I'm using Zend with a session expiration set to 1,800 seconds. I was wondering if this session expiration time refreshes back to 1,800 seconds every time I make a request from the browser to the server on behalf of the user and also when the user loads a new page, or does it just refresh when the user loads a new page?
When a user loads a new page, that is the browser making a request to the server on behalf of the user. So the two scenarios you painted above are the same thing.
When a session is started, the session ID is sent to the browser which usually stores it in a cookie. The browser then uses the cookie to pass the session ID to the server with each request to identify the user. The server keeps track of when the session expires and this area can get a little tricky (read How do I expire a PHP session after 30 minutes?)
But as long as you are using the same browser to make the requests, then the session expiration will refresh in the two scenarios you've given.
The cookie that holds the session id (and all other cookies originating from the target server) travels alongside every request you make to the server, be it a page refresh or an ajax call.
So yes, the session refreshes upon any interaction with the server.
Basically it depends upon many things. Largely upon the browser and the version of the browser. You can read this post : How do I expire a PHP session after 30 minutes?
When you do session_start() if it is is the first call, the server saves session information in a file in /tmp folder, and send to your browser a cookie with this file identifier, else the server get cookie identifier and loads the file information. The duration of this cookie by default in php configuration is 30 minutes.
You can increase the time of this cookie in php.ini or manually setting directive with ini_set function or in .htacces file. You only setting the directive session.cookie_lifetime. The values are number of seconds or if set to the cookie are valid until you are close the browser
Another posible solution is make a token system for users, for example you manually sends a cookie to the browser that expires after 2 months width a token (large randomly key, saved in a database table with a user id field). When the session isn't available you check if the cookie exists and you can recreate session login finding a user manually with the cookie token.
Related
I'm using Zend with a session expiration set to 1,800 seconds. I was wondering if this session expiration time refreshes back to 1,800 seconds every time I make a request from the browser to the server on behalf of the user and also when the user loads a new page, or does it just refresh when the user loads a new page?
When a user loads a new page, that is the browser making a request to the server on behalf of the user. So the two scenarios you painted above are the same thing.
When a session is started, the session ID is sent to the browser which usually stores it in a cookie. The browser then uses the cookie to pass the session ID to the server with each request to identify the user. The server keeps track of when the session expires and this area can get a little tricky (read How do I expire a PHP session after 30 minutes?)
But as long as you are using the same browser to make the requests, then the session expiration will refresh in the two scenarios you've given.
The cookie that holds the session id (and all other cookies originating from the target server) travels alongside every request you make to the server, be it a page refresh or an ajax call.
So yes, the session refreshes upon any interaction with the server.
Basically it depends upon many things. Largely upon the browser and the version of the browser. You can read this post : How do I expire a PHP session after 30 minutes?
When you do session_start() if it is is the first call, the server saves session information in a file in /tmp folder, and send to your browser a cookie with this file identifier, else the server get cookie identifier and loads the file information. The duration of this cookie by default in php configuration is 30 minutes.
You can increase the time of this cookie in php.ini or manually setting directive with ini_set function or in .htacces file. You only setting the directive session.cookie_lifetime. The values are number of seconds or if set to the cookie are valid until you are close the browser
Another posible solution is make a token system for users, for example you manually sends a cookie to the browser that expires after 2 months width a token (large randomly key, saved in a database table with a user id field). When the session isn't available you check if the cookie exists and you can recreate session login finding a user manually with the cookie token.
I have an existing webapp in php and js and I am trying to add authentication to it. I have figured out the part on how to create a login page and authenticate against my organisation's LDAP server where multiple users have their accounts created.
My question is about the $_SESSION variable being same for all users who visit.
If a user visits the page and I set
$_SESSION["username"]="xyz";
$_SESSION["logged_in"]=true;
and then if another user logs in, will the $_SESSION variable be totally new for him or will the keys like "username" and "logged_in" be set with the previous user's data?
If not, then how does PHP or the httpd webserver know whether the tab is closed or a new request has come in?
If I open multiple tabs in the browser (or multiple browser windows) will it all have the same $_SESSION variable in the backend?
Basically I have questions about the lifecycle of the $_SESSION variable.
