I am confused regarding sessions in PHP. My question is: when a user closes the browser directly with the red cross button without logging out, is the session destroyed or not? If he opens that page again, would he be asked to log in or would he be directed inside the application?
I have googled around; some say he will be directed to login and some say he will be directed inside the application.
The default session cookie is set to expire when the browser window is closed. The corresponding session on the server will still exist for a while until it is garbage collected. If the user could resurrect/keep the cookie, he could continue to use the session. But again, the browser will discard the cookie when it's closed. You can modify the session cookie settings with an explicit expiration time, which means it will persist until then, giving your user a permanently logged-in status.
Here are all the session and session-cookie related settings you can tweak with ini_set: http://php.net/manual/en/session.configuration.php
PHP sessions should automatically expire when the browser window closes, provided you do not modify the session cookie's expiration time.
Moreover, the scenario you described can be done with a cookie.
If you set a (persistent) cookie for a limited time period, it will not ask for the login until then and will save your login credentials.
Redirecting to the last page can be done by your logic, not by the browser.
Check session.cookie_lifetime in php.ini: if it is 0, it will destroy the session whenever we close the browser.
I have a little confusion about PHP session and session cookies.
Let me ask my question by giving an example of www.example.com.
When I login to www.example.com, it starts a session. So I'm logged in as a user on this website.
Now when I clear cookies in my browser, it deletes all the browser cookies.
My question is: is the session at www.example.com destroyed when I clear the browser cookies, even when I haven't clicked on the logout button to destroy the session?
So that explains what I want to ask.
Does clearing browser cookies automatically destroy the PHP session even when you haven't done anything on a website that will call the function to destroy the session?
Why is the PHP session destroyed when the browser's cookies are cleared?
After clearing cookies PHP does not destroy the session, it just cannot receive the session ID anymore (which is stored in cookies), so the link between the session data and the current user connection is lost. PHP destroys the session later, depending on its config.
Does clearing browser cookies automatically destroy the PHP session even when you haven't done anything on a website that will call the function to destroy the session?
No, it does not. PHP has limits on session lifetime (see php.ini, session.gc_maxlifetime and session.cookie_lifetime), which basically define session lifetime. In addition to the official manual, there's also a good explanation of how these settings influence session lifetime.
If you watch carefully, like through web inspector on Chrome/Firefox etc, then you can see that the PHPSESSIONID is set as a cookie. So if you delete all cookies then I imagine you delete this cookie as well and therefore the session doesn't know what ID to use.
It's the mechanism of sessions. You can read more here.
About sessions (usually server sessions): the server saves all the session user data on the server and retrieves the data by the session ID from the client (by cookies).
The first time, the client sends a request to the server. The server has not found any session ID in this request and responds with a normal webpage that includes SET-COOKIE: SessionID=xyz
From now on, every request from the client will include Session ID = xyz (by cookies).
If you clear cookies, the session ID is certainly gone.
I can't seem to find a definitive answer on the internet, so I'm asking here.
When one uses session_start(); in a .php script and saves some values, when does the session end? So when would those values not be accessible again?
I've found that refreshing the page or stopping the session code-wise would stop it, and a possible time-out would stop the session as well. But what about navigating away from the site and returning a minute later? And closing the browser?
As for the last one, on mobile, what does 'closing the browser' mean? Closing the tab or even minimising the site?
If your session values are not linked to any cookie, the session will end when the browser window is closed.
If your session variable comes from a cookie, the session will end after time specified in the cookie file.
In PHP, sessions work with a cookie of type session. Server-side, the session information is constantly deleted.
To set the lifetime of a cookie in php, you can use the function session_set_cookie_params, before the session_start:
session_set_cookie_params(3600,"/");
session_start();
For example, 3600 seconds is one hour; for 2 hours, 3600*2 = 7200.
But it's a session cookie, so the browser can make it expire by itself. If you want to keep longer sessions (like remember login), you need to save the data on the server and a standard cookie on the client side.
Navigating away from a site when using cookies will not break the session.
There are two things that can effectively end a session:
The cookie linking it to the browser gets destroyed. PHP typically uses session cookies. These are deleted when the browser is closed. The browser, not the tab. They can also be deleted manually.
When the server hasn't received a request from the browser with the session cookie for the session for a certain amount of time (defined in session.gc_maxlifetime) and it cleans up the session data.
I store the user ID when the user logs in; however, I found it is sometimes lost. What is the common reason for a session being lost?
I have used the timeout plugin (being idle for some time gives a warning and helps you log out)
and there is some JavaScript to transfer between pages
You have edited the list. <a href='view.php' onClick='window.location.reload()'>Back</a></div>
<input type="button" value="Back" onclick="location.href='add.php'" class="btn" style="width:100px"/>
and I unset the session, but that should not be the reason?
$(function(){
$("#closeTab").click(function() {
$.post("clear.php",function(data){
window.parent.$('#tt').tabs('close','Create List');
location.reload();
});
});
});
clear.php
if (isset($_SESSION['lname']))
unset($_SESSION['lname']);
if (isset($_SESSION['creminder']))
unset($_SESSION['creminder']);
if (isset($_SESSION['subscribe']))
unset($_SESSION['subscribe']);
if (isset($_SESSION['unsubscribe']))
unset($_SESSION['unsubscribe']);
This is used to store the session:
$user=$_SESSION['username'];
Thank you
PHP manages sessions this way:
When session_start() is called, a file on the web server is created. The file is a text file called, for example, session1234. On the user's browser a cookie is set; the cookie contains the value "session1234". Every time the user calls a page on the same domain, the browser silently sends that cookie.
So the user is recognized and the user's session data are taken from the session file on the server.
Reasons a session expires:
Usually when logging out from a web application we use session_destroy(), which destroys the file session1234 on the server. So if the user calls the site again with cookie content session1234, no file session1234 exists on the server (it has been removed with the logout) and the user is not authenticated.
Timeout occurs: the file session1234 is removed from the server, by default after 20 min (configurable in php.ini). If the user calls the site again, the same happens as before. Every time the user takes an action (calls the server) the server updates the time to live of the session file.
Users clear browser cookies (can happen if someone wants to clear the history of the browser): the cookie is lost, the browser doesn't send the cookie, the server doesn't receive it and cannot authenticate the user.
Hope it helps
There's also a foible with the way PHP handles non-zero expiries on sessions; basically if you set the session cookie to expire in 15 minutes, it will expire 15 minutes from the start of the session... it won't refresh that expiry time.
To run a session that refreshes whenever the user "does something" you need to store an expiry date as a session variable and, when booting up the session, check that variable and if necessary respawn the session.
I've tried to update the expiry date in the session cookie previously, when the session is started... it led to some interesting problems.
It's highly unlikely, but it is possible that the session garbage collection lifetime is also below the lifetime of the cookie expiry. There are a load of ini variables that can deal with some of these common session problems, and you can override most of them by setting them at runtime:
ini_set('session.gc_maxlifetime', 900);
ini_set('session.cookie_lifetime', 0); //ALWAYS set this to 0 - so the cookie will only expire when the browser is closed
ini_set('session.cookie_domain', '.domain.ext'); //always start with a "." if you want to cover multiple sub-domains
ini_set('session.cookie_path', '/'); //always use "/" unless you want to limit the cookie to a specific path "/admin" for instance
Personally, I'd put all the session handling stuff into a (Singleton pattern) class and deal with validation and expiry in the constructor.
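The sliding expiry described in this answer (an expiry date kept as a session variable, checked when the session boots, with a respawn when it has passed) could look like the following. This is an added example, not the answerer's code; the function name, the `expires_at` key and the login URL are hypothetical, and it assumes PHP 7.3+ and a site served over HTTPS.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; 900 s mirrors the gc_maxlifetime value above.
const IDLE_LIMIT = 900;

/**
 * Start the session and enforce a sliding idle timeout kept in the session
 * itself. Returns false when the previous session had expired and was reset.
 */
function start_session_with_idle_timeout(int $idleLimit = IDLE_LIMIT): bool
{
    // Server-side data must live as long as the idle window.
    ini_set('session.gc_maxlifetime', (string) $idleLimit);
    // Reject session IDs that the server did not issue itself.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie, as the answer recommends
        'path'     => '/',
        'secure'   => true,   // assumption: the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    $now     = time();
    $expired = isset($_SESSION['expires_at']) && $_SESSION['expires_at'] < $now;

    if ($expired) {
        // "Respawn": drop the stale data and move to a fresh session ID,
        // deleting the old session record on the server.
        $_SESSION = [];
        session_regenerate_id(true);
    }

    // Every request pushes the deadline forward, which the cookie expiry cannot do.
    $_SESSION['expires_at'] = $now + $idleLimit;

    return !$expired;
}

if (!start_session_with_idle_timeout()) {
    // The idle limit was exceeded: treat the visitor as logged out.
    header('Location: /login.php'); // hypothetical login URL
    exit;
}
```

Because the deadline lives on the server, a client that keeps or replays an old cookie still loses access once the idle limit has passed.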
I have a PHP app which requires log in, offers a log out option and force logs off users who have been inactive for X minutes.
But, if I log in, close my browser and re-open it, the $_SESSION variables still exists.
What's the general practice here? Should I want to prevent this and, if so, how?
Something in me just wants to treat closing the browser as logout ... on the one hand, it's a secure app (since it requires login) but a non-tech user might reasonably expect that if they close the whole browser then no one can see their private data. Otoh, if the browser crashes and the user restarts it, he might hope to pick up where he left off ...
What do others do?
PHP sessions work by saving a cookie to the user's browser containing the ID of the session on the server. Therefore PHP sessions work exactly like ordinary cookies do.
If you close your browser, cookies are persistent. The server doesn't know what instance of the browser the user is using, whether the browser has restarted, or even if the computer has restarted.
Providing a log-out button is the most usual practice here, but if for some reason you require the user to be logged out when the browser closes, you will have to implement something client-side, as the browser doesn't send any signal to the server when it closes.
If you are concerned about security - i.e. you are programming a highly secure application such as a payment gateway - you can follow the practice of bank websites or other payment gateways;
When the user returns to the site, they are still logged on, but when they try to perform any action that will affect the logged-in user, re-authenticate with another password screen, or ask for some memorable information.
This is a classic behavior, you can observe it on many sites, including Stack Overflow :)
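The re-authentication step described in this answer, sketched as an added example (not code from the answer): the session keeps the user logged in, but a sensitive action requires a recent password check. The function names, the `auth_time` key and the 300-second window are hypothetical, and a local array stands in for `$_SESSION` so the script runs from the command line.

```php
<?php
declare(strict_types=1);

const REAUTH_WINDOW = 300; // hypothetical: seconds a password check stays "fresh"

// True when the password was verified recently enough for a sensitive action.
function has_fresh_auth(array $session, int $now, int $window = REAUTH_WINDOW): bool
{
    return isset($session['user_id'], $session['auth_time'])
        && ($now - $session['auth_time']) <= $window;
}

// Re-check the password and, on success, stamp the session as freshly authenticated.
function reauthenticate(array &$session, string $password, string $storedHash, int $now): bool
{
    if (!isset($session['user_id']) || !password_verify($password, $storedHash)) {
        return false;
    }
    $session['auth_time'] = $now;
    return true;
}

// Constructed sample data: a user who logged in an hour ago and then
// reopened the browser with the session still alive.
$storedHash = password_hash('constructed-sample-password', PASSWORD_DEFAULT);
$session    = ['user_id' => 42, 'auth_time' => time() - 3600];

// The session is valid, but too old for a sensitive action.
var_dump(has_fresh_auth($session, time()));

// A wrong password leaves the session stale; the right one refreshes it.
var_dump(reauthenticate($session, 'wrong-guess', $storedHash, time()));
var_dump(reauthenticate($session, 'constructed-sample-password', $storedHash, time()));
var_dump(has_fresh_auth($session, time()));
```

In an application, pass `$_SESSION` in place of the local array and call `has_fresh_auth()` at the top of each handler that changes account data.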
Your session variable is bound to a cookie in the browser. If you want the user to really be logged off when the browser closes, set the time of the session cookie to zero.
When you explicitly set a cookie, you can choose its expire time. When you're using session_start() to generate a session cookie, its expiration time is determined by the session.cookie_lifetime value in php.ini. If you set this to 0, session cookies will expire when the browser window is closed.
Let's suppose I have a sign-in form. When I sign in successfully I am redirected to the logged in home page. Currently, when I close this page without signing out, and re-open Firefox, this logged in home page is started again.
I want it so that when the user closes their browser the session is expired and when they next open Firefox the logged-in home page isn't displayed.
I think a session will be used for this, but I don't know how I can set a time or even make it so that when Firefox closes the session gets destroyed.
You want the session cookie to have an expire time of 0 - see:
http://php.net/manual/en/function.setcookie.php
http://docs.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
Set your session timeout to 15 minutes, this should do the job. You cannot catch the "close browser" or "close tab" event for sure (no javascript enabled, browser just crashes, etc), so you shouldn't go for that.
Check Felix' post for additional information where to set the session timeout exactly.
Pardon me if I am stepping on toes as a non-server HTML programmer, but could you check to see if the browser already has a cookie from a previous session? Even if the answer is yes, if it is a new session, force an authentication?
Just a thought.