What happens with a PHP Session when the user doesn't explicitly log out?

For example, if a user just closes the browser window without logging out (the PHP script unsetting and destroying the session and expiring the session cookie), by default the cookie used to store the session ID will have expired the next time the user opens the browser so s/he won't have access to the same session.
But what happens with the file on the server side that was used to save the session data and what happens with the session data itself?
Will it still be available?

There are parameters called session.gc_divisor and session.gc_probability that you can configure in php.ini or in the .htaccess.
These parameters give the probability (gc_probability/gc_divisor) of executing the garbage collection of the sessions on every request.
The garbage collection is a process which checks if the last modification of the session file is older than session.gc_maxlifetime and removes it if it is!
So yes, the data are still available for a while on your server.
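To make the two parts of that answer concrete, here is an added example (not code from the original answer) that models what PHP's built-in files handler does: it reads the effective garbage-collection probability from session.gc_probability and session.gc_divisor, then applies the same "last modification older than gc_maxlifetime" test to a set of constructed session files in a throwaway temporary directory rather than the real session.save_path. The file names and contents are made up for the demonstration; the 1440-second lifetime is PHP's default for session.gc_maxlifetime.

```php
<?php
// Added example: a stand-alone model of PHP's file-based session garbage collection.
// It does not touch the real session.save_path; it works on a temporary directory
// filled with constructed session files.

declare(strict_types=1);

// Effective chance that a given request triggers GC: gc_probability / gc_divisor.
// With PHP's defaults (1 and 100) that is 1% of requests.
function gcProbability(): float
{
    $probability = (int) ini_get('session.gc_probability');
    $divisor     = (int) ini_get('session.gc_divisor');
    return $divisor > 0 ? $probability / $divisor : 0.0;
}

// The same test the files handler applies: a session file whose last modification
// time is more than $maxLifetime seconds in the past is stale and gets unlinked.
// Returns the base names of the files it removed.
function collectStaleSessions(string $dir, int $maxLifetime, int $now): array
{
    clearstatcache();
    $removed = [];
    foreach (glob($dir . '/sess_*') ?: [] as $file) {
        if (filemtime($file) + $maxLifetime < $now) {
            unlink($file);
            $removed[] = basename($file);
        }
    }
    return $removed;
}

// --- demonstration with constructed files ---
$dir = sys_get_temp_dir() . '/php_sess_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$now         = time();
$maxLifetime = 1440; // PHP's default session.gc_maxlifetime, in seconds

// One session touched 10 seconds ago (still live) and one abandoned an hour ago,
// i.e. a user who simply closed the browser without logging out.
file_put_contents($dir . '/sess_live', 'user|s:5:"alice";');
touch($dir . '/sess_live', $now - 10);
file_put_contents($dir . '/sess_stale', 'user|s:3:"bob";');
touch($dir . '/sess_stale', $now - 3600);

printf("GC runs on roughly %.2f%% of requests\n", gcProbability() * 100);
$removed = collectStaleSessions($dir, $maxLifetime, $now);
printf("removed: %s\n", implode(', ', $removed));
printf("still on disk: %s\n",
    implode(', ', array_map('basename', glob($dir . '/sess_*') ?: [])));

// Clean up the demonstration directory.
array_map('unlink', glob($dir . '/sess_*') ?: []);
rmdir($dir);
```

The point the example makes visible: until one of those roughly 1-in-100 requests happens to run the collector, the abandoned session data of "bob" is still readable on disk, so anything sensitive placed in $_SESSION lives on the server well past the moment the browser window was closed.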

Related

Why do sessions expire after closing the browser window?

According to Where are $_SESSION variables stored?: "Usually the session-id is stored in a cookie, but it can also be appended to urls". Once I read that, I asked myself: so, why is it said that the session-id is deleted when closing the browser window if it is stored in a cookie?
Then, after Googling a little bit more about it, I found that there are two different types of cookies: session cookies and persistent cookies.
I guess that the session-id is stored in a session cookie, but: beyond the name evidence, why is a session stored in a session cookie and not in a persistent cookie? What is the need of creating a new session-id every time the browser is opened? Why not re-use it?
There are many reasons you store sessions in session cookies. One case is public computers: if the previous user has logged into their bank account at the library to pay bills you don't want the next user to be able to log into that session by just looking at the History log in the browser. Being sure that the session is gone by closing the browser alleviates this.
You can also use persistent cookies, and many do too, such as Gmail, but what is then important is to set an expiration time that is not too long. Otherwise, if someone gets hold of the session id they can use that forever. Usually the server will send you a new valid session id some minutes before the next goes out to keep your session alive.

A session, once created, only expires

"A session, once created, only expires"
I mean a session is created for every user. But when the user closes the browser the session cookie gets destroyed and so the session (which still exists in the session store) becomes of no use.
These sessions keep on accumulating in the session store until they expire themselves.
Please correct me if I am wrong.
Also, is there a way to clear the session when the user closes the browser?
Thanks for the help

Different ways of maintaining session

What are the different ways of maintaining session in a browser?
Consider a scenario:
I am browsing a secure site in Firefox and the browser crashes. Now when I open the browser again and I do Restore tabs, is my previous session restored? Is that handled automatically by the browser or is it code-based?
Also, can we control the session based on tab close vs. window close, etc.?
Is there any connection between maintaining the session on the server vs. having the same on the client side?
What are the different ways of maintaining session in a browser?
Different ways of maintaining sessions are:
Cookies ( Most Standard way )
Url Rewriting
Html Forms hidden fields
Consider a scenario: I am browsing a secure site in Firefox and the browser crashes. Now when I open the browser again and I do Restore tabs, is my previous session restored? Is that handled automatically by the browser or is it code-based?
It is handled by the browser automatically if it was cookie based; otherwise you will manage that.
Also, can we control the session based on tab close vs. window close, etc.?
On the server you can control the session only by time, meaning when it will become invalid, but if you want to do something that will invalidate the session when a tab is closed then, in my opinion, you can bind to the close event in JavaScript and then delete the cookie that was used to manage the session, PHPSESSION (in PHP's case).
Is there any connection between maintaining the session on the server vs. having the same on the client side?
Yup :)
When you create a session you are actually sending a cookie.
Suppose you are coding in PHP and you create a session. What happens is: a file will be created on the server (files are the default way to handle sessions in PHP but you can also change that) and a unique id will also be created on the server that represents that session. So if you create a session, a file will be created with the name sjflsj3lrh324l2hjlskdjfl3hl.session and a unique id will also be created, e.g. sjflsj3lrh324l2hjlskdjfl3hl.
Now when you store anything in the session you are actually storing it in this file, and when you send the response to the browser you will also send a cookie to the browser whose value is this id. So next time, when you reopen that site, the browser will first check whether any cookie was received from this domain before. If yes, it sends it with the request, and then on the server PHP will check whether the request contains any cookie. If so, it will check whether a file with that name exists, and if it exists that means there was a session. It will then open that file and all the variable values that were saved in it will be restored into PHP variables.

Setting php sessions to last 1 month (or until user explicitly logs out)

I have a quick question about php sessions. If I want a session to last for one month (or until a user explicitly logs out) I change the following php.ini settings: session.gc_maxlifetime = 2592000 and session.cookie_lifetime = 2592000 from their defaults of 1440 and 0 respectively. Correct?
Thanks.
session.cookie_lifetime of 0 will keep the cookie till the browser restarts (basically for the entire session).
Setting your session.gc_maxlifetime to such a high value will mean you will have many stale sessions on your server and this might be an issue if you have large numbers of sessions - typically sessions are stored in the system's /tmp folder. When this folder, typically on *nix machines, fills up it could cause problems on the machine - processes start locking up as they fail to create temporary files for whatever reason. (You can change the session.save_path to something other than /tmp so you don't have this issue - especially on shared hosts).
Someone, though, with more experience in server configurations, may know that there are other timeouts like Apache and TCP settings that may trump this value no matter how high you create it.
I believe what you're basically asking is for a Remember Me feature that will allow someone to log in without having to remember their Username/Password and remember the exact state (1 month session).
The Remember Me feature can be implemented with a rotating authentication cookie that is set to the next token in a known series based on the user's login credentials.
The 1 month session feature can be implemented by storing the session's state in a persistent cache (file cache, database, something more elaborate like Tokyo Tyrant).
If what you are asking for is a 'Remember Me' the simplest solution is:
Once a user logs in successfully, you create a random hash and store it in a cookie (in the user's browser) and in the database (joined to the user id).
So when the user calls your script, first you check the hash: if the hash is present in the database you automatically log them in without asking for username/password, otherwise you ask for user/password.
In the first option you "bypass" login because the hash identifies the user.
If the user explicitly logs out from your site, simply delete the session and reset the user hash (on the DB side)...
Using this method you can also set a time limit: in the cookie simply set the cookie duration, and on the DB side add the time limit; if a user logs in using a hash past the time limit you do not allow the auth login :)
Hope this solves your question
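The "remember me" flow that answer sketches, written out as an added example (it is not code from the original answer). It uses PDO with an in-memory SQLite database so it runs stand-alone with the pdo_sqlite extension; the table and column names, the one-month lifetime and the "selector:token" cookie format are assumptions. It goes a step beyond the answer in two ways a practitioner would want: the database stores only a SHA-256 hash of the random token, so a leaked table does not hand out working cookies, and the comparison uses hash_equals() so lookup timing does not leak anything. The cookie itself is only simulated as the string setcookie() would send.

```php
<?php
// Added example: a persistent "remember me" login token, stored hashed in the
// database with an expiry, rotated on login and revoked on explicit logout.

declare(strict_types=1);

const REMEMBER_TTL = 30 * 24 * 3600; // one month, matching the session length asked for

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE remember_tokens (
        selector   TEXT PRIMARY KEY,
        token_hash TEXT NOT NULL,
        user_id    INTEGER NOT NULL,
        expires_at INTEGER NOT NULL
    )');
    return $db;
}

// After a successful password login: mint a random token, store only its hash and
// an expiry, and return the raw "selector:token" value that goes into the cookie.
function issueRememberToken(PDO $db, int $userId, int $now): string
{
    $selector = bin2hex(random_bytes(8));
    $token    = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO remember_tokens VALUES (:s, :h, :u, :e)');
    $stmt->execute([
        ':s' => $selector,
        ':h' => hash('sha256', $token),
        ':u' => $userId,
        ':e' => $now + REMEMBER_TTL,
    ]);
    return $selector . ':' . $token;
}

// On a request with no live PHP session: look the row up by selector, refuse it if
// expired, and compare the token hash in constant time. Returns the user id or null.
function userFromRememberCookie(PDO $db, string $cookieValue, int $now): ?int
{
    if (substr_count($cookieValue, ':') !== 1) {
        return null;
    }
    [$selector, $token] = explode(':', $cookieValue, 2);
    $stmt = $db->prepare(
        'SELECT token_hash, user_id, expires_at FROM remember_tokens WHERE selector = :s');
    $stmt->execute([':s' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < $now) {
        return null;
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null;
    }
    return (int) $row['user_id'];
}

// Explicit logout: alongside session_destroy(), remove the token server-side so the
// cookie value is useless even if the browser keeps it.
function revokeRememberToken(PDO $db, string $cookieValue): void
{
    $selector = explode(':', $cookieValue, 2)[0];
    $db->prepare('DELETE FROM remember_tokens WHERE selector = :s')
       ->execute([':s' => $selector]);
}

// --- demonstration with a constructed user id ---
$db     = openDb();
$now    = time();
$cookie = issueRememberToken($db, 42, $now);

var_dump(userFromRememberCookie($db, $cookie, $now));                    // int(42)
var_dump(userFromRememberCookie($db, $cookie, $now + REMEMBER_TTL + 1)); // NULL: expired
var_dump(userFromRememberCookie($db, 'bogus:deadbeef', $now));           // NULL: unknown selector
revokeRememberToken($db, $cookie);
var_dump(userFromRememberCookie($db, $cookie, $now));                    // NULL: revoked at logout
```

In a real deployment the cookie would be set with setcookie('remember', $cookie, ['expires' => $now + REMEMBER_TTL, 'httponly' => true, 'secure' => true, 'samesite' => 'Lax']), and a successful token login should still start a fresh PHP session (session_regenerate_id()) rather than reviving the old one.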

Maintaining the session even after the browser is closed

Could anyone tell me how to maintain a session (in PHP) so that the session contents are preserved and are accessible even after the browser is restarted?
In general a session expires with the closing of a browser, but I want the session NOT TO BE CLOSED so that the session data can be accessed the next time the browser is used.
Thanks
There is a really good tutorial on how to save session contents to a database.
The only thing needed is to refill a new session with the saved data - there you go.
Store session data somewhere in a DB and keep session ID in an encrypted persistent HTTP-only cookie.