When the server receives a HTTP request, a Session ID is generated by the server and is sent back to the browser. The browser stores the Session ID in a cookie so it can re-use it. The ID forms the link between the browser and server, so that the server can identify subsequent requests as coming from the same browser.
The browser then sends that Session ID to the server (in a HTTP header) in every request the browser makes to the same server. PHP uses that ID to find the right session data for that ID in its storage. The actual session data is private and never leaves the server. Only the ID goes to the browser.
All of this means it's impossible for two users to share the same session data, because each session ID is unique. (It would technically be possible to steal another user's session ID if they were using an insecure HTTP-only connection to the server and you were able to monitor their network traffic, or even with HTTPS using a man-in-the-middle attack, but that's a whole other topic.)
If you close the browser, the session cookie is destroyed, by default. Therefore when you re-open the browser and go back to the same website, it will send a request without a session ID and will be given a new session ID by the server.
The other thing that would cause a new session to occur is if the session times out on the server. The server will have a session timeout value. It records what time a session was started and when the last request was made using that session ID. If no requests occur using a given session ID for timeout minutes after the last one, then the session ID will be destroyed and the browser will be given a new session ID next time a request occurs, regardless of whether it sent the previous one or not. This is usually why you find you're logged out of a website if you don't use it for a few minutes.
Are sessions only kept alive each time you access a page with session_start(); or do other pages keep it alive too?
Example (with 30 minute timeout):
1
user accesses page with session_start();
25 mins later they access another session_start();
page session stays alive
2
user accesses page with session_start();
25 mins later they access a non-session_start(); page
session stays alive
Is 2 also true ?
There is always a session cookie set in your browser whenever you access a page which has session_start(). The cookie name will PHPSESSID if the website is using PHP(although the name can be changed). This session cookie contains a session id which helps the browser to maintain that session with the server.
You can check manually by browsing any website which has your session and then delete your browser cookies, your session will be lost.
In your case both 1 & 2 are correct.
2 is correct because the user already has accessed a page which has session_start() and your session id will be set for the next 30 mins and it will be present even if you accesse a page which does not have a session.
NOTE: But the page which you will be visiting if contains session_destroy(), your session will be destroyed.
Calling session_start() merely gives your code access to the session.
What keeps the session alive is your browser sending the session id (stored in a cookie) to the server, whether you use it or not.
Answer: They are both true.
Here's the relevant part from the documentation
When a visitor accesses your site, PHP will check automatically (if session.auto_start is set to 1) or on your request (explicitly through session_start()) whether a specific session id has been sent with the request. If this is the case, the prior saved environment is recreated.
http://www.php.net/manual/en/intro.session.php
session_start() creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie.
http://www.php.net/manual/en/function.session-start.php
This means if you don't call session_start, the session will not be resumed and the expiration is not extended.
The session_start() is internal mechanism for php to access session and also to send session cookie to client browser.
Case 1 is true: because user accessed a page with session_start() and then another similar page.
Case 2 is only true if the session timeout is greater than 25 minutes between two visits.
In Case 2, the server will not send any session cookie, its a browser that includes cookie in the request header.
In the instant case the PHP session life of 30 minutes is kind of a "trick question" factor. The default and almost universal session life is 1440 seconds, or 24 minutes. So for most folks, the session data could have disappeared before the 25 minute mark.
This article tells some of the detail behind how PHP sessions work.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11909-PHP-Sessions-Simpler-Than-You-May-Think.html
It doesnt have to do anything with the web pages, session interact with your browser by session id.
The session IDs generated by PHP are unique, random, and almost impossible to guess, making it very
hard for an attacker to access or change the session data. Furthermore, because the session data is stored
on the server, it doesn ’ t have to be sent with each browser request.
To start a PHP session in your script, you simply call the session_
start() function. If this is a new session, this function generates a unique SID for the session and sends it to the browser as a cookie called PHPSESSID (by default).
However, if the browser has sent a PHPSESSID
cookie to the server because a session already exists, session_start() uses this existing session:
session_start();
If you want sessions' on all of your pages, session_start() should be called on all of your pages.
Hence, 1 is CORRECT and 2 is CORRECT
I can't seem to find a definitive answer on the internet, so I'm asking here.
When one uses session_start(); in a .php script and saves some values, when does the session end? So when would those values not be accessible again?
