I understand that PHP stores a user's session id in a cookie called "PHPSESSID" which is stored in the client's browser and is matched against the session on the server to be able to relate the two. After closing the browser the session info disappears but the cookie on the client remains. Is it possible to use this cookie to restore the old session? Or does all the session data get deleted from the server the moment the client closes their browser?
I had this on my page first:
session_start();
$_SESSION['message'] = 'Hello';
echo $_SESSION['message']; // outputs hello
then I changed the page to:
$old_session = session_id();
session_id($old_session);
session_start();
echo $_SESSION['message'];
Then I closed the browser and reopened it to this page and got these errors:
Warning: session_start() [function.session-start]: The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in C:\xampp\htdocs\localhost\test.php on line 5
Notice: Undefined index: message in C:\xampp\htdocs\localhost\test.php on line 7
How exactly does one retrieve old session info after closing the browser? Is it even possible?
The accepted answer here should not be accepted. You most certainly can recover a session so long as it has not been cleared yet. It really is this simple.
<?php
session_id($the_id_of_the_session_you_want_to_reopen);
session_start();
?>
I found the answer here.
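As an added example (not part of the answer above, and not the questioner's code), here is the resume-by-id call together with the checks a server should wrap around it, plus the cookie settings that make the browser keep PHPSESSID across restarts, which is what the original question was really after. Function names are mine; the strict-mode behaviour relied on is PHP's own (session.use_strict_mode), and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not the answer's own code. Requires PHP 7.3+ for the
// array form of session_set_cookie_params().
declare(strict_types=1);

/**
 * Make the session cookie outlive the browser window so a later visit still
 * carries PHPSESSID. The data itself only survives as long as
 * session.gc_maxlifetime, so the two values are kept in step.
 */
function configurePersistentSession(int $lifetimeSeconds): void
{
    ini_set('session.gc_maxlifetime', (string) $lifetimeSeconds);
    ini_set('session.use_strict_mode', '1');   // refuse ids the server never issued
    ini_set('session.use_only_cookies', '1');  // never accept an id from the URL
    session_set_cookie_params([
        'lifetime' => $lifetimeSeconds,        // 0 would mean "until the browser closes"
        'path'     => '/',
        'secure'   => true,                    // only sent over HTTPS
        'httponly' => true,                    // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

/**
 * Reopen the session with the given id, as the answer above suggests, but
 * report whether PHP actually found data for it. Under use_strict_mode an
 * unknown id is discarded and a fresh one generated, so comparing the id
 * after session_start() is the success test.
 */
function resumeSessionById(string $id): bool
{
    // The alphabet depends on session.sid_bits_per_character; at most it is
    // a-z, A-Z, 0-9, ',' and '-' (the set the warning in the question lists),
    // and the length follows session.sid_length (22..256).
    if (preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) !== 1) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();
    }
    session_id($id);
    session_start();
    return session_id() === $id;
}

// Usage on every page, before any output. The normal path needs no
// session_id() call at all: the id arrives in the (now persistent) cookie.
configurePersistentSession(14 * 24 * 3600);      // two weeks
session_start();
$_SESSION['message'] = $_SESSION['message'] ?? 'Hello';
```

The questioner's second script called session_id() before session_start(), at which point no id has been read yet, so the value handed back into session_id() was not a usable id; with the cookie made persistent as above, session_start() alone picks the old session up again, as long as the garbage collector has not removed it.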
A session does exactly what it says on the tin - exists for the duration of the client's session. A browsing session by definition (such as there is one) ends when you close the browser.
Cookie-based sessions work by setting a cookie that has a lifetime defined in PHP as 0 - this means that the browser should destroy the cookie when the browser is closed. Once the cookie has been destroyed, the session ID is not sent in any subsequent server requests, so the session data will not be available in your PHP script.
However, the session data is not destroyed at the server side at the moment the user closes the browser, as you suggested - this is impossible, because the client does not notify the server that it has been closed. Instead, the session data at the server side has a TTL (time-to-live) which has a default value of 15 minutes. After this has expired, the data may be deleted at any time by the session garbage collector. In theory this could be some considerable time, but in practice on a busy server the data will be deleted within a couple of minutes of the TTL expiring.
However, PHP cannot make the session data available unless it has the session ID, and it will not have the session ID if the cookie has been destroyed, which as I say, should happen when the user closes their browser.
So the short answer to the question "How can I restore a PHP session?" is: you can't.
This may or may not be an answer you are looking for.
As far as I know, you can't "restore" a session based on the session cookie. What I do is store a cookie with the client's id, username, and password, salted and hashed. I also store another with their id. I check for both cookies when they visit the site, then validate them against each other, then log them in automatically. While this doesn't "restore" their session, it allows them to stay logged in on my site even if they closed the browser. This was how I figured to do it, and I figure if someone did hijack or view another user's cookies, it would be near impossible to decrypt with the salt I used. The only information they would gain is the user's id.
session_start sets a cookie.
The cookie has a parameter, cookie-lifetime.
By default the cookie lifetime is set to 0.
0 means until the browser is closed.
I have many doubts about cookies and sessions.
1) Can anyone explain to me the workflow of cookies and sessions together (for example, if I visit a site and then log in with my email and password, how do cookies and sessions work together)?
2) If the cookie is set for 5 minutes and the session is set for 10 minutes, what will happen?
3) How will the flow work if cookies are disabled on my computer?
There are many questions which cover your doubts already, I'll link some below. I'll answer your specific questions first:
1) When you visit a website for the first time, actually when you do a session_start() on the PHP side, a new session ID is generated (a random string) and sent to the browser as a cookie, usually with the name PHPSESSID, so next time you visit the site the same data is loaded back from the session file (which is stored somewhere on the server).
2) If the cookie expires before the session, the browser won't send the PHPSESSID value, thus a new session ID is generated. It is usually advisable to use a way longer expiry time for cookies. When you expire a cookie, you rely on the client's browser to honor your disposition, but to be safe you must expire the session server side.
3) Sessions won't work; every time the client requests a page a new session cookie will be generated.
Some more information:
cookies vs session
Cache VS Session VS cookies?
What is the difference between a Session and a Cookie?
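The answer's point 2 says the server must expire the session itself rather than rely on the cookie. As an added example (mine, not the answer's code), here is one way to do that: an idle limit matching the question's 10-minute session and an absolute limit after which the user must log in again, both kept inside $_SESSION so the browser cannot extend them by holding on to the cookie. The timeout values and key names are assumptions.

```php
<?php
// Added example, not from the answer above: expire the session on the server
// instead of trusting the cookie's expiry, which only the browser enforces.
declare(strict_types=1);

const IDLE_TIMEOUT     = 10 * 60;        // matches the question's 10-minute session
const ABSOLUTE_TIMEOUT = 8 * 60 * 60;    // assumed policy: re-authenticate every 8 hours

/**
 * Start the session and discard it if it has been idle too long or is simply
 * too old. Returns true when existing data was kept, false when it was reset
 * (or there was nothing to keep).
 */
function startBoundedSession(int $idle = IDLE_TIMEOUT, int $absolute = ABSOLUTE_TIMEOUT): bool
{
    ini_set('session.use_strict_mode', '1');
    // GC removes data untouched for gc_maxlifetime; keep it no shorter than
    // the idle limit or the data may vanish before our own check runs.
    if ((int) ini_get('session.gc_maxlifetime') < $idle) {
        ini_set('session.gc_maxlifetime', (string) $idle);
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $now      = time();
    $created  = $_SESSION['_created']   ?? null;
    $lastSeen = $_SESSION['_last_seen'] ?? null;

    $stale = $lastSeen !== null && ($now - $lastSeen) > $idle;
    $old   = $created  !== null && ($now - $created)  > $absolute;
    $fresh = $created === null;

    if ($stale || $old) {
        // Throw the data away and hand out a new id; the old id's file is deleted.
        $_SESSION = [];
        session_regenerate_id(true);
        $fresh = true;
    }
    if ($fresh) {
        $_SESSION['_created'] = $now;
    }
    $_SESSION['_last_seen'] = $now;
    return !$fresh;
}

// Simulating the question's scenario in one process: a first request, then
// one arriving 11 minutes later (constructed by back-dating the timestamp).
$kept1 = startBoundedSession();               // false: brand-new session
$_SESSION['_last_seen'] = time() - 11 * 60;
$kept2 = startBoundedSession();               // false: idle limit exceeded, data reset
```

Whether the cookie was set for 5 minutes or 5 years makes no difference to this check: a request arriving after the idle limit gets an empty session and a new id either way.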
I have a little confusion about PHP sessions and session cookies.
Let me ask my question by giving an example of www.example.com.
When I login to www.example.com, it starts a session. So I'm logged in as a user on this website.
Now when I clear cookies in my browser, it deletes all the browser cookies.
My question is - Is the session at www.example.com destroyed when I clear the browser cookies even when I haven't clicked on the logout button to destroy the session?
So that explains what I want to ask.
Does clearing browser cookies automatically destroy the PHP session even when you haven't done anything on a website that will call the function to destroy the session?
Why does a PHP session get destroyed when the browser's cookies are cleared?
After clearing cookies PHP does not destroy the session, it just cannot receive the session id anymore (which is stored in cookies), so the link between the session data and the current user connection is lost. PHP destroys the session later, depending on its config.
Does clearing browser cookies automatically destroy the PHP session even when you haven't done anything on a website that will call the function to destroy the session?
No, it does not. PHP has limits on session lifetime (see php.ini, session.gc_maxlifetime and session.cookie_lifetime), which basically define the session lifetime. In addition to the official manual, there's also a good explanation of how these settings influence session lifetime.
If you watch carefully, like through the web inspector in Chrome/Firefox etc., then you can see that the PHPSESSID is set as a cookie. So if you delete all cookies then I imagine you delete this cookie as well and therefore the session doesn't know what ID to use.
It's the mechanism of sessions. You can read more here.
About sessions (usually server sessions): the server saves all the session user data on the server and retrieves the data by the session ID from the client (via cookies).
The first time, the client sends a request to the server. The server does not find any session ID in this request and responds with a normal webpage that includes SET-COOKIE: SessionID=xyz.
From now, every request from client will include Session ID = xyz (by Cookies).
If you clear Cookies, certainly the Session ID is gone.
Are sessions only kept alive each time you access a page with session_start(); or do other pages keep it alive too?
Example (with a 30 minute timeout):
1) user accesses a page with session_start();
   25 mins later they access another session_start(); page
   session stays alive
2) user accesses a page with session_start();
   25 mins later they access a non-session_start(); page
   session stays alive
Is 2 also true?
There is always a session cookie set in your browser whenever you access a page which has session_start(). The cookie name will be PHPSESSID if the website is using PHP (although the name can be changed). This session cookie contains a session id which helps the browser to maintain that session with the server.
You can check manually by browsing any website which has your session and then delete your browser cookies, your session will be lost.
In your case both 1 & 2 are correct.
2 is correct because the user already has accessed a page which has session_start() and your session id will be set for the next 30 mins and it will be present even if you access a page which does not have a session.
NOTE: But if the page you visit contains session_destroy(), your session will be destroyed.
Calling session_start() merely gives your code access to the session.
What keeps the session alive is your browser sending the session id (stored in a cookie) to the server, whether you use it or not.
Answer: They are both true.
Here's the relevant part from the documentation:
When a visitor accesses your site, PHP will check automatically (if session.auto_start is set to 1) or on your request (explicitly through session_start()) whether a specific session id has been sent with the request. If this is the case, the prior saved environment is recreated.
http://www.php.net/manual/en/intro.session.php
session_start() creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie.
http://www.php.net/manual/en/function.session-start.php
This means if you don't call session_start, the session will not be resumed and the expiration is not extended.
session_start() is the internal mechanism for PHP to access the session and also to send the session cookie to the client browser.
Case 1 is true: because user accessed a page with session_start() and then another similar page.
Case 2 is only true if the session timeout is greater than 25 minutes between two visits.
In Case 2, the server will not send any session cookie; it's the browser that includes the cookie in the request header.
In the instant case the PHP session life of 30 minutes is kind of a "trick question" factor. The default and almost universal session life is 1440 seconds, or 24 minutes. So for most folks, the session data could have disappeared before the 25 minute mark.
This article tells some of the detail behind how PHP sessions work.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11909-PHP-Sessions-Simpler-Than-You-May-Think.html
It doesn't have anything to do with the web pages; the session interacts with your browser by session id.
The session IDs generated by PHP are unique, random, and almost impossible to guess, making it very hard for an attacker to access or change the session data. Furthermore, because the session data is stored on the server, it doesn't have to be sent with each browser request.
To start a PHP session in your script, you simply call the session_start() function. If this is a new session, this function generates a unique SID for the session and sends it to the browser as a cookie called PHPSESSID (by default).
However, if the browser has sent a PHPSESSID cookie to the server because a session already exists, session_start() uses this existing session:
session_start();
If you want sessions on all of your pages, session_start() should be called on all of your pages.
Hence, 1 is CORRECT and 2 is CORRECT
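The answers above disagree about case 2 because they are talking about two different things: whether the browser still has the cookie, and whether the server-side data still exists. For the default "files" save handler the garbage collector decides the second by comparing the session file's modification time against session.gc_maxlifetime, and only a request that calls session_start() touches that file. As an added example (mine, not from any of the answers), the following CLI script makes that visible; the "pages" are plain functions, the session id is constructed, and strict mode is switched off only so that the constructed id is accepted.

```php
<?php
// Added example (not from any answer above): show which requests move the
// timestamp that PHP's garbage collector compares against gc_maxlifetime.
// Assumes the default "files" save handler; run it from the CLI.
declare(strict_types=1);

/** Path of the file the "files" handler keeps for the active session. */
function sessionFilePath(): string
{
    $savePath = session_save_path() !== '' ? session_save_path() : sys_get_temp_dir();
    $parts = explode(';', $savePath);      // strip an optional "N;mode;" prefix
    return rtrim((string) end($parts), '/') . '/sess_' . session_id();
}

/** "Page 1": calls session_start(), so the file is read and written back. */
function pageWithSessionStart(string $id): int
{
    session_id($id);
    session_start();
    $_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
    $path = sessionFilePath();
    session_write_close();                 // the write-back is what updates the mtime
    clearstatcache(true, $path);
    return filemtime($path);
}

/** "Page 2": never calls session_start(). The browser still sends the cookie,
 *  but nothing on the server opens the session file, so its mtime is unchanged. */
function pageWithoutSessionStart(string $path): int
{
    clearstatcache(true, $path);
    return filemtime($path);
}

/** GC's view: the data is collectable once the file has been idle longer than gc_maxlifetime. */
function collectableByGc(string $path, int $gcMaxLifetime): bool
{
    clearstatcache(true, $path);
    return (time() - filemtime($path)) > $gcMaxLifetime;
}

// --- demo -----------------------------------------------------------------
ini_set('session.use_strict_mode', '0');   // let the constructed id below be adopted
session_save_path(sys_get_temp_dir());
$id   = bin2hex(random_bytes(16));         // constructed id; hex is a valid sid alphabet
$t1   = pageWithSessionStart($id);
$path = sys_get_temp_dir() . '/sess_' . $id;

sleep(2);
$t2 = pageWithoutSessionStart($path);      // == $t1: the plain page changed nothing
printf("idle for 2s, collectable with gc_maxlifetime=1? %s\n", collectableByGc($path, 1) ? 'yes' : 'no');

$t3 = pageWithSessionStart($id);           // >= $t1 + 2: session_start() refreshed the file
printf("after start: %d, after plain page: %d, after start again: %d\n", $t1, $t2, $t3);
printf("now collectable with gc_maxlifetime=1? %s\n", collectableByGc($path, 1) ? 'yes' : 'no');
unlink($path);
```

Read against the question: after the 25-minute gap in case 2 the cookie is still in the browser, but the file on the server has been idle for 25 minutes, so whether the next session_start() finds any data depends on gc_maxlifetime (1440 seconds by default, as one answer notes) and on whether the collector has actually run since.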
I am trying to keep a user logged in for 2 weeks: if the user logs in with "remember me" checked, then I set some variables in the session and set a cookie for 2 weeks. It is set correctly; I have printed it and got the values session_cookie_lifetime = 1209600 and session_gc_maxlifetime = 1209600. I also printed the session and got the correct values in $_SESSION.
After logging in to my site, when I shut down my computer and reopen my site it seems to be working (it is keeping me logged in). But when I shut down my computer and open my browser the next day it is not working and it shows that I am not logged in on my site. I have printed $_COOKIE and $_SESSION. It shows that in the cookie there is:
[PHPSESSID] => svikos35bgclmebk2cqraiddt2
But session is empty.
I got this from the MODx docs:
MODx automatically starts and ends sessions with each request made to the site. You can simply save values into the $_SESSION array and they will be saved in between requests so you can use them on subsequent pages (so long as you have the same user session). Not really any magic to it other than don’t call the session functions yourself to start, end, or otherwise manipulate the session configuration—that can all be done via settings in MODx.
I am using MODx Revo. It is a bit of a descriptive question; let me know if you need anything else.
Anything that may help me (blog link,any settings, any suggestion ) will be highly appreciated.
Thanks in advance
This only happens after a day?
Could tmpwatch be deleting session files from the server?
session_cookie_lifetime and session_gc_maxlifetime don't guarantee that the session will be saved for a week. GC kills unused sessions. Check the PHP documentation about these parameters and you will see that you can't be sure that your session will be on the server, and you can't be sure that your session will be destroyed after this time. GC is async.
You need to recreate $_SESSION after login (and autologin) if it doesn't exist.
Check this article (in Russian, try Google Translate):
PHP GC: unexpected behavior
The basic idea behind sessions is that when you create or call the session_start() method, your server generates a session id and stores it in server memory. The server also creates a cookie on your client machine; that cookie contains an id that is related to your server-side session id. When you call the session_destroy() method, the server deletes that id on the server side, but the client-side cookie isn't deleted. That is why your session id is still shown. You can also check by clearing the cache and cookies. When you clear the cookie, your session will be destroyed.
I can't seem to find a definitive answer on the internet, so I'm asking here.
When one uses session_start(); in a .php script and saves some values, when does the session end? So when would those values not be accessible again?
I've found that refreshing the page or stopping the session code-wise would stop it, and a possible time-out would stop the session as well. But what about navigating away from the site and returning a minute later? And closing the browser?
As for the last one, on mobile, what does 'closing the browser' mean? Closing the tab or even minimising the site?
If your session values are not linked to any cookie, the session will end when the browser window is closed.
If your session variable comes from a cookie, the session will end after the time specified in the cookie file.
In PHP, sessions work with a cookie of type session. Server-side, the session information is constantly deleted.
To set the lifetime of a cookie in php, you can use the function session_set_cookie_params, before the session_start:
session_set_cookie_params(3600,"/");
session_start();
For example, 3600 seconds is one hour; for 2 hours, 3600*2 = 7200.
But it's a session cookie; the browser can make it expire by itself. If you want to save longer sessions (like remembering a login), you need to save the data on the server and a standard cookie on the client side.
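Both this answer and the earlier "remember me" answer to the first question end at the same place: a long-lived login needs its own record on the server plus an ordinary cookie, separate from the PHP session. As an added example (mine, not from either answer), here is a persistent login token that puts nothing derived from the password into the cookie: the cookie carries a random selector and a random validator, the server stores only a hash of the validator, and each token is good for exactly one use. The table and cookie names are assumptions, and the store is an in-memory SQLite database constructed for the demo in place of the site's real user database.

```php
<?php
// Added example (not from either answer): a persistent login that keeps the
// credential out of the cookie. Table and cookie names are assumed; the store
// is an in-memory SQLite database constructed for the demo.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 14 * 24 * 3600;     // two weeks

function tokenStore(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE remember_tokens (
            selector TEXT PRIMARY KEY, validator_hash TEXT NOT NULL,
            user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');
    }
    return $pdo;
}

/** Called after a password login with "remember me" ticked. Returns the cookie value. */
function issueRememberToken(int $userId): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key; not secret
    $validator = bin2hex(random_bytes(32));  // the secret; only its hash is stored
    tokenStore()->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
        ->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);
    $value = $selector . ':' . $validator;
    setcookie(REMEMBER_COOKIE, $value, [
        'expires' => time() + REMEMBER_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    return $value;
}

/**
 * Called when a request arrives with no logged-in session. Returns the user id
 * on success, null otherwise. A known selector with a wrong validator means the
 * cookie was copied or tampered with, so the token is revoked, not just ignored.
 */
function loginFromRememberToken(string $cookieValue): ?int
{
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $db   = tokenStore();
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires_at FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Single use either way: the presented token is deleted before any decision.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    if ((int) $row['expires_at'] < time()
        || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);             // a fresh session id for the new login
    $userId = (int) $row['user_id'];
    $_SESSION['user_id'] = $userId;
    issueRememberToken($userId);             // rotate: hand the browser a new token
    return $userId;
}

// Demo: issue a token, use it once (accepted), replay the same cookie (rejected).
$cookie = issueRememberToken(42);
$first  = loginFromRememberToken($cookie);   // 42
$replay = loginFromRememberToken($cookie);   // null: that token was already consumed
```

The PHP session itself can then keep its default short lifetime: when it has expired, the remember-me cookie is exchanged for a new session, and logging out is a matter of deleting the user's rows from remember_tokens as well as calling session_destroy().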
Navigating away from a site when using cookies will not break the session.
There are two things that can effectively end a session:
The cookie linking it to the browser gets destroyed. PHP typically uses session cookies. These are deleted when the browser is closed. The browser, not the tab. They can also be deleted manually.
When the server hasn't received a request from the browser with the session cookie for the session for a certain amount of time (defined in session.gc_maxlifetime) and it cleans up the session data.