This may seem trivial.
What will happen to a session that was never destroyed/unset/write_close-d?
Lets just say I have set the session to never time out. What will happen to the session if person finds himself at the login page and logs in using different credentials. Also just for the testing purpose, the login page doesn't have redirect if session is set.
Will it overwritten and destroyed or never destroyed?
If your login sets all of the session variables, the session will be effectively destroyed by the new values.
If there is a variable that's in the session that isn't overwritten by the login, then it will persist. The session is overwritten rather than destroyed and set again.
if he logs in using different credentials with an already started session, the session will be simply overriden...
in the case, that the user deletes his cookies etc., a new session will be generated and the old one MAYBE will retain as session-file or in DB...
(depends on the php-settings)
Sessions will be destroyed implicitly after timeout. The number of seconds for timeout can be specified in php.ini . Default is 1440 seconds or 24 minutes.
You have to set some arbitrarily large value for session.gc-maxlifetime to seemingly never time out.
If you let someone else to go through the login process, it must overwrite the existing session. But all this ultimately depends on your code.
Related
I have a social website. People use login with username and password. I am creating a session when they log in but some time later session time ends and they have to log back in again. I used the code below to make this time longer but still sometime later session time runs out. I checked SESSID with cromes cookie viewer and saw session still has time but in the browser it does not see that time. I hope i explained my problem well. Here is the code to create the session on login:
$lifetime=3600*24*7;
session_start();
setcookie(session_name(),session_id(),time()+$lifetime);
You need to take a look at: session.gc_maxlifetime in your configuration. This needs to have a high enough value, to keep the session alive. Also if you are using Memcache or some other caching for your sessions, the TTL there needs to be set, too.
I've seen various questions like mine, though none provide the correct answer.
I've a PHP script:
session_start();
setcookie(session_name('DSWLogin'),session_id(),time()+2*7*24*60*60, '/');
//This will only be set once (when the user logs in)
$_SESSION['test'] = 'Yup, I am working';
if (isset($_SESSION['test'])){
echo 'Session is set and ready!';
} else {
echo 'No session was set...';
}
and that all works fine except after a browser restart, my PHP script ignores the session.
When my browser hasn't restarted yet, it'll echo 'Session is set and ready!'; just fine.
And when I look into my cookie tab, it indeed says a cookie, named DSWLogin has been set with a certain value.
When I restart my browser, my cookie tab still says that a cookie, named DSWLogin has been set with the same value it had before the restart, so it is still there!
But my PHP script apparently ignores is, and outputs 'No session was set...'...
Thanks in advance,
Isaiah v. Hunen
What you are trying to do is not really the correct way to achieve this. Sessions have two parts, a cookie with a session id set by default to expire at the end of the session (usually browser close) and a server side storage mechanism that is cleaned up automatically after a certain period of time after the last request was received.
What you are trying to do is extend the session to two weeks. While you could change the cookie settings and increase the timeout to session garbage collection doing this is not very reliable.
Instead you want to look at using a one time key stored in a cookie which acts as an alternate login path. This cookie can recreate the session just like a normal login would. There are some details that need to be considered for this to remain secure, but it will do what you are attempting to achieve.
Just because you are setting your session_id in some cookie doesn't mean it is THE session cookie. Most browsers will purge session cookies on browser close. This is what you are seeing. Look at the cookies in your browser that are set when your session is valid and compare this to the cookies that are still remaining after browser restart. You will notice your true session cookie has gone missing.
Quoting the manual:
The session name is reset to the default value stored in session.name
at request startup time. Thus, you need to call session_name() for
every request (and before session_start() or session_register() are
called).
Also if you want to change lifetime of session cookie, use session_set_cookie_params instead of forcing your own cookie.
Also read about session garbage collection and configuration, changing cookie lifetime might not be enough.
...or do you only need to start a new session?
I've been given the task of fixing a bug that causes sessions to expire even though the session.gc_maxlifetime is set to 8 hours (It does get set, i've checked).
After going through the code, i noticed that session_start() is called on every load, as predicted, but the login-data sessions are only set when the user logs in.
Do i need to set the user data sessions on every page load for the session-lifetime to reset?
I need the session to be alive for 8 hours, even if the page doesn't reload.
You need to set the session variable again.
One method, use $_SESSION['last_click_time'] = time(); and compare it. If it's outdated, refresh the session variable, log the user back in, etc etc.
You are probably using the default location for session files and it's a temporary directory shared by all web sites on the server. In that case, the site with shortest session.gc_maxlifetime will probably remove session data from all sites. The reason is that there's no way to determine what site owns what session file.