I've found that refreshing the page or stopping the session code-wise would stop it, and a possible time-out would stop the session as well. But what about navigating away from the site and returning a minute later? And closing the browser?
As for the last one, on mobile, what does 'closing the browser' mean? Closing the tab or even minimalising the site?
If your session values are not linked to any cookie, the session will end when the windows browser will be closed.
If your session variable comes from a cookie, the session will end after time specified in the cookie file.
In PHP, sessions work with a cookie of type session. Server-side, the session information is constantly deleted.
To set the lifetime of a cookie in php, you can use the function session_set_cookie_params, before the session_start:
session_set_cookie_params(3600,"/");
session_start();
For ex, 3600 seconds is a one hour, for 2 hours 3600*2 = 7200.
But it's a session cookie, the browser can make it expire by himself, if you want to save longer sessions (like remember login), you need save the data in the server and a standard cookie on the client side.
Navigating away from a site when using cookies will not break the session.
There are two things that can effectively end a session:
The cookie linking it to the browser gets destroyed. PHP typically uses session cookies. These are deleted when the browser is closed. The browser, not the tab. They can also be deleted manually.
When the server hasn't received a request from the browser with the session cookie for the session for a certain amount of time (defined in session.gc_maxlifetime) and it cleans up the session data.
I have stored the user id when the user login , however, i found it sometime will lost , what is the common reason of session lost?
I have used the timeout plugin (idle for sometime will warning and help you logout)
and there are some javascript to transfer between pages
You have edited the list. <a href='view.php' onClick='window.location.reload()'>Back</a></div>
<input type="button" value="Back" onclick="location.href='add.php'" class="btn" style="width:100px"/>
and unset the session, but it should not be the reason?
$(function(){
$("#closeTab").click(function() {
$.post("clear.php",function(data){
window.parent.$('#tt').tabs('close','Create List');
location.reload();
});
});
});
clear.php
if (isset($_SESSION['lname']))
unset($_SESSION['lname']);
if (isset($_SESSION['creminder']))
unset($_SESSION['creminder']);
if (isset($_SESSION['subscribe']))
unset($_SESSION['subscribe']);
if (isset($_SESSION['unsubscribe']))
unset($_SESSION['unsubscribe']);
This is used for store session
$user=$_SESSION['username'];
Thank you
PHP manages sessions this way:
When session_start() a file on the webserver is created. The file is a text file called for example session1234. On the user browser a cookie is set the cookie contains the value "session1234". Every time the user calls a page on the same domain the browser silently sends that cookie.
So the user is recognized and user's session data are taken out from the session file on the server.
Reason a session expire:
Usually when logout from webapplication we use session_destroy() which destroys the file on the server session1234. So if user calls again the site with cookie content session1234: no file session1234 exists on the server (has been removed with logout) the user is not authenticated
Timeout occurs: file session1234 is removed from server default 20 min (configurable in php.ini). If user calls again the site, same as before. Every time the user take an action (call the server) the server updates the time to live of the session file
Users clear browser cookie (can happen if someone want to clear the history of the browser): cookie is lost, the browser doesn't send the cookie the server doesn't receive it and cannot authenticated the user
Hope it helps
There's also a foible with the way PHP handles non-zero expiries on sessions; basically if you set the session cookie to expire in 15 minutes, it will expire 15 minutes from the start of the session... it won't refresh that expiry time.
To run a session that refreshes whenever the user "does something" you need to store an expiry date as a session variable and, when booting up the session, check that variable and if necessary respawn the session.
I've tried to update the expiry date in the session cookie previously, when the session is started... it led to some interesting problems.
It's highly unlikely, but it is possible, the session garbage collection lifetime is also below the lifetime of the cookie expiry. There are a load of ini variables that can deal with some of these common session problems and you can override most of them by setting them at runtime:
ini_set('session.gc_maxlifetime' 900);
ini_set('session.cookie_lifetime' 0); //ALWAYS set this to 0 - so the cookie will only expire when the browser is closed
ini_set('session.cookie_domain', '.domain.ext'); //always start with a "." if you want to cover multiple sub-domains
ini_set('session.cookie_path', '/'); //always use "/" unless you want to limit the cookie to a specific path "/admin" for instance
Personally, I'd put all the session handling stuff into a (Singleton pattern) class and deal with validation and expiry in the constructor.