I am using a PHP / MySQL login system. With a new browser session, I tend to get logged out as I navigate the site.
Any tips on how I can go about fixing this?
Thanks in advance,
John W.
Sounds like the system is using sessions for persistent user logins which yes expire once the browser is closed. The solution is to use cookies for keeping track of users. You can extend the lifetime of a cookie for as long as you want and they are persistent through browser sessions.
Check expiration time on the cookies that PHP sends to browser.
Set expiration time to 0 so that they are this-session-only (until user closes browser)
Related
I have a PHP app which requires log in, offers a log out option and force logs off users who have been inactive for X minutes.
But, if I log in, close my browser and re-open it, the $_SESSION variables still exists.
What's the general practise here? Should I want to prevent this and, if so, how?
Something in me just wants to treat closing the browser as logout ... on the one hand, it's a secure app (since it requires login) but a non-tech user might reasonably expect that if they close the whole browser then no one can see their private data. Otoh, if the browser crashes and the user restarts it, he might hope to pick up where he left off ...
What do others do?
PHP sessions work by saving a cookie to the user's browser containing the ID of the session on the server. Therefore PHP sessions work exactly like ordinary cookies do.
If you close your browser, cookies are persistent. The server doesn't know what instance of the browser the user is using, whether the browser has restarted, or even if the computer has restarted.
Providing a log-out button is the most usual practice here, but if for some reason you require the user to be logged out when the browser closes, you will have to implement something client-side, as the browser doesn't send any signal to the server when it closes.
If you are concerned about security - i.e. you are programming a highly secure application such as a payment gateway - you can follow the practice of bank websites or other payment gateways;
When the user returns to the site, they are still logged on, but when they try to perform any action that will affect the logged-in user, re-authenticate with another password screen, or ask for some memorable information.
This is a classic behavior, you can observe it on many sites, including Stack Overflow :)
Your session variable is bound to a cookie in the browser. If you want the user to really be logged off when the browser closes, sets the time of the session cookie to zero.
When you explicitly set a cookie, you can choose its expire time. When you're using session_start() to generate a session cookie, its expiration time is determined by the session.cookie_lifetime value in php.ini. If you set this to 0, session cookies will expire when the browser window is closed.
I made a website with login features, but sometimes users are automatically logged out. I have other websites and have never experienced this issue before. My website is hosted. My session script is
if(#username and password is match#)
$_SESSION['front_end_user'] = $username;
The difference between this website and my other website is that in this website I use full jquery interaction. Could this effect the session? If not what is the problem?
I have checked all my pages and there are no session_destroy or unset statements.
The session usually expires after 24 minutes. By the way you can set this session timeout to last more, but I'd not suggest this. I'd use a cookie solution. (For this google "remember me tutorial" and you'll find out).
I think this is session time out. Your session is timing out after a certain amount of time and this is a normal behaviour of all applications.
PHP's default session time out value is 24 minutes. This mean that session will be timed out after the inactivity of 24 minutes.
Although you can increase session time out limit but note that should not be big amount.
I'm keeping track of the time that users are logged in. After they close the whole browser they are logged out; but when they only close the tab (there's only one tab), and navigate back to the website within a few minutes they are logged in again.
Someone told me that this behavior can be changed in the server configuration. Does anyone know how?
I'm using PHP 5.2 and Apache. Just a normal webserver. I'm also using the Kohana 3 PHP framework. For logging users in there's being a session set with a cookie, in the cookie there's a session id.
Thanks!
You cannot reliably find out when the user closes your page - unload-related events also trigger when navigating to another subpage on your side.
So the most common solution is to simply make a session time out after x minutes of inactivity.
Additionally, if you set your session (id) cookies without an expiry time ("session cookies") they will be deleted when the browser is closed.
By the way, a not really good "solution" for your request would be setting the session expiry time to a very very low value (30 seconds) maybe and "refresh" the session through an AJAX request in the background every ~15-20 seconds. However, if someone's connection is very slow the request might arrive too late and besides that, this solution would cause lots of unnecessary traffic.
I am in need of session variable must be exist even after browser closed or system shutdown.
But in my page it will not support session scope between browsers that is at first i signin with firefox while i login with chrome browser it comes to login page . Why these happen . Please any body help me to solve this problem.
