Please tell me how the Apache server stores each logged-in user's session details.
I have never heard of Apache storing any session details.
Apache is an HTTP daemon, and HTTP is a stateless protocol with no session support.
You're probably talking about some language that emulates a stateful connection, using a cookie or query string to pass a session identifier.
Basically, in PHP sessions the server will use either cookies or URL rewriting. If cookies are enabled, it will store the session ID in a cookie. If cookies are disabled, it will pass the session ID using a parameter (GET) by appending forms with hidden elements and links with the ID.
PHP stores session data as text files on disk. The browser is then assigned a cookie which identifies which session belongs to that browser.
Related
I have a web application which sets the session cookie PHPSESSID with the HttpOnly flag, a path, and Secure. Secure is set only when an https URL is accessed.
If the cookie is set by an http request, the same cookie is shared with https and vice versa. How do I maintain two different sessions, one for http and one for https, in the same browser with the same cookie name PHPSESSID?
There is no way to set 2 cookies with the same name for a Host. Cookies are associated with a host or domain, and the protocol is not taken into consideration.
If you truly want to have separate session storage you would need to manually set at least one of the sessions to have a different name via session_name.
As for the HttpOnly flag, that is a semaphore for the browser, and has no active server-side behavior associated with it. In other words, the flag may or may not be honored by the server.
A much more meaningful setting in this area is session.cookie_secure, where the server won't send a cookie over http at all; however, that should not be interpreted to mean it won't read a cookie. If a cookie gets set in the browser, and the browser makes a subsequent request to that host or domain (if using a domain cookie), then the browser is going to include the cookie data in the request.
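One way to get the two separate sessions the answer describes, as an added example that is not code from the original post: pick the session name from the request scheme, so the http and https sessions carry different cookie names and therefore different IDs and storage. The cookie names and the PHP 7.3+ array form of session_set_cookie_params() are assumptions.

```php
<?php
// Added example (not from the original answer): one PHP session per scheme.
// Assumes PHP >= 7.3 for the array form of session_set_cookie_params().
declare(strict_types=1);

function is_https_request(array $server): bool
{
    // Apache sets HTTPS=on for TLS vhosts; treat anything else as plain http.
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

function start_scheme_bound_session(array $server): string
{
    $https = is_https_request($server);

    // Different cookie names => different session IDs => separate session files.
    // Hypothetical names; PHPSESSID is PHP's default.
    $name = $https ? 'PHPSESSID_TLS' : 'PHPSESSID';
    session_name($name);

    // Never fall back to URL-embedded IDs, and reject IDs the server did not issue.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'secure'   => $https,   // the TLS session's cookie is never sent over http
        'httponly' => true,     // not readable from document.cookie
        'samesite' => 'Lax',
    ]);

    session_start();
    return $name;
}

$name = start_scheme_bound_session($_SERVER);
// The http session never sees the https session's data, and vice versa.
$_SESSION['scheme'] = is_https_request($_SERVER) ? 'https' : 'http';
echo "session cookie in use: {$name}\n";
```

The plain-http session's cookie still travels in clear text, so nothing sensitive should be stored in that session; only the https-only session should carry authenticated state.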
I have a LAMP server. I have started playing around with PHP cookies and sessions inside my scripts. Is there any way to check which sessions, how many, and what type of sessions I have active? I am able to check if cookies are being deleted from the client side, but sessions are server side, with only a token on the client side.
Is there a command of some sort that would allow me to view active sessions (amount, time, session info) connected to my server?
Thanks.
By default PHP stores sessions on disk. Go to your sessions directory and check the active sessions there.
The file name in the session directory is the session token, and the data stored in the file is the session data.
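An added example, not code from the original answer, of what "check the sessions directory" looks like as a CLI script: it resolves session.save_path, counts the sess_* files, reports their age against session.gc_maxlifetime, and lists only the top-level key names rather than session values. The key-name extraction is a heuristic for the default "php" serialize handler, and the script must run as a user that can read the directory (an assumption).

```php
<?php
// Added example (not from the original answer): summarise the files-backed
// session store on a LAMP box. Prints counts, ages and top-level key names only.
declare(strict_types=1);

function session_dir(): string
{
    // save_path may be "/path", "N;/path" or "N;mode;/path"; the directory is last.
    $parts = explode(';', (string) ini_get('session.save_path'));
    $dir = end($parts);
    return $dir !== '' ? $dir : sys_get_temp_dir();
}

function top_level_keys(string $raw): array
{
    // Heuristic for the "php" handler format "key|<serialized>": a serialized
    // scalar ends in ";" and an array/object ends in "}", so the next key follows one.
    preg_match_all('/(?:^|[;}])([A-Za-z_][A-Za-z0-9_]*)\|/', $raw, $m);
    return $m[1];
}

function summarise_sessions(string $dir, int $maxLifetime): array
{
    $now = time();
    $rows = [];
    foreach (glob($dir . '/sess_*') ?: [] as $file) {
        $age = $now - (int) filemtime($file);
        $rows[] = [
            'id'      => substr(basename($file), 5),     // strip the "sess_" prefix
            'age_s'   => $age,
            'bytes'   => (int) filesize($file),
            'expired' => $age > $maxLifetime,             // eligible for PHP's GC
            'keys'    => top_level_keys((string) file_get_contents($file)),
        ];
    }
    return $rows;
}

$dir = session_dir();
$maxLifetime = (int) ini_get('session.gc_maxlifetime');
$rows = summarise_sessions($dir, $maxLifetime);
printf("%d session file(s) in %s (gc_maxlifetime=%ds)\n", count($rows), $dir, $maxLifetime);
foreach ($rows as $r) {
    // Only a prefix of the token is shown so the listing cannot be replayed as a cookie.
    printf("%s...  age=%6ds  %6dB  %s  keys=%s\n", substr($r['id'], 0, 8), $r['age_s'],
        $r['bytes'], $r['expired'] ? 'expired' : 'live   ', implode(',', $r['keys']));
}
```

Files older than gc_maxlifetime are still on disk until PHP's probabilistic garbage collection runs, so "present in the directory" is not the same as "still valid".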
I would like to know: when a session starts on the server in PHP, what actually happens SEQUENTIALLY on the server and client side?
For example, when a page with some session values is accessed, will it create a file on the server first, or does it create a cookie on the client computer? And what if cookies are disabled on the client machine?
Please let me know if someone has any comments on this.
Thanks!!
Sessions can't be disabled on the client machine, unlike cookies.
Manual on Session, Cookies and Session vs Cookies.
I am doing authentication for a web service in php. When a user authenticates a session is generated. Eventually this session expires and the user needs to authenticate again. The authentication information is sent in the http headers.
But it seems that sometimes the variable $_SERVER (or apache_request_headers()) return some headers that are not being sent by the client in the current request (they were sent in previous requests). For instance sometimes I get the variable $_SERVER['HTTP_RESPONSE'] filled with information from previous requests.
Is it normal for $_SERVER or apache_request_headers() to 'persist' across requests?
It depends on whether or not you're using a browser to access the script.
Your 'persistent' headers are probably due to browser caching, but even then I'm not entirely sure what is happening. I've tried running a few tests using Fiddler, but couldn't replicate the problem.
Maybe try clearing your cache, as different headers might have been stored from previous versions of the script.
But, I would definitely avoid sending authentication params in the headers. Unless you're using HTTPS, they're liable to be sniffed and stolen. Why are you using headers?
$_SERVER contains information about the server; it doesn't necessarily contain any request/response information, and it's persistent across the server lifetime (e.g. SERVER_NAME will persist, but has nothing to do with the REQUEST/RESPONSE).
apache_request_headers() contains an array of headers which were sent; those may or may not include any cookie and session information. They are dependent on the client which you're using to access the server.
The only thing which persists across requests is $_SESSION, because every time you access the $_SESSION superglobal, it fetches the session information which was saved on the file system (basic PHP implementation); some frameworks persist the session in the database (such as Yii).
I'm assuming you want to create request-header-based authentication, so what you need to actually do is parse the request headers, match those against legal user credentials, and simply open_session(); and put a value in the session which will mark the user as authenticated. Any subsequent check will be made against the $_SESSION superglobal, or against some other implementation of sessions.
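The flow the answer sketches, as an added example rather than the answer's own code: credentials arrive once in an Authorization: Basic header, are checked against a stored hash, and from then on the session cookie marks the caller as authenticated until a time limit forces re-authentication. The user store, the 15-minute limit, and the use of apache_request_headers() (Apache mod_php or PHP-FPM behind TLS) are assumptions.

```php
<?php
// Added example (not from the original answer): header-based login that is
// then carried by the session. Assumes Apache mod_php or PHP-FPM over TLS.
declare(strict_types=1);

const AUTH_TTL_SECONDS = 900; // re-authenticate after 15 minutes (hypothetical policy)

function parse_basic_auth(array $headers): ?array
{
    // Header names are case-insensitive; normalise before the lookup.
    $headers = array_change_key_case($headers, CASE_LOWER);
    $value = $headers['authorization'] ?? '';
    if (stripos($value, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($value, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    [$user, $pass] = explode(':', $decoded, 2);
    return ['user' => $user, 'pass' => $pass];
}

function authenticate(array $headers, array $users): bool
{
    session_start();
    $fresh = isset($_SESSION['auth_at']) && (time() - $_SESSION['auth_at']) < AUTH_TTL_SECONDS;
    if (!empty($_SESSION['auth_user']) && $fresh) {
        return true;                      // the cookie-backed session is still valid
    }
    $_SESSION = [];                       // expired or anonymous: start from a clean state
    $cred = parse_basic_auth($headers);
    if ($cred === null || !isset($users[$cred['user']])
        || !password_verify($cred['pass'], $users[$cred['user']])) {
        return false;
    }
    session_regenerate_id(true);          // fresh ID at login so a pre-login ID cannot be reused
    $_SESSION['auth_user'] = $cred['user'];
    $_SESSION['auth_at']   = time();
    return true;
}

// Constructed user store for the demo: username => password_hash() output.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

if (!authenticate(apache_request_headers(), $users)) {
    header('WWW-Authenticate: Basic realm="api"');
    http_response_code(401);
    exit;
}
echo "authenticated as {$_SESSION['auth_user']}\n";
```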
If I'm using PHP to perform a cURL POST to a remote server running code containing session_start(), is it possible to access session variables set on the local machine on the remote?
Unless you've got PHP's trans_sid option turned on (a BAD idea), POST has nothing to do with session values. That's mediated through a standard cookie.
Cookies are bound by same-domain security settings - they CAN be shared between hosts in the same domain (e.g. foo.example.com and bar.example.com), but an Amazon cookie cannot be shared with Yahoo.
No they do not. Even sending a session cookie, which you can do with cURL POST, will reference a session which exists only on the requesting server.
No.
The session variables are server-specific. They only cross to another server if the session ID were to be set correctly, and if they were using a shared session data-store, such as memcached.