Does the $_SESSION expire at any time point? Obviously you can call session_destroy() or close the browser. I just had a application fail because it was relying on the session and the browser had been open for 2 days. I guess the session must have expired.
Yes it can be configured in the php.ini. See here http://www.php.net/manual/en/function.session-cache-expire.php
I think one way is to set http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime , but then you rely on the browser to really delete the session cookie when it expires. So it would be best to save the last-seen-time in the session and remove sessions when a maximum time is reached.
Related
My questions:
session.gc_maxlifetime in php.ini: Does the session.gc_maxlifetime start from the session_start() point or the latest request to the server? (Assuming I have a few requests without a session_start() being called.)
What is the best practice to use the $_SESSION object so as to not waste precious RAM (automatically clear idle sessions in time)? Or is this something that happens automatically by the time mentioned in session.gc_maxlifetime?
How do I correctly check if a session has expired (as against a session which never got created)? Or are both the same? isset($_SESSION['any_variable']) === FALSE
Assuming I don't have control over php.ini, how do I increase session.gc_maxlifetime?
session_start(): If a session has "timed out", calling session_start will always start a session with the previous variables unavailable(a brand new session). Is that correct?
Good question! I would assume that the default filesystem session handler would go off last access but not all filesystems support an atime timestamp. I'll see what I can find out on that front.
Sessions are by default stored as files on disc. They only take memory when loaded. Unless you've built a custom session handler that stores sessions in a RAM disc or in a memcache server or similar, or unless you're storing a huge amount of state in the user's session I doubt memory use will be a major concern.
When session_start() is called the previous session data is loaded into PHP. If the session has expired then there will be no session data to load and a new empty session will be created. So yeah, if you check for the existence of a variable in $_SESSION that you're expecting to always be there then you can use that to determine if the user's session has expired (but only after session_start() was called).
Simply set gc_max_lifetime to how long you want sessions to last in seconds. 600 is 10 minutes, 86400 is one day, etc.
Yes (with some caveats, see below).
There are a few things you need to be aware of with sessions though. First is that there's two components to a session: A server side state record that holds all the data stored in the session, and a client side token that PHP uses to associate a particular user with a particular state record. Normally the client side token is a cookie. Cookies have their own expiration date, so it's possible that the session can expire before the session state is due to do so. In that case the user will stop sending the token and the session state is effectively lost. If you're adjusting how long a session lasts you need to set both the server side state expiration time and the client side cookie expiration time.
As for stale state, the session garbage collection system doesn't always run every time session_start() is called. If it was the overhead would be crippling to a big PHP site with a lot of sessions. There are configuration options that specify the probability that the GC will run on any given invocation of session_start (I believes it defaults to 1%). If it doesn't run then a stale session record may still be treated as valid and used to populate $_SESSION. It probably won't have a serious effect on your system but it's something you need to bear in mind.
I have heard many times that a session get destroy as our browser close.
Then how I keep logged in after closing and reopening my browser.
Please help
You keep login because your sessions are not destroyed even when the browser is closed. Sessions destroying on the closing of the browser is default behaviour but but this does not mean its the only behaviour. You can extend the expiry time of session.
This behaviour can be changed in the php.ini file by altering the line:
Keeping a session alive indefinitely
session.cookie_lifetime = 0
So just check when you have set the expiry time for the sessions. Although using cookies will be a good option
Note:- Remember to restart your web server after making this change.
You have to use Cookies.
You can use the setcookie() function and read the value with the $_COOKIE['cookiename'] variable.
Use cookies, with a predefined expire time, I like 1 year
You can use cookies. Cookies are data that is stored directly on the HDD so that even if the browser was closed, cookies still can be read if it haven't expired yet.
Here is an example of setting up a cookie.
Paste this code BEFORE the tag.
<?php setcookie("$name", "$value", $time); ?>
Where $name is the cookie name, $value is the cookie value and $time is the time when your cookie will be expired. For example $time = time()+86400; will set your cookie to expire after 1 day. The 86400 value is the number of seconds in a day, 60seconds times 60minutes times 24hours, so 60x60x24 = 86400.
Basically, a php session won't expire while a user is surfing on a website. But "while the user is surfing on the website" means that there are get and post requests. Nevertheless, i can't figure out if there has to be new requests, or if one active request is enough to maintain the session…
For instantce, i have a big file upload by post. It could then take hours. Will the session expire or not ?
The lifetime of a session depends on the ini setting session.gc-maxlifetime. Every access to the session (read and write) resets the timer. After the timeout, when the session garbage collector runs, the session values are destroyed.
The default value is 1440, which means 24 minutes. So if you have hits that access the session in any way at least every 24 minutes, the session values will stay.
If you need the session to stay alive longer than that, you can extend the timeout with ini_set (use before session_start()), for example:
ini_set('session.gc_maxlifetime', 24*60*60); // 24 hours
It shouldn't. Usually when I work with $_SESSION's, they last for a day or so. But it might on some servers. In that case you need to add cookies, too. With cookies you can exactly manipulate the time the person can be online for.
How to delete session cookie on browser close, or optionally detect and force "new" session for a returning user. I want to prevent storing session cookies by "session managers" like addons in firefox and such.
I guess you could use this :
session_set_cookie_params(0);
session_start();
Destroy PHP Session on closing
Session manager are designed to save session cookie : I don't think you can prevent their behavior.
However, you can set your php configuration to have a non-used session garbage collected really fast : Then the session, after a few amount of time (basically, 1 hour), will be invalidate. See the session.gc_maxlifetime parameter.
fortunately a website can't force anything to happen on the clients machine. if you don't want to rely on the browsers cookie-management and those addons, one way would be to not use cookies for sessions and use the good old session-id get parameter instread (or, alternatively, set the session-lifetime to something like 1 or 2 hours, but this isn't exactly what you wanted)
I don't think you'll be successful on this route.
If you need to log out the user so quickly, consider using a very short session lifetime (like, one minute) and keeping the session alive using a JavaScript setInterval or an iframe that refreshes itself every thirty seconds.
I am using a login system that sets the session variables / cookies below. Chrome, which awesomely lets you look at your cookies without too much trouble, apparently labels this as a PHPSESSID that expire "When I close my browser." Sure enough, when I log in, shut down the browser, and then open up a new browser session, I am no longer logged in.
How could I make it so the user stays logged in whether or not the browser is closed? I would like to make it so the user stays logged in (permanently, if possible) unless a deliberate logout is done.
$_SESSION['loginid'] = $row['loginid'];
$_SESSION['username'] = $u;
Take a look at session_set_cookie_params()...
The first parameter is $lifetime. Set that to a non-0 number, and that's how long they will stay logged in for in seconds. If it's 0, it'll be deleted once the browser closes. Note that you'll need to either store the session data yourself, or set ini_set("session.gc_maxlifetime", $Lifetime); as well (to prevent the server from deleting old sessions). But beware that this could eat up a LOT of disk space (And open Denial Of Service attacks where attackers eat up all your disk space by just spawning new sessions continuously)...
1 year ~= 3156000 (seconds)
I'd honestly suggest implementing a "remember me" function rather than trying to persist the session indefinitely... The remember me would use a cookie as well, but it wouldn't tie up server space for non-active users...
You just need to set an expiration date in the future on the session cookie.
You can use session_set_cookie_params to set the PHPSESSID cookie related settings.
//set cookie for 60 seconds:
session_set_cookie_params(60);
So you would just replace the value 60 with some arbitrarily high second value.