I made a fiddle with my code and I am using sessions to memorize the URL and local storage to store the values I am putting in. The problem here is that after 2 days of not touching the file I found the session values were "emptied", so I am guessing destroyed. I am not sure if the same happened to the localStorage. I know sessions are cookies not made to last long, so I will need to figure out cookies and use those; any ideas on that would help. Does anyone know if localStorage has a time limit as well?
http://jsfiddle.net/y8Uju/16/
Your session wasn't "emptied". It most likely expired, as per session.gc_maxlifetime, and was cleaned up by the session garbage collector.
If you want to use long-duration persistent sessions, you'll have to disable the session cleanup functionality, or set a longer expiry time.
I'm trying to implement a system to keep a user logged in for a while. I can do that by using cookies and storing it into a database and then identifying him.
But recently I heard a session can be alive even when the user closes his browser and opens a new window. I mean, can a session still be available after closing/opening the browser again (or even multiple times)?
How much time (maximum) can I use $_SESSION["LoginValidation"] in following script?
<?php
session_start();
$_SESSION["LoginValidation"] = true;
Currently that session will be available until closing the browser.
In order to make the session persist after closing the browser you need to set an expiry time for the session cookie. A cookie without an expiry time is deleted when the browser is closed, and is normally referred to as a session cookie (which is not the same thing as a PHP session - just related).
(side note: if your browser is configured to "save open tabs" at exit, then the session cookies may be saved by the browser even though they should be deleted)
So you could just set session.cookie_lifetime to a large value. But that doesn't stop the session data stored on your server from being deleted - to keep the data for longer you need to up the value for session.gc_maxlifetime.
BUT THIS IS THE WRONG WAY TO FIX THE PROBLEM
There are security and capacity implications to implementing such persistent sessions - you should certainly NEVER implement this as default behaviour - only where the user has explicitly given their consent.
Using a "Remember me" cookie as a sort of lightweight session system is the best practice solution. Give it a random value (suggest you use a reasonably reliable source of random numbers, e.g. base64_encode(openssl_random_pseudo_bytes(64))) and a name which does not conflict with other cookies, and store it along with the data you really want to persist across the actual sessions (e.g. authenticated username).
Approach 1) session.cookie_lifetime: This is the lifetime of the cookie, which by default is 0, which means the cookie is destroyed when the browser is closed. You can set a longer lifetime by increasing this variable.
It is relative to the server time, so you need to account for differences in the time on your clients' machines and your server's.
There's also session.gc_maxlifetime, which is the time after which the session data is seen as garbage in the storage and is destroyed.
While you can set these settings both to relatively high values and have it working, I would recommend against doing so, as this will leave a lot of unnecessary session data hanging around in your session storage, due to the GC not collecting actual dead session
Or, another approach to keep the session alive even after the browser is closed: save the session in the DB, get its ID, and set that ID in a user cookie via
setcookie("name","value",time()+$int);
so you can fetch that value from $_COOKIE["name"]; and use it to get the session variables from the database.
I have an app where I would like to enable users to choose to stay logged in for a fairly long period of time, say 3 days similar to google mail, facebook or linkedin. (It is meant to be accessed primarily by phone and data is far less sensitive than other stuff on phone.) Right now I am setting about four session variables on log in, such as id of user, name, etc. so to avoid a lot of recoding and lost functionality, I'd like all of these variables to remain accessible.
Is there a way to increase session length to 72 hours when setting the session variables?
Alternatively, if you need to set cookies, what is best practice to achieve long logged in time when there are a number of session variables set.
Thanks.
You can set the session in various ways. One of the ways is to set it in php.ini
session.gc_maxlifetime = 259200 ; 72 hours in seconds (3600*72)
With PHP you can do it with
ini_set('session.gc_maxlifetime', 3600*72);
You can also use
session_set_cookie_params(3600*72,"/");
http://pl1.php.net/session_set_cookie_params
It sets the session cookie. You can also serialize $_SESSION and set it in a cookie.
I guess it is possible only by writing the session to a database.
You can set a long-lived cookie and check its value on a user request after many days.
Use the cookie value as a key in a table to validate the user's identity.
Then reload the session of that user from the database.
Maybe you could use the session storage or local storage features of HTML 5?
I know it is not purely the same thing as cookies, but I just wanted to propose this. Maybe it could help :)
There might be a little version problem with older versions of browser on phones. You can check them with : http://caniuse.com/namevalue-storage
And there's another thing. You can use "Remember Me" cookies for long-term storage of important information. Extending the lifetime of a cookie is, as far as I know, not a "good practice".
You can do this by sending a post every 5 minutes to a php function that stores the session id in a variable, then destroys the session, creates it again and gives the session id again:
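<?php
function restart_session(){
    // Keep the value stored under 'id' before the session is torn down
    $user_session = $_SESSION['id'];
    // Delete the stored session data
    session_destroy();
    // Start the session again
    session_start();
    // Put the saved value back
    $_SESSION['id'] = $user_session;
}
?>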
I want to have sessions persist after the browser closes,
so I used
session_set_cookie_params(86400 * 60, '/', 'my.domain.com', true, true);
to send a persistent cookie to the client (also with the secure flag as this is an SSL site) which is valid for 2 months.
However, I see that after x minutes of inactivity the session variables are cleared on the server.
How can I avoid that? Essentially, I want the session variables to be stored until the cookie becomes invalid.
Thanks
Set the session.gc_maxlifetime configuration property.
The documentation is rather sparse when it comes to acceptable values for it, but I wouldn't want to go as high as two months.
You'd usually be better off storing the important data in a database, and adding it to a session when one is created with a remember me cookie.
Leave sessions for actual sessions.
With sessions you are looking at two things. The time until garbage collection cleans up the session on the server, and the time until the cookie expires.
You only changed the cookie expiration, the session will still get cleaned up. However extending the session is not a great way to solve this. Your code could change and you may end up with users having a broken session. You may need to use some sort of shared session storage like memcached that will delete the storage after a certain max time anyway.
So the way to solve this is to generate a unique one-time cookie that can be used as an alternative login key. This key will allow a user to log in similar to a username/password. Once it's used, a new one gets regenerated.
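The "remember me" token described in the answers above (a random value stored server-side next to the username, usable once and then regenerated), as an added example that is not part of any of the original answers. The table name `remember_tokens`, the cookie name `remember_me`, the 30-day lifetime and the choice to store only a hash of the secret half are assumptions of this sketch; it needs PHP 7.3+ with pdo_sqlite.

```php
<?php
declare(strict_types=1);
// Assumed names: table remember_tokens, cookie remember_me, 30-day lifetime.
const REMEMBER_TTL = 30 * 86400;

function remember_issue(PDO $db, string $username): string {
    $selector  = bin2hex(random_bytes(12));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // secret; only its hash is stored
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $username, time() + REMEMBER_TTL]);
    return "$selector:$validator";
}

// Returns [username, replacement cookie value], or null if the token is invalid.
function remember_redeem(PDO $db, string $cookie): ?array {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) return null;
    $st = $db->prepare('SELECT validator_hash, username, expires FROM remember_tokens WHERE selector = ?');
    $st->execute([$parts[0]]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) return null;
    // One-time use: the presented row is deleted whether or not it validates.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$parts[0]]);
    if ((int) $row['expires'] < time()) return null;
    if (!hash_equals($row['validator_hash'], hash('sha256', $parts[1]))) return null;
    return [$row['username'], remember_issue($db, $row['username'])];
}

function remember_send_cookie(string $value): void {   // call before any output
    setcookie('remember_me', $value, [
        'expires' => time() + REMEMBER_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Constructed demo on an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY,
    validator_hash TEXT, username TEXT, expires INTEGER)');
$cookie = remember_issue($db, 'alice');
[$user, $next] = remember_redeem($db, $cookie);
var_dump($user);                          // user restored from the token
var_dump(remember_redeem($db, $cookie));  // replay of the used token
var_dump(remember_redeem($db, $next)[0]); // rotated token still works
```

On a successful redeem, the login code would start a normal short-lived session, call session_regenerate_id(true), repopulate $_SESSION from the database, and send the replacement value with remember_send_cookie().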
Session variables will persist as commented below, but unless you change their default behavior, they expire when the session ends (i.e. when the browser is closed).
For what you're trying to accomplish, you should store your values in $_COOKIE variables, not $_SESSION variables.
See this article: http://buildinternet.com/2010/07/when-to-use-_session-vs-_cookie/
I know that sessions are server side, so is it possible to save a session even if the browser is closed?
For example, save a session for one day.
Please do not suggest "cookies"; in this case it must be implemented with sessions.
Thanks
They are saved already (see your php.ini file for the session path)... In fact, the real issue lies in garbage collecting them.
If you want to store them longer, edit your php.ini file or, define a custom session handler:
http://www.php.net/manual/en/function.session-set-save-handler.php
session_set_cookie_params I think is what you are looking for. If you are storing the session in a cookie, this will allow you to set the lifetime of that cookie. So the user can come back anytime within that time frame and still have their original session.
Side Note
Give this a read for more about session lifetimes etc.
How do I expire a PHP session after 30 minutes?
php_value session.gc_maxlifetime 86400
You can set the above in .htaccess or modify session.gc_maxlifetime in php.ini
This defines how long PHP will have a session file for the user on the server before garbage collection (the example above will allow the server to maintain the sessions for 1 day), however sessions generally do rely on a session id cookie so if the browser is reset or clears the cookie the user won't re-attach to their web session (you are actually setting a session ID cookie to use sessions in most cases even if you don't realise it.)
You can create a database and store the sessions there, and on the client side just store $_SESSION['id'], which is the id of the session in the database. But this will become a headache when you have to store more and more variables in the session.
Like Gumbo said, pass it in the URL. But how I like to solve this is, instead of passing the SESSION_ID through the URL, just make it a hash, or encoded data.
Then whenever this user comes to your page, you can check in your headers if this hash/encoded data is still in the valid time frame, and if this 'anonymous' user has permissions for that zone.
THE DOWNSIDE: If this user passes around this link, anyone could access the data
THE UPSIDE: Extremely portable, and easy to implement
Store the SESSION_ID in a database bound to the user's IP. Whenever this user logs back in, start the session by setting the SESSION_ID with session_id
THE DOWNSIDE: A lot more work, and if the user's ISP changes their generated IP regularly this won't work
THE UPSIDE: Even if he erases the SESSION_ID cookie you will be able to continue the session
There are many ways to do this, but being an artisan you could:
make a script that saves each session for your users inside a file
OR
go to PHP.ini and change the session life time
OR
use the session_set_save_handler function more info here
I have been having this problem for some time now. I don't exactly know if this is the issue, but I am pretty confident that it is. I have my remember me session set to expire after 1 week, but when I go to my site after a few hours of inactivity my remember me session is gone. I check my server's tmp dir and the session flat file is gone. What I think is happening is some PHP session garbage collector runs every now and then, but I don't want it to delete these sessions that are supposed to be stored for a week. How do I modify this behavior?
You're confusing two things.
A "remember me" mechanism doesn't rely on sessions. It relies on a cookie that stores credentials which are used to start a session. In this case, you have to set up the cookie so that it lasts for one week. See this answer.
If you just want to extend the lifetime of sessions, you have to both extend the lifetime of the session cookie to one week and delay garbage collection. This is done by changing session.gc_maxlifetime.
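The two lifetimes distinguished in the answer above, set together and backed by a check in application code, as an added example that is not part of the original answers. The helper name `start_bounded_session` and the `created` session key are hypothetical; the array form of session_set_cookie_params() needs PHP 7.3+.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: start a session whose cookie and server-side data
// share one lifetime, with the limit also enforced in application code.
function start_bounded_session(int $ttl): bool {
    // Server side: data untouched for longer than this may be garbage collected.
    // GC timing is not exact, and on a shared save path another application's
    // shorter value can win, so treat this as an upper bound only.
    ini_set('session.gc_maxlifetime', (string) $ttl);
    ini_set('session.use_strict_mode', '1');   // refuse IDs the server did not issue
    // Client side: the cookie expiry is fixed when the ID is issued.
    session_set_cookie_params([
        'lifetime' => $ttl, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    $expired = isset($_SESSION['created']) && $now - $_SESSION['created'] > $ttl;
    if ($expired) {
        $_SESSION = [];               // drop the stale data
        session_regenerate_id(true);  // new ID, old record deleted
    }
    $_SESSION['created'] ??= $now;
    return !$expired;                 // false means the caller must re-authenticate
}

start_bounded_session(7 * 86400);     // one week, as in the question above
```

Call it before any output is sent; with 'secure' set to true the cookie is only returned over HTTPS.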