Jump to content

Questions about Sessions...

doubledee

By doubledee
in PHP Coding Help

 Share

Recommended Posts

doubledee Advanced Member

doubledee

Posted
Posted

Some questions about Sessions...

 

1.) Why is it that when I assign my file path to $_SESSION there seems to be no Cookie involved??

 

2.) Do I care that my Session is Cookie-less??

 

3.) How would I create a Cookie when creating a Session?

 

4.) How long does a Session last??

 

5.) Can a Session die prematurely??

 

Thanks,

 

 

 

Debbie

 

Link to comment
Share on other sites
phpSensei Advanced Member

phpSensei

Posted
Posted

Well Cookies are stored in the clients machine, whereas Sessions are saved on the server. Sessions do however still use cookies to hold a unique ID of the session stored for each user. Sessions are mostly a combination of server side cookies and client side cookies. So the cookie is already automatically created for you. You can even turn of the SID being made through the cookies and have it pass through the HTTP URL (this method has some draw backs)

 

so actually you can set the Session's lifespan on the server itself just use configure the session.gc_maxlifetime in the init settings. By default I believe its 25 minutes before a session is destroyed by the server itself. A session should have its cookie assigned to it.

 

Also I dont know what you ment by the last question.

Link to comment
Share on other sites
doubledee Advanced Member

doubledee

Posted
  • Author
Posted

Well Cookies are stored in the clients machine, whereas Sessions are saved on the server. Sessions do however still use cookies to hold a unique ID of the session stored for each user. Sessions are mostly a combination of server side cookies and client side cookies. So the cookie is already automatically created for you. You can even turn of the SID being made through the cookies and have it pass through the HTTP URL (this method has some draw backs)

 

so actually you can set the Session's lifespan on the server itself just use configure the session.gc_maxlifetime in the init settings. By default I believe its 25 minutes before a session is destroyed by the server itself. A session should have its cookie assigned to it.

 

Also I dont know what you ment by the last question.

 

I wasn't seeing a prompt from localhost to set a cookie.

 

Turns out I had an exception of "Allow" so even though I delete the Localhost cookie, Iw as never getting a new prompt to allow it so I din't know it was being set.

 

Related to the topic, should I ever Log-Out users?

 

Like after a Member adds a comment to my article, should I log them out?

 

Or should I log out people when they hit my Home Page?

 

Or after a certain period of time?

 

Or something else?

 

 

Debbie

 

 

Link to comment
Share on other sites
doubledee Advanced Member

doubledee

Posted
  • Author
Posted

All of those questions are up to you. A session alone however won't keep a person logged in after they have closed there browser.

 

How long does Session data last?

 

I thought the whole idea is that it survives from page to page and if the user closes their browser as well?  :confused:

 

And how does the life vary if a Session using a Cookie?

 

 

Debbie

 

Link to comment
Share on other sites
trq Prolific Member

trq

Posted
Posted

By default, a session will last 20 minutes without user activity or until the browser closes. This can be changed in the php.ini

 

And how does the life vary if a Session using a Cookie?

 

All sessions use cookies unless you have that functionality disabled (not recommended) in which case you need to pass the session id around through the url.

 

You use cookies to persist a login any longer than described above.

Link to comment
Share on other sites
phpSensei Advanced Member

phpSensei

Posted
Posted

How long does Session data last?

 

I thought the whole idea is that it survives from page to page and if the user closes their browser as well?  :confused:

 

And how does the life vary if a Session using a Cookie?

 

 

Debbie

 

I just answered your questions, I don't understand what is so confusing about it. Just have a read and grasp the paradigm of sessions/cookies.

Link to comment
Share on other sites
doubledee Advanced Member

doubledee

Posted
  • Author
Posted

By default, a session will last 20 minutes without user activity or until the browser closes. This can be changed in the php.ini

 

And how does the life vary if a Session using a Cookie?

 

All sessions use cookies unless you have that functionality disabled (not recommended) in which case you need to pass the session id around through the url.

 

You use cookies to persist a login any longer than described above.

 

So if I store something in a Session from Page A, and the user closes their browser window, then the data in the Session is lost forever?

 

 

Debbie

 

Link to comment
Share on other sites
gizmola Prolific Member

gizmola

Posted
Posted

I wrote a post previously talking about a number of these questions -- might help a bit:  http://www.phpfreaks.com/forums/index.php?topic=223785.msg1579550#msg1579550

 

When people want to have a session last beyond the life of a browser (as in a "remember me" feature) one typical way of implementing that is to create a separate cookie that can be used instead of logging someone in.  This of course is a very dangerous feature if implemented incorrectly, because if someone figures out what you're doing, they could craft a cookie to log them into your system without the need for a name/password combination.

