
Some questions about Sessions...

 

1.) Why is it that when I assign my file path to $_SESSION there seems to be no Cookie involved??

 

2.) Do I care that my Session is Cookie-less??

 

3.) How would I create a Cookie when creating a Session?

 

4.) How long does a Session last??

 

5.) Can a Session die prematurely??

 

Thanks,

 

 

 

Debbie

 

https://forums.phpfreaks.com/topic/243753-questions-about-sessions/

Well, Cookies are stored on the client's machine, whereas Sessions are saved on the server. Sessions do however still use cookies to hold a unique ID of the session stored for each user. Sessions are mostly a combination of server side cookies and client side cookies. So the cookie is already automatically created for you. You can even turn off the SID being made through the cookies and have it pass through the HTTP URL (this method has some drawbacks).

 

So actually you can set the Session's lifespan on the server itself; just configure session.gc_maxlifetime in the ini settings. By default I believe it's 25 minutes before a session is destroyed by the server itself. A session should have its cookie assigned to it.

 

Also I don't know what you meant by the last question.


 

I wasn't seeing a prompt from localhost to set a cookie.

 

Turns out I had an exception of "Allow" so even though I deleted the Localhost cookie, I was never getting a new prompt to allow it so I didn't know it was being set.

 

Related to the topic, should I ever Log-Out users?

 

Like after a Member adds a comment to my article, should I log them out?

 

Or should I log out people when they hit my Home Page?

 

Or after a certain period of time?

 

Or something else?

 

 

Debbie

 

 

As Thorpe mentioned,

 

 

and if you are really concerned about sessions I would read up on session hijacking, and some other security issues that might arise.

 

http://phpsec.org/projects/guide/4.html

 

and our site PHPfreaks has some very good articles on it.

 

 

All of those questions are up to you. A session alone however won't keep a person logged in after they have closed their browser.

 

How long does Session data last?

 

I thought the whole idea is that it survives from page to page and if the user closes their browser as well?  :confused:

 

And how does the life vary if a Session using a Cookie?

 

 

Debbie

 

By default, a session will last 20 minutes without user activity or until the browser closes. This can be changed in the php.ini

 

And how does the life vary if a Session using a Cookie?

 

All sessions use cookies unless you have that functionality disabled (not recommended) in which case you need to pass the session id around through the url.

 

You use cookies to persist a login any longer than described above.


I just answered your questions, I don't understand what is so confusing about it. Just have a read and grasp the paradigm of sessions/cookies.


So if I store something in a Session from Page A, and the user closes their browser window, then the data in the Session is lost forever?

 

 

Debbie

 

I wrote a post previously talking about a number of these questions -- might help a bit:  http://www.phpfreaks.com/forums/index.php?topic=223785.msg1579550#msg1579550

 

When people want to have a session last beyond the life of a browser (as in a "remember me" feature) one typical way of implementing that is to create a separate cookie that can be used instead of logging someone in.  This of course is a very dangerous feature if implemented incorrectly, because if someone figures out what you're doing, they could craft a cookie to log them into your system without the need for a name/password combination.

 

So one way of doing that is to generate a hash value that is guaranteed unique, and store that in the user row, while at the same time pushing it as a cookie.  Your code would then need to handle this cookie if it exists, when a user is not in a "logged in state" and basically, do the same processing that is done on a login.
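
The approach described in the post above, as an added example that is not part of the original thread: a "remember me" token drawn from the CSPRNG, with only its SHA-256 hash kept server-side and a constant-time comparison on redemption. It extends the post's single stored value into a selector/validator pair; the function names, the cookie name `remember`, the 30-day lifetime and the in-memory `$store` array (standing in for the database table) are assumptions.

```php
<?php
declare(strict_types=1);

const REMEMBER_TTL = 30 * 24 * 3600; // assumed 30-day lifetime

// $store stands in for the database table (constructed for this example).
function issue_remember_token(array &$store, int $userId): string
{
    $selector  = bin2hex(random_bytes(9)); // public lookup key
    $validator = random_bytes(32);         // secret, unguessable
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator), // never store the raw secret
        'expires' => time() + REMEMBER_TTL,
    ];
    return $selector . ':' . bin2hex($validator);
}

function send_remember_cookie(string $value): void
{
    setcookie('remember', $value, [
        'expires' => time() + REMEMBER_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Returns the user id for a valid cookie, or null. Tokens are single-use.
function redeem_remember_token(array &$store, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || strlen($parts[1]) !== 64 || !ctype_xdigit($parts[1])) {
        return null; // malformed cookie
    }
    $row = $store[$parts[0]] ?? null;
    if ($row === null || $row['expires'] < time()) {
        unset($store[$parts[0]]);
        return null; // unknown or expired selector
    }
    if (!hash_equals($row['hash'], hash('sha256', hex2bin($parts[1])))) {
        return null; // guessed or crafted validator
    }
    unset($store[$parts[0]]); // burn the token; the caller issues a new one
    return $row['user_id'];
}

// Demo with constructed data: a crafted cookie fails, the real one works once.
$store  = [];
$cookie = issue_remember_token($store, 42);
$forged = explode(':', $cookie)[0] . ':' . str_repeat('00', 32);
var_dump(redeem_remember_token($store, $forged), redeem_remember_token($store, $cookie));
```

After a successful redemption, run the same processing as a normal login and send a freshly issued token with `send_remember_cookie()`.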

 

 

Yes.

 

That must not be true, because when I set

 

<?php
// Set article location.
$_SESSION['returnToPage'] = $_SERVER['PHP_SELF'];
?>

 

in "article1234.php" and then I close the browser and then check my email and click on the e-mail link and go to "activate.php" and then click on a Log In link and go to "log_in.php" and log in I am redirected to "article1234.php".

 

This means this code:

 

// Redirect User.
if (isset($_SESSION['returnToPage'])){
	header("Location: " . $_SESSION['returnToPage'] . '#returnHere');
}else{
	// Take user to Home Page.
	header("Location: " . WEB_ROOT . "index.php");
}
// Stop the script so nothing else runs after the redirect header is sent.
exit;

 

in "log_in.php" is working and is using a value that apparently persists in the $_SESSION.

 

 

Debbie

 

 

As stated in my post, by default php's session "cookie" is a "session cookie".  You can override the default, but thorpe is correct.  The configuration can be altered of course, and in this case perhaps it has been:  http://www.php.net/manual/en/function.session-get-cookie-params.php


I'm not following you guys...

 

 

Debbie

 

 

It means by default settings of your server destroy the sessions and session cookie, however the cookie that holds the session's ID can have a longer life span through making some settings changes in the php.ini, hence the session LIVES!

 

You follow? This default can be overridden, so use the code on my post above.

Debbie, try it out...

 

print_r(session_get_cookie_params());

 

I didn't see this response before.

 

Where do you put that code?

 

 

 

It prints out this format

 

Array
(
    [lifetime] => 0
    [path] => /
    [domain] => 
    [secure] => 
    [httponly] => 
)

 

And what does that mean?

 

It implies the session should die when you close the browser?

 

 

Debbie

 

 

Anywhere on your server, just make a file called test.php. The lifetime key determines the lifetime of the cookie, in seconds.

 

So if the "lifetime key" is zero then why is my session/cookie persisting after I close my browser window?

 

 

Debbie

 

 

The only other thing I could think of is session.use_trans_sid and session.use_only_cookies...
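
An added example (not code from the thread) tying together the settings named in the posts above: cookie-only session IDs, a browser-session cookie, and an idle limit enforced in application code, since session.gc_maxlifetime only marks data as eligible for garbage collection. The function names, the `last_seen` key and the 20-minute limit are assumptions, and `secure` assumes the site is served over HTTPS.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT = 20 * 60; // assumed idle limit, in seconds

function start_hardened_session(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
    ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the ID
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    session_set_cookie_params([
        'lifetime' => 0,     // browser-session cookie, like the print_r output in the thread
        'path'     => '/',
        'secure'   => true,  // assumes HTTPS
        'httponly' => true,  // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Pure check, so the rule can be exercised without a browser.
function is_idle_expired(array $session, int $now, int $limit = IDLE_LIMIT): bool
{
    return isset($session['last_seen']) && ($now - $session['last_seen']) > $limit;
}

// Call on every request, right after start_hardened_session().
function enforce_idle_timeout(): void
{
    if (is_idle_expired($_SESSION, time())) {
        $_SESSION = [];              // forget the login and everything else
        session_regenerate_id(true); // drop the old ID and its server-side data
    }
    $_SESSION['last_seen'] = time();
}

// Call once the user's credentials have been verified.
function on_login(int $userId): void
{
    session_regenerate_id(true); // new ID at the privilege change
    $_SESSION['user_id'] = $userId;
}
```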

 

So let's pretend that my Session/Cookie should be dying off sooner than they are.

 

And let's say that my design isn't as reliable as it could be.

 

So what is a more sophisticated way to capture the article's current file name and path, assign it to a user who is NOT a Member yet - and thus not in my database - and store that original page permanently so that if they close their browser, reboot, etc that when they eventually log in after becoming a Member that they go back to where they were?!

 

Honestly, if they quit during registration, or after registration, or after activation, then that is their problem...  (I mean this is a "courtesy that I'm providing and not something crucial that is linked to a Member like a Shopping Cart?!  But still, I'd like to improve my design somewhat...)

 

 

 

Debbie

 

 

Debbie,

 

There are three ways of doing this: the Session method, which may or may not expire, or you can track a guest's location in a database table. The one thing a logged in or logged out user has in common with his guest status is his IP ADDRESS. You can store the IP ADDRESS of the guest and keep track of the last location they were at by updating a database table, and once they log in, get the user's IP address and find a match in the database table which stores the guest's last location with the same IP address, then use a redirect. Also, when a user signs up, take his IP address too.

 

an example would be

 

Guest Table
----------------
ID - 1
ip_address - 192.168.2.1
last_location - index.php

ID - 2
ip_address - 192.168.2.3
last_location - about.php

User Table
-------------
ID-1
ip_address - 192.168.2.1
username - John

ID-1
ip_address - 192.168.2.3
username - Chris

 

There's  1 more method which requires saving the session's data inside a file or a database...

 

http://www.tonymarston.net/php-mysql/session-handler.html

http://shiflett.org/articles/storing-sessions-in-a-database

 


I'm sorry, but that is less reliable than what I have been doing.

 

What happens when you have 10 users all with the same IP addy?

 

Or when you have someone like me who uses public free wi-fi sites?

 

I came up with a better work-flow last night and will post a question today of how to implement it.

 

Thanks,

 

 

 

Debbie

 