Thanks and Regards,
Alagar Pandi.P
alagar.pandi#gmail.com
Session scope between browsers is not possible. Sessions are identified by a token, which must first be given to the user, and then passed back later by the browser in some form. Generally this is done with cookies, although it can also be done by appending the token to URLs as the visitor browses around the site.
Since web browsers are separate pieces of software with their own methods of handling cookies, you cannot share cookies between browsers, and therefore you cannot share cookie-based sessions. It is possible to copy-and-paste a URL from a web site that contains a session token into another browser and continue the session there, but most sites use cookies, so this is not often possible, and it certainly doesn't accomplish what you would like to do.
What you ask is generally considered impossible, but also usually not an issue. On the plus side, it is also a process generally understood by most users. Users do not expect to log in to a site with one browser, and then boot up another and still be logged in.
session expiry between browser and
after browser or system shutdown ?
Neither after browser close nor system shutdown
Session is expired when its get timeout on server side, and it depends on each web server settings, for example, after 20 mintues.
Cookies are the only way to track users. They can either be persistent or not. If a cookie is persistent it is stored in the user's computer as a file and has an expiration date but only the browser that created it will be able to access it again. There's no way to achieve cross-browser cookies.
Then you should use. Client side cookies rather than session variables.
Session exists only until the browser close or system shutdown.
If you still want to proceed with session variable, then store the session value in the DB and whenever the login page loads check the db if the user hasn't signed out manually, if yes then show him main page otherwise show hime the login page.
I'm using login function in my site with session.
This session of mine gets expired after a few minutes irrespective of whether the user has logged out or not.
Now what I want is that the session should only get expired when a user logs out. If a user doesn't log out his account and then comes back after 2-3 days, even then he should appear logged in.
I have found some examples where they have increased the time for a session to expire but I want that it should only expire on the log out event by the user irrespective of the time he took to log out.
How can I do that?
In particular, is this the right way to do so?
session_cache_expire(0);
session_start();
A solution that is often used, in this situation, is to:
have a not-too-long session duration: it will expire if the user is not active (that's just the way it works -- and that's better for your server if you have lots of users)
when user logs in, you set a cookie that contains what is needed for him to be recognized
if he comes back on the site (with the cookie, and without having an active session), you use the informations contained in that cookie to auto-log him in, re-creating the session at the same time.
This way:
you don't have thousands of sessions "active" with no good reason
you keep the standard way sessions work
And you have the advantage of "never being logged out", at least from the user's point of view.
Also note that with "normal" sessions, the cookie containing the session id will be deleted when the user closes his browser -- so, he will be disconnected, no matter how long the session's lifetime is.
With the solution I propose, you are the one who sets up how long the cookie should remain on the user's computer ;-)
It means, though, that when a user manually logs-out, you have to delete both his session and the cookie, of course -- so he's not immediatly re-auto-logged-in.
Of course, you have to be careful about what you set in the cookie: a cookie is not quite secure, so don't store a password in it, for instance ;-)
Actually, this way of doing things is how the "remember me" feature often works; except, here, your users will not have to check a checkbox to activate "remember me" ;-)
If you don't have the time to develop that kind of stuff, a pretty quick and dirty way is to use some Ajax request on all your pages, that will just "ping" a PHP page on the server -- this will keep the session active (but it's not quite a good way of doing things: you'll still have LOTS of sessions on the server, you'll have lots of useless requests... and it will only work as long as the user doesn't close his browser).
You can't do that with the PHP internal session handling alone. PHP will always send out the session id in a session-cookie which will expire when the user closes his browser. To achieve some sort of auto-login you'll need some accompanying code that sets a longer-lasting cookie on the user's browser and handles the recognition of these cookies and the mapping between the cookies value and the respective user account.
Please note that this greatly affects security issues so you'll have to take care of a lot of things. Please read the following on how a possible auto-login feature could be working:
Persistent Login Cookie Best Practice
Improved Persistent Login Cookie Best Practice
Do you remove your cookies while testing? Are cookies enabled? Do you destory the session somewhere in your code?
Also, see my answer to another post: Quick question about sessions in PHP which explains how to stay signed in. Just don't do a cronjob/sheduled task if you want the user to stay logged in forever.