 

So one way of doing that is to generate a hash value that is guaranteed unique, and store that in the user row, while at the same time pushing it as a cookie.  Your code would then need to handle this cookie if it exists, when a user is not in a "logged in state" and basically, do the same processing that is done on a login.

 

 

Link to comment
Share on other sites
doubledee Advanced Member

doubledee

Posted
  • Author
Posted

Yes.

 

That must not be true, because when I set

 

<?php
// Set article location.
$_SESSION['returnToPage'] = $_SERVER['PHP_SELF'];
?>

 

in "article1234.php" and then I close the browser and then check my email and click on the e-mail link and go to "activate.php" and then click on a Log In ink and go to "log_in.php" and log in I am redirected to "article1234.php".

 

This means this code:

 

// Redirect User.
if (isset($_SESSION['returnToPage'])){
header("Location: " . $_SESSION['returnToPage'] . '#returnHere');
}else{
// Take user to Home Page.
header("Location: " . WEB_ROOT . "index.php");
}

 

in "log_in.php is working and is using a value that apparently persists in the $_SESSION.

 

 

Debbie

 

 

Link to comment
Share on other sites
phpSensei Advanced Member

phpSensei

Posted
Posted

It means by default settings of your server destroy the sessions and session cookie, however the cookie that hold's the session's ID can have a longer life span through making some settings changes in the php.ini, hence the session LIVES!

 

you follow? This default can be overridden, so use the code on my post above.

Link to comment
Share on other sites
doubledee Advanced Member

doubledee

Posted
  • Author
Posted

Debbie try it out...

 

print_r(session_get_cookie_params());

 

I didn't see this response before.

 

Where do you put that code?

 

 

 

It prints out this format

 

Array
(
    [lifetime] => 0
    [path] => /
    [domain] => 
    [secure] => 
    [httponly] => 
)

 

And what does that mean?

 

It implies the session should die when you close the browser?

 

 

Debbie

 

 

Link to comment
Share on other sites
doubledee Advanced Member

doubledee

Posted
  • Author
Posted

The only other thing I could think of is session.use_trans_sid and session.use_only_cookies...

 

So let's pretend that my Session/Cookie should be dying off sooner than they are.

 

And let's say that my design isn't as reliable as it could be.

 

So what is a more sophisticated way to capture the article's current file name and path, assign it to a user who is NOT a Member yet - and thus not in my database - and store that original page permanently so that if they close their browser, reboot, etc that when they eventually log in after becoming a Member that they go back to where they were?!

 

Honestly, if they quit during registration, or after registration, or after activation, then that is their problem...  (I mean this is a "courtesy that I'm providing and not something crucial that is linked to a Member like a Shopping Cart?!  But still, I'd like to improve my design somewhat...)

 

 

 

Debbie

 

 

Link to comment
Share on other sites
phpSensei Advanced Member

phpSensei

Posted
Posted

Debbie,

 

There's three ways of doing this, the Session method which may or may not expire, or you can track a guest's location in database table. The one thing a logged in or logged out user has in common with his guest status is his IP ADDRESS, you can store the IP ADDRESS of the guest and keep track of the last location they were at by updating a database table, and once they login get the user's ip address and find a match in the database which stores the guest's last location with the same IP Address in that table, then use a redirect. Also now, when a user signs up take his IP address also.

 

an example would be

 

Guest Table

----------------

ID - 1

ip_address - 192.168.2.1

last_location - index.php

 

ID - 2

ip_address - 192.168.2.3

last_location - about.php

 

User Table

-------------

ID-1

ip_address - 192.168.2.1

username - John

 

ID-1

ip_address - 192.168.2.3

username - Chris

 

There's  1 more method which requires saving the session's data inside a file or a database...

 

http://www.tonymarston.net/php-mysql/session-handler.html

http://shiflett.org/articles/storing-sessions-in-a-database

 

Link to comment
Share on other sites
doubledee Advanced Member

doubledee

Posted
  • Author
Posted

Debbie,

 

There's three ways of doing this, the Session method which may or may not expire, or you can track a guest's location in database table. The one thing a logged in or logged out user has in common with his guest status is his IP ADDRESS, you can store the IP ADDRESS of the guest and keep track of the last location they were at by updating a database table, and once they login get the user's ip address and find a match in the database which stores the guest's last location with the same IP Address in that table, then use a redirect. Also now, when a user signs up take his IP address also.

 

I'm sorry, but that is less reliable than what I have been doing.

 

What happens when you have 10 users all with the same IP addy?

 

Or when you have someone like me who uses public free wi-fi sites?

 

I came up with a better work-flow last night an will post question today of how to implement it.

 

Thanks,

 

 

 

Debbie

 

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.