
Trouble understanding $_SESSION


wavez


I've taken and redesigned a whole bunch of example and tutorial code pieces for my small project. I have a MySQL database working now (I realized it's easier than using flat files) and I need to get user accounts working. I'm having a lot of trouble understanding how PHP sessions work.

 

Assuming a user has logged in and is now clicking on links and browsing around, on each page load, don't I need to check the session variable to load his username, and also check that his session is current? How do I check that the session is current? None of the examples / tutorials that I'm finding online even mention how my code is to know which user the page is being served to. Does session_start() have a magic feature that makes this check unnecessary?

 

I know I can use cookies, but I figured I would code it without since some articles seem to indicate that cookies don't have to be required to support typical user session functionality.


When is the session destroyed? Does it have a timeout feature? How do I know, upon page request, if the user HAD an active session but it timed out (versus the situation where the user requested my page but didn't have an active session yet that day)?


Note: If you are not experienced with session programming it is not recommended that you use sessions on a website that requires high security, as there are security holes that take some advanced techniques to plug.

 

On second thought, maybe it is easier and more expedient for me to store a hash key in the DB for each user account and just compare that against a matching cookie upon every page load. That means querying my DB on every request though.


None of the examples / tutorials that I'm finding online even mention how my code is to know which user the page is being served to. Does session_start() have a magic feature that makes this check unnecessary?

 

When you start a session, a unique ID is generated and assigned to that user by way of setting a cookie.  The name of this cookie is set by the session_name() function, and defaults to PHPSESSID.

 

Whenever the user visits a page, its browser sends this cookie back to the server.  When you call session_start, it first checks to see if this cookie value exists.  If it does, it resumes that session by loading the data associated with that session out of a file.  If no cookie value is sent then it starts a new session by generating an ID, as mentioned above.

 

This cookie value is how you know which user is requesting the page.  All this typically happens behind the scenes.  You can customize the process if desired but usually you do not need to.

 

 

I know I can use cookies, but I figured I would code it without since some articles seem to indicate that cookies don't have to be required to support typical user session functionality.

 

You can pass the session id in the URL instead of as a cookie value, however this is not recommended as users may copy/paste a URL to your site which contains the session id and send it to another person.  This other person would then resume the first user's session, even though they shouldn't.  This is known as session hijacking.  There are ways to prevent it (and you should even when using cookies) but by not passing the ID around in the URL you go a long way toward preventing it.

 

When is the session destroyed? Does it have a timeout feature? How do I know, upon page request, if the user HAD an active session but it timed out (versus the situation where the user requested my page but didn't have an active session yet that day)?

 

PHP cleans up the session data files periodically through a garbage collection process.  When the data file is removed this way, the session is destroyed.  You can also manually destroy it, such as on a logout page using session_destroy().  These configuration directives control this process:

session.gc_probability

session.gc_divisor

session.gc_maxlifetime

 

The gc_maxlifetime is the duration in seconds before the session is considered inactive and cleaned up.  It defaults to about 20 minutes.  When checking inactivity it compares the duration between when the session was last used and the current time.  The last used time is the last time a request was sent using that session id.

 

You don't really know if the session is timed out.  It just disappears.  If the user's session timed out, say from them going out to lunch, and PHP cleans up the session file, the next time they load a page it will be as if they are starting a brand new session.

 

 

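The answer above covers three things the original poster asked about: how session_start() ties a request to a user through the PHPSESSID cookie, why the session id should stay out of the URL, and the fact that PHP itself never tells you a session timed out. The following is an added example, not code from the thread, that puts those points into one small helper. Everything in it (the function names app_session_start(), login_user(), session_state(), current_user() and logout_user(), the 20-minute idle limit, and the array form of session_set_cookie_params()/setcookie(), which needs PHP 7.3 or later) is an assumption for the example. It records its own last-activity timestamp in $_SESSION so the application can distinguish "no login yet" from "was logged in, but idle too long", for as long as the server-side session file still exists.

```php
<?php
// Added example (not from the thread): a small session helper that shows
// (1) how session_start() ties a request to a user via the session cookie,
// (2) how to keep the session id out of URLs, and
// (3) how to tell "no session yet" apart from "session timed out" by
//     recording a last-activity timestamp in $_SESSION yourself.
// All names and the 20-minute limit below are assumptions for this example.

const SESSION_IDLE_LIMIT = 20 * 60; // seconds of inactivity before the app treats a session as expired

function app_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie-only sessions: never accept or emit the id in the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');   // reject ids the server did not create
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'lifetime' => 0,          // cookie lives until the browser closes
        'path'     => '/',
        'secure'   => $https,     // send only over HTTPS when the site runs on it
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login_user(int $userId, string $username): void
{
    app_session_start();
    // Fresh id on login so an id handed out before authentication cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['username']      = $username;
    $_SESSION['last_activity'] = time();
}

/**
 * Returns 'none' (nobody logged in on this session), 'expired' (a user was
 * logged in but has been idle longer than SESSION_IDLE_LIMIT) or 'active'.
 */
function session_state(): string
{
    app_session_start();
    if (!isset($_SESSION['user_id'])) {
        // A brand-new session, or one PHP's garbage collector already removed:
        // from the application's point of view these two look the same.
        return 'none';
    }
    if (time() - ($_SESSION['last_activity'] ?? 0) > SESSION_IDLE_LIMIT) {
        logout_user();
        return 'expired';
    }
    $_SESSION['last_activity'] = time(); // sliding window: every request extends it
    return 'active';
}

function current_user(): ?string
{
    return session_state() === 'active' ? $_SESSION['username'] : null;
}

function logout_user(): void
{
    app_session_start();
    $_SESSION = [];
    // Also expire the cookie so the browser stops sending the old id.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Typical use at the top of a protected page:
switch (session_state()) {
    case 'active':
        echo 'Hello, ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
        break;
    case 'expired':
        echo 'Your session timed out; please log in again.';
        break;
    default:
        echo 'Please log in.';
}
```

The 'expired' branch can only fire while the server-side session data still exists; once PHP's garbage collector has removed the file, the request looks like a brand-new session, exactly as the answer describes. Keep session.gc_maxlifetime at least as large as SESSION_IDLE_LIMIT so the application's own check runs first, and treat session.gc_probability/session.gc_divisor as the knobs that decide how often that collector runs rather than as a timeout.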