You'll need to create a custom directory for sessions and specify it with session.save_path
I have stored the user id when the user login , however, i found it sometime will lost , what is the common reason of session lost?
I have used the timeout plugin (idle for sometime will warning and help you logout)
and there are some javascript to transfer between pages
You have edited the list. <a href='view.php' onClick='window.location.reload()'>Back</a></div>
<input type="button" value="Back" onclick="location.href='add.php'" class="btn" style="width:100px"/>
and unset the session, but it should not be the reason?
$(function(){
$("#closeTab").click(function() {
$.post("clear.php",function(data){
window.parent.$('#tt').tabs('close','Create List');
location.reload();
});
});
});
clear.php
if (isset($_SESSION['lname']))
unset($_SESSION['lname']);
if (isset($_SESSION['creminder']))
unset($_SESSION['creminder']);
if (isset($_SESSION['subscribe']))
unset($_SESSION['subscribe']);
if (isset($_SESSION['unsubscribe']))
unset($_SESSION['unsubscribe']);
This is used for store session
$user=$_SESSION['username'];
Thank you
PHP manages sessions this way:
When session_start() a file on the webserver is created. The file is a text file called for example session1234. On the user browser a cookie is set the cookie contains the value "session1234". Every time the user calls a page on the same domain the browser silently sends that cookie.
So the user is recognized and user's session data are taken out from the session file on the server.
Reason a session expire:
Usually when logout from webapplication we use session_destroy() which destroys the file on the server session1234. So if user calls again the site with cookie content session1234: no file session1234 exists on the server (has been removed with logout) the user is not authenticated
Timeout occurs: file session1234 is removed from server default 20 min (configurable in php.ini). If user calls again the site, same as before. Every time the user take an action (call the server) the server updates the time to live of the session file
Users clear browser cookie (can happen if someone want to clear the history of the browser): cookie is lost, the browser doesn't send the cookie the server doesn't receive it and cannot authenticated the user
Hope it helps
There's also a foible with the way PHP handles non-zero expiries on sessions; basically if you set the session cookie to expire in 15 minutes, it will expire 15 minutes from the start of the session... it won't refresh that expiry time.
To run a session that refreshes whenever the user "does something" you need to store an expiry date as a session variable and, when booting up the session, check that variable and if necessary respawn the session.
I've tried to update the expiry date in the session cookie previously, when the session is started... it led to some interesting problems.
It's highly unlikely, but it is possible, the session garbage collection lifetime is also below the lifetime of the cookie expiry. There are a load of ini variables that can deal with some of these common session problems and you can override most of them by setting them at runtime:
ini_set('session.gc_maxlifetime' 900);
ini_set('session.cookie_lifetime' 0); //ALWAYS set this to 0 - so the cookie will only expire when the browser is closed
ini_set('session.cookie_domain', '.domain.ext'); //always start with a "." if you want to cover multiple sub-domains
ini_set('session.cookie_path', '/'); //always use "/" unless you want to limit the cookie to a specific path "/admin" for instance
Personally, I'd put all the session handling stuff into a (Singleton pattern) class and deal with validation and expiry in the constructor.
I have built a session library, and I am having a very random bug (I don't really know how to unit test this, so I just filled everything with log messages and waited till it happened again) that translates into a user being logged out, due to a session ID mismatch.
The flow of the application goes like this:
A request with a valid session ID is made
Session data is found for that session ID in the DB
The 'last activity' happens to be old, so it is regenerated and updated in the DB
The new session ID is sent in the response (as a cookie)
This works fine almost always, but sometimes the next request fails to match the session ID, because (this is my guess) it was sent after we updated the database (in the previous request, which was still running), but before the response with the new cookie came in.
Did I misunderstand the concept of regenerating a session ID? I'm regenerating session ID's only for security reasons, so someone that chose to be logged in for a year, still has his session ID changed from time to time.
One option would be to keep multiple session ids per user, but put expiry times on them - when it's time to regenerate a session id, add the new one, and put an expiry time on the old one equal to some reasonable period of time (a minute, perhaps). Keep accepting the old one in addition to the new one until the old one expires.
I assume you're using session_set_save_handler(), right..? If so, try doing the following:
session_regenerate_id($delete_old_session = true);
session_write_close();
Or even:
session_regenerate_id($delete_old_session = false);
session_write_close();
Calling session_write_close() should effectively save the new session data. You only have to pay attention when you call this (usually before privilege changes > redirects), since it ends the session.
End the current session and store
session data.
Session data is usually stored after
your script terminated without the
need to call session_write_close(),
but as session data is locked to
prevent concurrent writes only one
script may operate on a session at any
time.