PHP session timeout issue - php

I am getting a session timeout all the time.
Whenever a user is idle for some time, he has to re-login. I want him to log in again only if he closes his browser. I have not used anything to destroy or unset the session; I only do that in the logout page.
I have set my PHP INI file to set all the session variables. You can browse the session variables here at the link.
http://www.providentfeed.com/phpinfo.php

You can write the following code in your PHP file:
// Session timeout value in seconds. Let's say we increase it to 24 hours.
ini_set('session.gc_maxlifetime', 24*60*60);

That's standard behavior. If you want the user to be logged in indefinitely, you'll need to create a cookie and check for its presence in the login page. And simply log the user in if the cookie exists.

Related

What keeps a php session alive?

Are sessions only kept alive each time you access a page with session_start(); or do other pages keep it alive too?
Example (with 30 minute timeout):
1. User accesses a page with session_start(); 25 mins later they access another session_start(); page. Session stays alive.
2. User accesses a page with session_start(); 25 mins later they access a page without session_start();. Session stays alive.
Is 2 also true?
There is always a session cookie set in your browser whenever you access a page which has session_start(). The cookie name will be PHPSESSID if the website is using PHP (although the name can be changed). This session cookie contains a session id which helps the browser to maintain that session with the server.
You can check manually by browsing any website which has your session and then deleting your browser cookies: your session will be lost.
In your case both 1 & 2 are correct.
2 is correct because the user has already accessed a page which has session_start(), and your session id will be set for the next 30 mins and it will be present even if you access a page which does not have a session.
NOTE: But if the page which you visit contains session_destroy(), your session will be destroyed.
Calling session_start() merely gives your code access to the session.
What keeps the session alive is your browser sending the session id (stored in a cookie) to the server, whether you use it or not.
Answer: They are both true.
Here's the relevant part from the documentation
When a visitor accesses your site, PHP will check automatically (if session.auto_start is set to 1) or on your request (explicitly through session_start()) whether a specific session id has been sent with the request. If this is the case, the prior saved environment is recreated.
http://www.php.net/manual/en/intro.session.php
session_start() creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie.
http://www.php.net/manual/en/function.session-start.php
This means if you don't call session_start, the session will not be resumed and the expiration is not extended.
session_start() is the internal mechanism for PHP to access the session and also to send the session cookie to the client browser.
Case 1 is true: because the user accessed a page with session_start() and then another similar page.
Case 2 is only true if the session timeout is greater than the 25 minutes between the two visits.
In Case 2, the server will not send any session cookie; it's the browser that includes the cookie in the request header.
In the instant case the PHP session life of 30 minutes is kind of a "trick question" factor. The default and almost universal session life is 1440 seconds, or 24 minutes. So for most folks, the session data could have disappeared before the 25 minute mark.
This article tells some of the detail behind how PHP sessions work.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11909-PHP-Sessions-Simpler-Than-You-May-Think.html
It doesn't have anything to do with the web pages; sessions interact with your browser by session id.
The session IDs generated by PHP are unique, random, and almost impossible to guess, making it very hard for an attacker to access or change the session data. Furthermore, because the session data is stored on the server, it doesn't have to be sent with each browser request.
To start a PHP session in your script, you simply call the session_start() function. If this is a new session, this function generates a unique SID for the session and sends it to the browser as a cookie called PHPSESSID (by default). However, if the browser has sent a PHPSESSID cookie to the server because a session already exists, session_start() uses this existing session:
session_start();
If you want sessions on all of your pages, session_start() should be called on all of your pages.
Hence, 1 is CORRECT and 2 is CORRECT.

What will happen to session that was not destroyed/unset?

This may seem trivial.
What will happen to a session that was never destroyed/unset/write_close-d?
Let's just say I have set the session to never time out. What will happen to the session if a person finds himself at the login page and logs in using different credentials? Also, just for testing purposes, the login page doesn't redirect if the session is set.
Will it be overwritten and destroyed, or never destroyed?
If your login sets all of the session variables, the session will be effectively destroyed by the new values.
If there is a variable that's in the session that isn't overwritten by the login, then it will persist. The session is overwritten rather than destroyed and set again.
If he logs in using different credentials with an already started session, the session will simply be overridden...
In the case that the user deletes his cookies etc., a new session will be generated and the old one MAYBE will remain as a session file or in the DB...
(depends on the PHP settings)
Sessions will be destroyed implicitly after timeout. The number of seconds for the timeout can be specified in php.ini. The default is 1440 seconds or 24 minutes.
You have to set some arbitrarily large value for session.gc_maxlifetime to seemingly never time out.
If you let someone else go through the login process, it must overwrite the existing session. But all this ultimately depends on your code.

Session is maintained or destroyed?

I am confused regarding sessions in PHP. My question is: when a user directly closes the browser with the red cross button without logging out, is the session destroyed or not? If he opens that page again, would he be asked to log in or would he be directed inside the application?
I have googled around; some are saying it will be directed to login and some are saying it will be directed inside the application.
The default session cookie is set to expire when the browser window is closed. The corresponding session on the server will still exist for a while until it is garbage collected. If the user could resurrect/keep the cookie, he could continue to use the session. But again, the browser will discard the cookie when it's closed. You can modify the session cookie settings with an explicit expiration time, which means it will persist until then, giving your user a permanently logged-in status.
Here are all the session and session-cookie related settings you can tweak with ini_set: http://php.net/manual/en/session.configuration.php
PHP sessions should automatically expire when the browser window closes providing you do not modify the Session Cookies expiration time.
Moreover, whatever scenario you described can be done with a cookie.
If you set a (persistent) cookie for a limited time period, then it will not ask for the login until then and will save your login credentials.
Redirecting to the last page can be done by your logic, not by the browser.
Check session.cookie_lifetime in php.ini: if it is 0, it means that whenever we close the browser, it will destroy the session.
more info

How to check what is the reason of session lost in php?

I have stored the user id when the user logs in; however, I found it sometimes gets lost. What is the common reason for session loss?
I have used the timeout plugin (idle for some time will warn and help you log out)
and there is some JavaScript to transfer between pages:
You have edited the list. <a href='view.php' onClick='window.location.reload()'>Back</a></div>
<input type="button" value="Back" onclick="location.href='add.php'" class="btn" style="width:100px"/>
and unset the session, but it should not be the reason?
$(function(){
    $("#closeTab").click(function() {
        // Ask the server to clear the list-related session keys, then close the tab.
        $.post("clear.php", function(data){
            window.parent.$('#tt').tabs('close', 'Create List');
            location.reload();
        });
    });
});
clear.php
<?php
// session_start() is required before $_SESSION can be read or modified.
session_start();
if (isset($_SESSION['lname']))
    unset($_SESSION['lname']);
if (isset($_SESSION['creminder']))
    unset($_SESSION['creminder']);
if (isset($_SESSION['subscribe']))
    unset($_SESSION['subscribe']);
if (isset($_SESSION['unsubscribe']))
    unset($_SESSION['unsubscribe']);
This is used for storing the session:
$user = $_SESSION['username'];
Thank you
PHP manages sessions this way:
When session_start() is called, a file on the webserver is created. The file is a text file called, for example, session1234. On the user's browser a cookie is set; the cookie contains the value "session1234". Every time the user calls a page on the same domain, the browser silently sends that cookie.
So the user is recognized and the user's session data is taken out of the session file on the server.
Reasons a session expires:
Usually when logging out from a web application we use session_destroy(), which destroys the file session1234 on the server. So if the user calls the site again with cookie content session1234, no file session1234 exists on the server (it has been removed with logout) and the user is not authenticated.
Timeout occurs: file session1234 is removed from the server, by default after 20 min (configurable in php.ini). If the user calls the site again, same as before. Every time the user takes an action (calls the server), the server updates the time to live of the session file.
Users clear browser cookies (can happen if someone wants to clear the history of the browser): the cookie is lost, the browser doesn't send the cookie, the server doesn't receive it and cannot authenticate the user.
Hope it helps
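The three causes listed in the answer above (session_destroy(), garbage collection, cookie not sent back) leave different traces in a request. The following diagnostic page is an added example, not code from the thread or from the asker's application: it records those traces on every request and writes a one-line verdict to the PHP error log. The function names (session_diagnostics, explain_loss), the _diag_hits marker key and the PHP 7.1+ syntax are this example's own assumptions.

```php
<?php
// Added example: drop this file next to the pages that lose their session and
// request it from the same browser. It must be the same domain/path/scheme as
// the failing pages, otherwise you are diagnosing a different cookie.

session_start();

function session_diagnostics(): array
{
    $name     = session_name();                       // "PHPSESSID" unless renamed
    $savePath = session_save_path() !== '' ? session_save_path() : sys_get_temp_dir();
    $gc       = (int) ini_get('session.gc_maxlifetime');
    $cookieLt = (int) ini_get('session.cookie_lifetime');

    return [
        // Did the browser send a session cookie at all?
        'cookie_received'        => isset($_COOKIE[$name]),
        // A cookie arrived but our marker is missing: the server-side data was gone
        // (session_destroy(), garbage collection, or strict mode rejecting the id).
        'fresh_session'          => !isset($_SESSION['_diag_hits']),
        'save_path'              => $savePath,
        'save_path_writable'     => is_writable($savePath),
        'gc_maxlifetime'         => $gc,
        'cookie_lifetime'        => $cookieLt,
        // Cookie outlives the server data: the user looks logged in, then is not.
        'gc_shorter_than_cookie' => $cookieLt > 0 && $gc < $cookieLt,
        'cookie_domain'          => (string) ini_get('session.cookie_domain'),
        'cookie_path'            => (string) ini_get('session.cookie_path'),
        'cookie_secure'          => (bool) ini_get('session.cookie_secure'),
        'request_https'          => !empty($_SERVER['HTTPS']),
        'request_host'           => $_SERVER['HTTP_HOST'] ?? '',
    ];
}

// True when the request host lies inside the configured cookie domain.
function host_matches_domain(string $host, string $domain): bool
{
    if ($domain === '') {
        return true;                                  // host-only cookie, always matches
    }
    $host   = explode(':', $host, 2)[0];              // drop any port
    $domain = ltrim($domain, '.');
    return $host === $domain
        || (strlen($host) > strlen($domain)
            && substr($host, -strlen($domain) - 1) === '.' . $domain);
}

// Turn the facts into a verdict; pure function so it can be unit tested.
function explain_loss(array $d): string
{
    if (!$d['save_path_writable']) {
        return 'save_path not writable: session data is never persisted';
    }
    if (!$d['cookie_received']) {
        if ($d['cookie_secure'] && !$d['request_https']) {
            return 'cookie is marked Secure but this request is plain HTTP: browser withholds it';
        }
        if (!host_matches_domain($d['request_host'], $d['cookie_domain'])) {
            return 'session.cookie_domain does not match the request host: browser withholds it';
        }
        return 'no session cookie in request: first visit, cookies cleared, or path mismatch';
    }
    if ($d['fresh_session']) {
        return $d['gc_shorter_than_cookie']
            ? 'cookie arrived but server data is gone: gc_maxlifetime is shorter than cookie_lifetime'
            : 'cookie arrived but server data is gone: session_destroy() or idle longer than gc_maxlifetime';
    }
    return 'session resumed normally';
}

$diag = session_diagnostics();
$_SESSION['_diag_hits'] = ($_SESSION['_diag_hits'] ?? 0) + 1;   // marker for the next request
error_log('[session-diag] ' . explain_loss($diag) . ' ' . json_encode($diag));
header('Content-Type: text/plain');
echo explain_loss($diag), "\n";
```

Load the page twice: the first request will report a fresh session, the second should report "session resumed normally". If the second request still reports a fresh session even though the cookie was received, the server side is dropping the data, which points at the clear.php/session_destroy() path or at gc_maxlifetime rather than at the JavaScript navigation.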
There's also a foible with the way PHP handles non-zero expiries on sessions; basically if you set the session cookie to expire in 15 minutes, it will expire 15 minutes from the start of the session... it won't refresh that expiry time.
To run a session that refreshes whenever the user "does something" you need to store an expiry date as a session variable and, when booting up the session, check that variable and if necessary respawn the session.
I've tried to update the expiry date in the session cookie previously, when the session is started... it led to some interesting problems.
It's highly unlikely, but it is possible, that the session garbage collection lifetime is also below the lifetime of the cookie expiry. There are a load of ini variables that can deal with some of these common session problems and you can override most of them by setting them at runtime:
ini_set('session.gc_maxlifetime', 900);
ini_set('session.cookie_lifetime', 0); // ALWAYS set this to 0 - so the cookie will only expire when the browser is closed
ini_set('session.cookie_domain', '.domain.ext'); // always start with a "." if you want to cover multiple sub-domains
ini_set('session.cookie_path', '/'); // always use "/" unless you want to limit the cookie to a specific path, "/admin" for instance
Personally, I'd put all the session handling stuff into a (Singleton pattern) class and deal with validation and expiry in the constructor.
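The answer above recommends tracking expiry in a session variable and validating it when the session boots. The following bootstrap is an added example (not the answer's own class, and not from the thread) of that approach: it enforces an idle timeout and an absolute lifetime on the server side, independent of the cookie's own expiry, and sets the cookie flags and ini options that keep the id out of reach of scripts and URLs. Constant names, function names and the PHP 7.3+ array form of session_set_cookie_params() are this example's assumptions.

```php
<?php
// Added example: session bootstrap with idle and absolute timeouts.
// Include this at the top of every page instead of a bare session_start().

const IDLE_TIMEOUT     = 900;        // 15 minutes without any request
const ABSOLUTE_TIMEOUT = 8 * 3600;   // 8 hours since login, regardless of activity

function boot_session(): void
{
    // Cookie attributes must be set BEFORE session_start(), which sends the cookie.
    session_set_cookie_params([
        'lifetime' => 0,                          // browser-session cookie, as the answer advises
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),  // only over HTTPS when the page itself is HTTPS
        'httponly' => true,                       // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    // Reject session ids the server never issued, and never accept ids from URLs.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    // Garbage collection must not run earlier than our own limits, or PHP may
    // delete the file while this code still considers the session valid.
    ini_set('session.gc_maxlifetime', (string) max(IDLE_TIMEOUT, ABSOLUTE_TIMEOUT));

    session_start();

    $now = time();
    if (session_is_expired($now)) {
        // Wipe server-side data and issue a fresh id; the old id is not reused.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['created'] = $now;
    } elseif (!isset($_SESSION['created'])) {
        $_SESSION['created'] = $now;
    }
    // Every request refreshes the idle clock: the "respawn" done in one place.
    $_SESSION['last_activity'] = $now;
}

// Pure check on $_SESSION so the policy is easy to test without a web server.
function session_is_expired(int $now): bool
{
    if (isset($_SESSION['last_activity']) && $now - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        return true;
    }
    if (isset($_SESSION['created']) && $now - $_SESSION['created'] > ABSOLUTE_TIMEOUT) {
        return true;
    }
    return false;
}

// Call after the password check succeeds.
function login_user(string $username): void
{
    // Rotate the id on privilege change so an id handed out before login
    // (for example planted by another party) cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    $_SESSION['created']  = time();
}

boot_session();
if (isset($_SESSION['username'])) {
    echo 'Logged in as ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
} else {
    echo 'Not logged in';
}
```

Note that the cookie's own lifetime stays 0 here: the server-side timestamps, not the cookie, decide when a session is over, which is exactly the behaviour the answer describes as needing a session variable rather than a cookie expiry.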

Setting expire time for session at login

In my login script I have put a checkbox that people can check if they want to be kept logged in. I have named the checkbox "stayin".
Now, the problem is, that when a user comes directly to the index of the login page a session is already set (and it expires when the "session ends" - or rather when the browser is shut down). So, let's say you've marked the "Keep me logged in" box, you browse the page, and then shut down the browser and went back -- you would not still be logged in because setting the session lifetime did not work, because the session always gets set without a specific lifetime by the index script. Since not everyone wants to be logged in all the time, I can't really set "session_set_cookie_parameters" to "never" expire before I make use of session_start() (which is why session_set_cookie_params is used in my script AFTER session_start() (I'm not sure this really works)).
So, for the index script, I simply use session_start(); and check if there's a value for "Username" and redirect the user past the login.
And for the action script:
<?php
session_start();
if (isset($_POST['stayin'])) { // In case they want to be kept logged in.
    session_set_cookie_params(999999999, "/path");
}
?>
I use session_start() at the very top of every script.
Using PHP version 4.4.9.
AFAIK session_set_cookie_params() only modifies the session cookie length for the duration that the script is running (see http://www.php.net/manual/en/function.session-set-cookie-params.php). The only way to permanently change it is to modify the entry in the php.ini file, but this will change all sessions to have a long timeout, which is not what you want either. Is using client-side cookies an option rather than using server-side sessions? If so you could set the lifespan of cookies individually with setcookie() based on whether the user has ticked the checkbox or not.
<?php
if (isset($_POST['stayin'])) { // In case they want to be kept logged in.
    // setcookie() takes an absolute Unix timestamp for the expiry, so add the
    // lifetime to the current time; a bare 999999999 would already be in the past.
    setcookie('logincookie', '1', time() + 999999999, '/path');
}
?>
You would probably want to use $_COOKIE rather than $_SESSION. Here's some reading for you:
http://www.tuxradar.com/practicalphp/10/1/0
The best way to set up the session cookie expiration time is:
// Must run before session_start(), which is what sends the cookie.
$cookie = session_get_cookie_params();
session_set_cookie_params(2851200, $cookie['path'], $cookie['domain'],
    $cookie['secure']);
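Both the first answer on this page ("create a cookie and check for its presence in the login page") and the setcookie('logincookie', ...) suggestion above log the user in on the mere presence of a cookie, which anyone who can set a cookie can forge. The following is an added example, not code from the thread, of a "stay logged in" cookie whose value is a random token checked against a server-side record. The JSON file store stands in for a database table, and the constants, function names and PHP 7.3+ setcookie() options array are assumptions of this example.

```php
<?php
// Added example: remember-me cookie with a selector/validator token.
// selector  = lookup key, stored in clear so the record can be found
// validator = secret, stored only as a hash so a leaked store does not leak cookies

const REMEMBER_COOKIE   = 'remember';
const REMEMBER_LIFETIME = 30 * 24 * 3600;                // 30 days
const TOKEN_STORE       = __DIR__ . '/remember_tokens.json';   // stand-in for a DB table

function load_tokens(): array
{
    if (!is_file(TOKEN_STORE)) {
        return [];
    }
    return json_decode((string) file_get_contents(TOKEN_STORE), true) ?: [];
}

function save_tokens(array $tokens): void
{
    file_put_contents(TOKEN_STORE, json_encode($tokens), LOCK_EX);
}

// Called after a successful password check when the "stayin" box was ticked.
// Returns the cookie value so the caller (or a test) can see what was issued.
function issue_remember_token(string $username, int $now): string
{
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $tokens = load_tokens();
    $tokens[$selector] = [
        'user'    => $username,
        'hash'    => hash('sha256', $validator),
        'expires' => $now + REMEMBER_LIFETIME,
    ];
    save_tokens($tokens);

    $value = $selector . ':' . $validator;
    setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => $now + REMEMBER_LIFETIME,   // absolute timestamp, unlike session_set_cookie_params()
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $value;
}

// Returns the username if the cookie is valid, null otherwise. Invalid or
// expired tokens are deleted so they cannot be retried.
function user_from_remember_cookie(?string $cookie, int $now): ?string
{
    if ($cookie === null || strpos($cookie, ':') === false) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    $tokens = load_tokens();
    if (!isset($tokens[$selector])) {
        return null;
    }
    $rec = $tokens[$selector];
    // hash_equals() compares in constant time, so timing does not leak the hash.
    if ($rec['expires'] < $now || !hash_equals($rec['hash'], hash('sha256', $validator))) {
        unset($tokens[$selector]);
        save_tokens($tokens);
        return null;
    }
    return $rec['user'];
}

// Called from the logout page: invalidate the token, not just the session.
function revoke_remember_token(?string $cookie): void
{
    if ($cookie !== null && strpos($cookie, ':') !== false) {
        $tokens = load_tokens();
        unset($tokens[explode(':', $cookie, 2)[0]]);
        save_tokens($tokens);
    }
    setcookie(REMEMBER_COOKIE, '', ['expires' => 1, 'path' => '/']);
}

// Request flow: the short-lived session first, the remember cookie as fallback.
session_start();
if (!isset($_SESSION['username'])) {
    $user = user_from_remember_cookie($_COOKIE[REMEMBER_COOKIE] ?? null, time());
    if ($user !== null) {
        session_regenerate_id(true);          // new id when privilege changes
        $_SESSION['username'] = $user;
    }
}
```

The session itself keeps its default browser-session cookie, so the asker's index script can stay as it is; only the separate remember cookie carries the long expiry, and revoking it on logout means a "stay logged in" user who logs out on one machine is actually logged out.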
