saving session data when browser closes - php

I would like to know what the best way to save a shopping cart is. I'd like the shopping cart details (which are session variables) to persist even when the user closes his browser. I would consider saving the data in a table as soon as the window close event is fired, but I'm not sure that the jQuery unLoad or beforeUnload events are what I need, as they don't seem to work across different browsers.
I'd appreciate any pointers to set me on the right path.

It's not so much when a browser closes as keeping the session cookie in the browser. If I understand correctly, you're using sessions (i.e. the $_SESSION variable), so it should be relatively easy. PHP's function session_set_cookie_params would most likely be the way to go; there's also the option session.cookie_lifetime (found here) that explains the session's cookie lifetime a bit more, even if you can't set it yourself.
The session cookie's lifetime is in seconds; so if you set it to 60 seconds and visit the site, the session cookie will only last 60 seconds before discarding the cookie, effectively destroying the session. Set the lifetime to a high number in order to prevent this.

Since the session data is server-side, and all the browser has is a session ID, all you need to do is make the session ID last longer.
This is done by editing the php.ini settings, particularly those regarding the lifetime of the session cookie. If it's 0, then the cookie is cleared when the browser closes.
Try setting it to a high number. That will make the session persist.

Maybe save data when they are changing and not when the browser is closing. Saving could be in Database, Local Storage or Cookies.

Why not just keep your shopping cart data persisted anyway? If you want it when they're on the site and you still require it when they've left, just persist it. It's tricky to reliably pick up when a session is abandoned, as they could close the machine down or kill the browser process. Every change to the cart should be saved until they explicitly kill their cart or the cookie associated with it.

You just save the data as soon as the data change is made. Why wait? As soon as someone adds an item to their cart, save it.

The jQuery unLoad method works everywhere. I assume you want to store the cart in a DB when you talk about table(s). So you have to make a synchronous Ajax call to your server, so PHP can store it and probably return an identifier, which you should put into a cookie.
The problem is that this procedure can take a relatively long time (1-2s). I'd just provide a Save button.
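
The approach several answers above converge on (write each cart change to the database at once and keep only an identifier in a long-lived cookie) can look like the following. This is an added example, not code from any of the posters; the `carts` table, the `cart` cookie name and the 30-day lifetime are assumptions, and the `setcookie()` options array needs PHP 7.3 or later.

```php
<?php
// Added example; the carts table and the 'cart' cookie name are assumptions.
const CART_TTL = 2592000; // 30 days, an arbitrary choice

// Return the visitor's opaque cart token, issuing one if the cookie is absent or malformed.
function cart_token(): string
{
    $token = $_COOKIE['cart'] ?? '';
    if (!is_string($token) || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        $token = bin2hex(random_bytes(32));
        setcookie('cart', $token, ['expires' => time() + CART_TTL, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    }
    return $token;
}

// Save one cart line as soon as it changes; qty <= 0 removes it.
// Only a hash of the token is stored, so a leaked table yields no usable cookies.
function cart_set_item(PDO $db, string $token, string $sku, int $qty): void
{
    $key = hash('sha256', $token);
    $db->beginTransaction();
    $db->prepare('DELETE FROM carts WHERE token_hash = ? AND sku = ?')->execute([$key, $sku]);
    if ($qty > 0) {
        $db->prepare('INSERT INTO carts (token_hash, sku, qty, updated_at) VALUES (?, ?, ?, ?)')
           ->execute([$key, $sku, $qty, time()]);
    }
    $db->commit();
}

// Load the cart as [sku => qty]. Prices come from the catalogue, never from the client.
function cart_load(PDO $db, string $token): array
{
    $stmt = $db->prepare('SELECT sku, qty FROM carts WHERE token_hash = ? AND updated_at > ?');
    $stmt->execute([hash('sha256', $token), time() - CART_TTL]);
    return $stmt->fetchAll(PDO::FETCH_KEY_PAIR);
}

if (PHP_SAPI === 'cli') { // constructed demo on an in-memory SQLite database
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE carts (token_hash TEXT, sku TEXT, qty INTEGER,
               updated_at INTEGER, PRIMARY KEY (token_hash, sku))');
    $token = bin2hex(random_bytes(32)); // stands in for cart_token() outside a web request
    cart_set_item($db, $token, 'SKU-1', 2);
    cart_set_item($db, $token, 'SKU-1', 3); // a quantity change overwrites the line
    cart_set_item($db, $token, 'SKU-2', 1);
    print_r(cart_load($db, $token));
}
```

Because the cart lives in its own table, it survives both browser restarts and garbage collection of the PHP session, and nothing depends on an unload event firing.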

Related

Rotating session identifier causing random log-outs, any alternative?

Following the best practices for sessions I have extended SessionHandler and regenerate the session ID at random (1 in 10 chance). The sessions work fine and I've started to implement some AJAX calls. However there are some very random cases where the session will be invalidated and the user logged out, I do not know the best and safest solution to this.
Let me walk you through what happens:
Let's say the user "loads more data" and initiates an AJAX call.
Browser sends headers including COOKIE, session ID is: klqlk0rldcasbos2f4li1db
The session handler validates this, it's fine, but we've hit the 1 in 10 chance so we session_regenerate_id
Server sends back new session ID: sbos2f4li1dbklqlk0rldca
During the process of sending data back, the user clicks to another page while the AJAX is still running (small chance, but it can happen).
The new session ID doesn't seem to be stored successfully by the browser. Seemingly if the request is cancelled all data is discarded, including the new session ID. (Not a browser bug, right?).
So then since the user has gone to a new page the client is sending a session ID klqlk0rldcasbos2f4li1db NOT the new one sbos2f4li1dbklqlk0rldca. Thus invalid session = logout.
I can also reliably reproduce this simply bashing F5 on a page where it doesn't get time to be completely received.
Possible Solutions?
When we session_regenerate_id we store the old ID somewhere, add some sort of checking.
We disable session_regenerate_id during any AJAX calls. Slight reduction in security and not really a solution.
Any input would be greatly appreciated.
UPDATE
I had been using session_regenerate_id(true) and setting this back to false (default) solves the issue, but now I'm wondering how good this is at preventing session hijacking if the old session stays on the system? Defeats the point of generating a new ID.
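
The first "possible solution" in the question above, keeping the old ID for a short time and checking it, can be implemented by leaving the retired session record behind as a pointer to its successor. This is an added example, not part of the original post; the keys `rotated_at` and `successor_id` and the 30-second window are assumptions, and `session_create_id()` needs PHP 7.1 or later.

```php
<?php
// Added example; the keys 'rotated_at' and 'successor_id' are assumptions.
const ROTATION_GRACE = 30; // seconds a retired ID keeps forwarding to its successor

// Swap the session ID and leave the old record as a short-lived, data-free pointer.
function rotate_session_id(): void
{
    $data  = $_SESSION;
    $newId = session_create_id();            // collision-checked while the session is active
    $_SESSION = ['rotated_at' => time(), 'successor_id' => $newId];
    session_commit();                        // old record now holds only the pointer
    ini_set('session.use_strict_mode', '0'); // accept the ID chosen above (this request only)
    session_id($newId);
    session_start();                         // emits Set-Cookie with the new ID
    $_SESSION = $data;
}

// Start the session; if the browser presents a retired ID, follow its pointer while it is fresh.
function start_session_with_grace(): void
{
    session_start();
    for ($hop = 0; isset($_SESSION['rotated_at']) && $hop < 3; $hop++) {
        if ($_SESSION['rotated_at'] >= time() - ROTATION_GRACE) {
            $next = $_SESSION['successor_id']; // the Set-Cookie was lost: resend it
            session_commit();
        } else {
            $next = session_create_id();       // retired ID replayed late: start empty
            session_destroy();
        }
        ini_set('session.use_strict_mode', '0');
        session_id($next);
        session_start();
    }
    if (isset($_SESSION['rotated_at'])) {
        $_SESSION = [];                        // pointer chain too long: treat as logged out
    }
}

start_session_with_grace();
if (random_int(1, 10) === 1) {                 // the question's 1-in-10 rotation
    rotate_session_id();
}
```

Within the grace window a retired ID still reaches the live session, so the window should be no longer than the slowest in-flight request; after it, the retired ID leads only to an empty session, unlike `session_regenerate_id(false)`, which leaves the full old session usable until garbage collection.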

php PHPSESSID exists but session destroyed

I am trying to keep a user logged in for 2 weeks. If the user logs in with "remember me" checked, then I set some variables in the session and the cookie is set for 2 weeks. It is set correctly; I have printed it and got the values session_cookie_lifetime = 1209600 and session_gc_maxlifetime = 1209600. I also printed the session and got the correct value in $_SESSION.
After logging in to my site, when I shut down my computer and reopen my site, it seems to be working (it keeps me logged in). But when I shut down my computer and open my browser the next day, it is not working and shows that I am not logged in to my site. I have printed $_COOKIE and $_SESSION. It shows that the cookie contains:
[PHPSESSID] => svikos35bgclmebk2cqraiddt2
But session is empty.
I got this from the MODx stuff:
MODx automatically starts and ends sessions with each request made to the site. You can simply save values into the $_SESSION array and they will be saved in between requests so you can use them on subsequent pages (so long as you have the same user session). Not really any magic to it other than don’t call the session functions yourself to start, end, or otherwise manipulate the session configuration—that can all be done via settings in MODx.
I am using MODx Revo. It is a bit of a descriptive question. Let me know if you need something else.
Anything that may help me (blog link, any settings, any suggestion) will be highly appreciated.
Thanks in advance
This only happens after a day?
Could tmpwatch be deleting session files from the server?
session_cookie_lifetime and session_gc_maxlifetime don't guarantee that the session will be saved for a week. GC kills unused sessions. Check the PHP documentation about these parameters and you will see that you can't be sure that your session will still be on the server, and you can't be sure that your session will be destroyed after this time. GC is async.
You need to recreate $_SESSION after login (and autologin) if it doesn't exist.
Check this article (in Russian, try Google Translate):
PHP GC: unexpected behavior
The basic idea behind SESSION is that when you create or call the session_start() method, your server generates a session ID and stores it in server memory. The server also creates a cookie on your client machine; that cookie contains an ID that is related to your server-side session ID. When you call the session_destroy() method, the server deletes that ID on the server side, but the client-side cookie is not deleted. That is why your session ID is still shown. You can also check by clearing the cache and cookies. When you clear the cookie, your session will be destroyed.
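
Recreating `$_SESSION` on autologin, as one answer above suggests, needs a credential that outlives the session data. A common design is a separate "remember me" cookie holding a selector and a random validator, with only the validator's hash stored server-side. This is an added example in plain PHP, not MODx's own mechanism and not code from the thread; the `remember_tokens` table, the `remember` cookie and the `user_id` session key are assumptions, and the `setcookie()` options array needs PHP 7.3 or later.

```php
<?php
// Added example. Assumed table:
//   remember_tokens(selector PRIMARY KEY, validator_hash, user_id, expires_at)
const REMEMBER_TTL = 1209600; // two weeks, the lifetime used in the question

// Create a token for $userId and return the cookie value "selector:validator".
function issue_remember_token(PDO $db, int $userId): string
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at)
                  VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);
    return $selector . ':' . $validator;
}

// Return the user ID for a valid token, or null. Every presented token is consumed.
function redeem_remember_token(PDO $db, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) { return null; }
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires_at
                          FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$parts[0]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$parts[0]]);
    if (!$row || $row['expires_at'] < time()
        || !hash_equals($row['validator_hash'], hash('sha256', $parts[1]))) {
        return null;
    }
    return (int) $row['user_id'];
}

// Call after session_start(): rebuild $_SESSION when the server-side data is gone.
function restore_login(PDO $db): void
{
    $cookie = $_COOKIE['remember'] ?? '';
    if (isset($_SESSION['user_id']) || !is_string($cookie) || $cookie === '') { return; }
    $userId = redeem_remember_token($db, $cookie);
    $opts = ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];
    if ($userId === null) {
        setcookie('remember', '', ['expires' => 1] + $opts); // clear the dead cookie
        return;
    }
    session_regenerate_id(true);                // new session ID for the restored login
    $_SESSION['user_id'] = $userId;
    setcookie('remember', issue_remember_token($db, $userId),
              ['expires' => time() + REMEMBER_TTL] + $opts);
}
```

The token is single-use and replaced on every redemption, so its lifetime no longer depends on when the session garbage collector or a cleanup job such as tmpwatch removes the session file.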

When does a PHP session end?

I can't seem to find a definitive answer on the internet, so I'm asking here.
When one uses session_start(); in a .php script and saves some values, when does the session end? So when would those values not be accessible again?
I've found that refreshing the page or stopping the session code-wise would stop it, and a possible time-out would stop the session as well. But what about navigating away from the site and returning a minute later? And closing the browser?
As for the last one, on mobile, what does 'closing the browser' mean? Closing the tab or even minimising the site?
If your session values are not linked to any cookie, the session will end when the browser window is closed.
If your session variable comes from a cookie, the session will end after the time specified in the cookie file.
In PHP, sessions work with a cookie of type session. Server-side, the session information is constantly deleted.
To set the lifetime of a cookie in PHP, you can use the function session_set_cookie_params, before session_start:
session_set_cookie_params(3600,"/");
session_start();
For example, 3600 seconds is one hour; for 2 hours, 3600*2 = 7200.
But it's a session cookie, so the browser can make it expire by itself. If you want to save longer sessions (like remember login), you need to save the data on the server and a standard cookie on the client side.
Navigating away from a site when using cookies will not break the session.
There are two things that can effectively end a session:
The cookie linking it to the browser gets destroyed. PHP typically uses session cookies. These are deleted when the browser is closed. The browser, not the tab. They can also be deleted manually.
When the server hasn't received a request from the browser with the session cookie for the session for a certain amount of time (defined in session.gc_maxlifetime) and it cleans up the session data.

How to restore old session when user accidentally closes the browser?

I am planning to create an online examination system in PHP. What steps could I take to restore the old session if the user has accidentally closed the window?
Suppose he has already answered 49 questions out of 50 and suddenly there is a power cut (and there is no UPS) or he accidentally closes the window (even by mistake, if he clicks yes on JavaScript's prompt on the window.unload event) and then reopens the browser, everything is lost. What could I possibly do to prevent this?
Thanks in advance :)
You would need to do one of two things:
Persist the current state on the user machine - this would have to be done via a cookie.
Persist the current state on the server.
The second option is probably more reliable; it does require that you are in constant contact with the server. It would also allow the session to resume on another machine.
The first option would probably be easier to implement.
Offer a login system where you store the progress tied to the user login, or simply use cookies that do not expire upon closing the browser (i.e. set an expiry date far in the future).
You can store the session parameters in a cookie which expires after, e.g., 30 days.
You could save their state every time they go to the next question - if it's saved in a session, you could serialize the session and save it in the DB, related to their account.
If they open up the browser again, you can then load up the saved session, unserialize it, and continue off where they left it.
Storing the session ID as a cookie with a long expiry time will solve the problem but will introduce a new issue: on public or shared machines, users will have to explicitly log out (i.e. destroy the session), otherwise everyone that accesses the site after they quit will continue their session.
Another solution is to bind 'exam sessions' to the user, persist them in the database and continue the session if a user with a pending exam logs in. Obviously this requires a bit of coding :-)
Continuously save the page state into a cookie (e.g. on every form change - thus you have the state of the current page);
On submit, save the state into the session (or even into a database of unfinished forms) and clear it from the cookie (thus you have the overall state of the exam stored server-side, so you can clear it from the cookie).
When finished, clear both cookie and session.
Of course, if there's a power outage, the cookie may not have been flushed to disk yet, but otherwise (especially if you have multiple questions on one page), the user will lose less state than if you only saved on submit.

PHP Session help

I have a session that works perfectly except for one thing: if I close the browser the session gets destroyed, however if I close the current tab and then go back to the site, the session still exists. How can I make sure that the session is destroyed both on a tab close and a window close?
The problem here is browser behaviour. Cookies aren't usually destroyed until the browser is closed, and PHP sessions are maintained via a session ID cookie.
Your best bet may be to set the session timeout to something shorter than the default (15 or 30 minutes I believe).
You could try and do something with onunload as Anonymous suggests, but the onunload event is not guaranteed to fire so you won't be certain that the session has been destroyed.
Is there a particular reason you need the session to be destroyed straight away? If we know your exact problem we may be able to suggest a workaround.
You can't check tab closing with PHP; you should do it with a combination of the JavaScript onunload event and an Ajax call to request the destroy method for the server-side session.
