destroy(), the server deletes that id on the server side, but the client-side cookie is not deleted. That is why your session id is still shown. You can also check by clearing cache and cookies. When you clear the cookie your session will be destroyed.
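The "recreate $_SESSION after autologin" approach from the answer above, as an added example that is not code from the thread or from MODx: the remember-me cookie is validated against a server-side token table and the session is rebuilt whenever it no longer holds a user, so a garbage-collected session file only costs one extra lookup. Table, column and cookie names are assumptions.

```php
<?php
// Added example, not code from the thread or MODx: autologin that does not depend
// on the PHP session file surviving GC or tmpwatch. The remember-me cookie carries
// a random selector plus validator; only a hash of the validator is stored in the
// database, and $_SESSION is rebuilt whenever it no longer holds a user.
// Table, column and cookie names are assumptions made for this example.
const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 14 * 24 * 3600;          // the two weeks from the question

function issue_remember_cookie(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
                  VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);
    setcookie(REMEMBER_COOKIE, "$selector:$validator", [
        'expires' => time() + REMEMBER_TTL, 'path' => '/', 'httponly' => true,
        'samesite' => 'Lax', 'secure' => !empty($_SERVER['HTTPS']),
    ]);
}

// Call after session_start(). Returns the logged-in user id, or null.
function autologin(PDO $db): ?int
{
    if (isset($_SESSION['user_id'])) {
        return $_SESSION['user_id'];                 // session still alive: nothing to do
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE] ?? '', 2);
    if (count($parts) !== 2) {
        return null;                                 // no cookie or malformed cookie
    }
    [$selector, $validator] = $parts;
    $st = $db->prepare('SELECT user_id, validator_hash FROM remember_tokens
                        WHERE selector = ? AND expires > ?');
    $st->execute([$selector, time()]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // Look up by selector, then compare the validator hash in constant time, so the
    // query itself cannot leak validator bytes through timing.
    if (!$row || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    session_regenerate_id(true);                     // fresh id for the rebuilt session
    $_SESSION['user_id'] = (int) $row['user_id'];
    return $_SESSION['user_id'];
}
```

On logout, delete the token row for the presented selector as well as destroying the session, otherwise the cookie keeps working for its full two weeks.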

Cookie replay after logout php CodeIgniter

I have an application where the login and logout works correctly. Once the user logs out, and tries to access a page he needs authentication for, he is redirected to the login screen.
Where my problem lies is this: if, while I am logged in, I copy the cookie values and save them in a file, then after logout I alter the cookie and add the same values, I get logged back into the application as the same user.
On logout I have written a function that loops over all the cookies and deletes them.
My understanding is that cookies are both on the client and also on the server side. So if the cookies are getting deleted, they are getting deleted on both sides and the server would not recognize them after they have been cleared, even if the browser sends them back again (apparently that is not the case, I think).
The reason why I am doing this is because this is one of the points raised by our security auditor, and I need to find a way to fix this hole. (At this point doing HTTPS is not feasible.)
I'd be happy if someone can give me pointers on how I can clear out the cookies on the server side as well, so that the next time someone hits the server with the same cookie, it does not accept it as a valid cookie.
Edit:
I am using CodeIgniter sessions and tank_auth as the authentication library. At logout, the library itself calls
$this->ci->session->sess_destroy();
To be extra sure, I tried the following after a few attempts:
session_start();
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(),'',0,'/');
session_regenerate_id(true);
My regular logout works, and if I try to access the page directly it does not open.
But if, while I am logged in, I take my cookie, save it somewhere, log out successfully and replace the cookie with my older one, I get right back into the session.
Is there a way to stop this behavior, where the server side will not entertain a session after it has been destroyed? I also made sure that my server and PHP are in the same timezone (setting it with date_default_timezone_set).
Cookies are not stored on the server at all. They are stored in the browser and then sent to the server in the request headers. You can easily find software and browser plugins that allow you to create/edit/delete cookies. For that reason you should never store sensitive information in cookies. Essentially what you want to do is store the user data in a session and then store the session name in a cookie. Usually this is done automatically in PHP when you use the function session_start().
If you are using CodeIgniter, the PHP session functions are wrapped in a CI session library that is autoloaded on each page load. So instead of storing data in $_COOKIE you will want to get/set your data via the userdata method in the session library:
// in your controller
// save session data
$userdata = array(
    "isLoggedIn" => true,
    "username"   => $_POST['username']
);
$this->session->set_userdata($userdata);
// get session data later
$isLoggedIn = $this->session->userdata("isLoggedIn");
if (!$isLoggedIn) {
    // if the user is not logged in, destroy the session and send to the login screen
    $this->session->sess_destroy();
    redirect("/");
}
Note that the code above is not tested and is only meant to give you an idea of where to go. If the session methods aren't working for you, you may need to load the library manually:
//in the __construct method of your controller:
$this->load->library("session");
You can find more information here:
http://ellislab.com/codeigniter/user-guide/libraries/sessions.html
and here:
http://www.php.net/manual/en/book.session.php
Thanks for your answers guys.
This is what I figured out later. I am not sure what was causing this, but the sessions were not getting invalidated after trying everything. I moved the CodeIgniter sessions to the database. Then the logouts started working correctly: after logout, if the 'stolen'/'saved' cookie was put in the browser again it would not log the user back in.
So, that's what solved it.
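The database-backed store that resolves the replay described in this thread, as an added example (not CodeIgniter's or tank_auth's code): a SessionHandlerInterface implementation over PDO/SQLite, followed by the copy/logout/replay sequence from the question. A cookie-only session store has no server-side record to revoke, which is why deleting cookies at logout changed nothing; here destroy() removes the row and session.use_strict_mode refuses the stale id. PHP 8 and the pdo_sqlite extension are assumed.

```php
<?php
// Added example, not code from the thread: a database-backed session store, the
// change that fixed the replay above. destroy() deletes the server-side row, so a
// cookie copied before logout resolves to nothing afterwards (strict mode renews it).
class DbSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $db, private int $ttl = 1440)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS sessions
                   (id TEXT PRIMARY KEY, data TEXT NOT NULL, last_seen INTEGER NOT NULL)');
    }
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND last_seen > ?');
        $st->execute([$id, time() - $this->ttl]);
        return $st->fetchColumn() ?: '';          // unknown or expired id: empty session
    }
    public function write(string $id, string $data): bool
    {
        return $this->db->prepare('REPLACE INTO sessions (id, data, last_seen) VALUES (?, ?, ?)')
                        ->execute([$id, $data, time()]);
    }
    public function destroy(string $id): bool     // server-side revocation, the step a cookie-only store lacks
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE last_seen <= ?');
        return $st->execute([time() - $max_lifetime]) ? $st->rowCount() : false;
    }
    public function validateId(string $id): bool  // consulted by session.use_strict_mode
    {
        $st = $this->db->prepare('SELECT 1 FROM sessions WHERE id = ?');
        return $st->execute([$id]) && $st->fetchColumn() !== false;
    }
    public function updateTimestamp(string $id, string $data): bool { return $this->write($id, $data); }
}

ini_set('session.use_strict_mode', '1');      // ids not present in the table are replaced
session_set_save_handler(new DbSessionHandler(new PDO('sqlite::memory:')), true);
session_start(); $_SESSION['user'] = 'alice';
$copied = session_id(); session_write_close(); // value copied from the cookie while logged in
session_id($copied); session_start();          // logout: delete the server-side record
$_SESSION = []; session_destroy();
session_id($copied); session_start();          // replay of the copied value after logout
var_dump(session_id() === $copied, isset($_SESSION['user']));   // bool(false) bool(false)
```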
