session destroy help in php - php

How can we destroy the session when we click the close button in my browser?

You can't destroy the session directly. The session garbage collection doesn't work like that. However if your session is using cookies you could set the cookie lifetime to 0 which translates to "destroy cookie when the browser closes". You can do this with
session_set_cookie_params(0)
The session is still there, but the client can no longer access it, effectively destroying the session.
On a side note this will only work if all instances of the browser close.

You can't in any meaningful, reliable way; that is why we invented session.gc_maxlifetime and garbage collecting.

unset($_SESSION)
- destroys all session variables.

If they have javascript enabled, you can watch for the onUnload event and make an ajax call to a php file that unsets the session variable.
Typically the browser will delete session cookies on exit, and there is no need to do it on the server side.

Related

Why PHP session destroys when clear browser's cookie

I have a little confusion about PHP session and session cookies.
Let me ask my question by giving an example of www.example.com.
When I login to www.example.com, it starts a session. So I'm logged in as a user on this website.
Now when I clear cookies in my browser, it deletes all the browser cookies.
My question is: is the session at www.example.com destroyed when I clear the browser cookies, even when I haven't clicked on the logout button to destroy the session?
So that explains what I want to ask.
Does clearing browser cookies automatically destroy the PHP session even when you haven't done anything on a website that will call the function to destroy the session?
Why PHP session destroys when clear browser's cookie
After clearing cookies PHP does not destroy the session, it just cannot receive the session id anymore (which is stored in cookies), so the link between session data and the current user connection is lost. PHP destroys the session later, depending on its config.
Does clearing browser cookies automatically destroy the PHP session even when you haven't done anything on a website that will call the function to destroy the session?
No, it does not. PHP has limits on session lifetime (see php.ini, session.gc_maxlifetime and session.cookie_lifetime), which basically define session lifetime. In addition to official manual, there's also a good explanation of how these settings influence session lifetime.
If you watch carefully, like through web inspector on Chrome/Firefox etc, then you can see that the PHPSESSIONID is set as a cookie. So if you delete all cookies then I imagine you delete this cookie as well and therefore the session doesn't know what ID to use.
It's the mechanism of sessions. You can read more here.
About sessions (usually server sessions): the server saves all the session user data on the server and retrieves the data by the session ID from the client (via cookies).
The first time, the client sends a request to the server. The server does not find any session ID in this request, so it responds with a normal web page and includes SET-COOKIE: SessionID=xyz
From now on, every request from the client will include Session ID = xyz (via cookies).
If you clear cookies, the session ID is certainly gone.

When does a web session start and end?

This is more of a conceptual question. But I was wondering when a web session starts and ends when using PHP. I'm pretty sure the session starts when the user first requests any page that has the session_start() function. But does the session end when the user navigates to another page in the same tab? Is the same session preserved across multiple tabs and windows of the same browser? To preserve a session after the browser closes, do you have to use cookies?
Sessions start with the first session_start()
Sessions end after session.gc_maxlifetime and/or session.cookie_lifetime and/or some more things to do with PHP's session garbage collector.
Cookies are required to use sessions since PHP sets a cookie containing the user's SESSID, and the browser automatically sends it back with each request.
You can delete this cookie, which revokes your access to the session, but your session data still technically exists until the timeouts expire and the garbage collector runs.
Reference

Why doesn't session work when cookie is disabled?

According to my knowledge, session is stored at server and cookie is stored at client. But as soon as cookie is disabled, the session stops working. What is the reason behind this? Is it possible to make session work when cookie is disabled?
Few references I got:
http://php.net/manual/en/session.configuration.php
Well, because when cookie is disabled, the server has no idea which sessions a client belongs to (no information of the session is passed to the server). If you want to make session work when cookie is disabled, you may have to pass a PHPSESSID in your urls, something that looks like this:
http://example.com/myurl.php?PHPSESSID=[a long string]
PHPSESSID can be generated by using session_id() function.
That's because the cookie is used to identify which session on the server is associated with the current client.

PHP Session help

I have a session that works perfectly except for one thing: if I close the browser the session gets destroyed, however if I close the current tab and then go back to the site, the session still exists. How can I make sure that the session is destroyed both on a tab close and a window close?
The problem here is browser behaviour. Cookies aren't usually destroyed until the browser is closed, and PHP sessions are maintained via a session ID cookie.
Your best bet may be to set the session timeout to something shorter than the default (15 or 30 minutes I believe).
You could try and do something with onunload as Anonymous suggests, but the onunload event is not guaranteed to fire so you won't be certain that the session has been destroyed.
Is there a particular reason you need the session to be destroyed straight away? If we know your exact problem we may be able to suggest a workaround.
You can't check tab closing with php, you should do it with a combination of the javascript onunload event and ajax call to request the destroy method for the server side session.
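The answers here and under the first question come down to the same server-side controls: a cookie lifetime of 0 plus a short timeout, because tab or window closes cannot be detected reliably. The following is an added example, not code from any of the posts; the function name, the `last_seen` key and the 15-minute limit are assumptions, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example: IDLE_LIMIT, 'last_seen' and the function name are assumptions.
const IDLE_LIMIT = 900; // seconds of inactivity allowed (15 minutes)

function start_session_with_idle_timeout(): void
{
    // Let the garbage collector remove data older than the idle limit.
    // GC runs probabilistically, so it cannot enforce the limit on its own.
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    // Reject session IDs that the server did not issue itself.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // session cookie: dropped when the browser exits
        'path'     => '/',
        'secure'   => true,   // assumes the site is served over HTTPS
        'httponly' => true,   // keep the ID away from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    // Enforce the idle limit on every request, whatever the browser did
    // with the cookie and whether or not GC has run yet.
    $now = time();
    if (isset($_SESSION['last_seen'])
        && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
        $_SESSION = [];               // drop the stale data
        session_regenerate_id(true);  // new ID, old server-side record deleted
    }
    $_SESSION['last_seen'] = $now;
}

// Must run before any output, because it sends the session cookie header.
start_session_with_idle_timeout();
```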

How to delete a PHP session?

It's possible I'm not properly deleting PHP sessions when the user signs out. I've noticed that if I sign out and sign back in without closing the browser, the session ID doesn't change but if I sign out, close the browser window, open a new one and sign in, the session ID will be different. Do I need to be doing something different or is this normal behavior? I've been using the same process for three years but something happened recently that made me think that maybe I need to do something different.
Here's what I basically do when someone clicks Sign Out.
<?php
session_start();
if( isSet($_SESSION['FacID']) )
    $facID = $_SESSION['FacID']; //Want to re-instate this after we destroy the session.
unset($_SESSION);
session_destroy();
if( isSet($_SESSION['FacID']) )
    $_SESSION['FacID'] = $facID;
?>
If you feel the need to force a new id
http://pl.php.net/manual/en/function.session-regenerate-id.php
And to your question, from the manual:
session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
Your session is getting destroyed.
PHP will only generate a session id if the browser isn't specifying one. As long as the session has been destroyed, there are no problems with this.
What's with the massive save-and-destroy? Just session_start and set your variables. No need to destroy, then reset them!
Your "problem" with the browser is that when you close your browser window, your browser is deleting the cookie which PHP sends it so it knows the session ID. This is a browser option and cannot be changed on the server side (unless you exploit). It can be circumvented using some methods, but that's probably not your best option.
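The sign-out steps from the manual passage quoted above, together with a way to keep a single value under a fresh session ID, written as an added example that is not code from the question or its answers. The function names are assumptions; `FacID` is the key used in the question.

```php
<?php
// Added example: function names are assumptions; 'FacID' is the question's key.

// Full sign-out: clear the data, expire the ID cookie, delete the server record.
function sign_out(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = []; // empty the array instead of unsetting the superglobal

    // Expire the cookie using the same parameters it was issued with,
    // otherwise the browser treats it as a different cookie and keeps the old one.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Keep one value but nothing else, and move it to a new session ID so the
// ID used before sign-out stops being valid.
function reset_session_keeping(string $key): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $keep = $_SESSION[$key] ?? null;

    $_SESSION = [];
    session_regenerate_id(true); // true deletes the old server-side record

    if ($keep !== null) {
        $_SESSION[$key] = $keep;
    }
}

// Both functions send cookie headers, so call them before any output.
reset_session_keeping('FacID');
```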
