wavez Posted January 1, 2012 Share Posted January 1, 2012 I've taken and redesigned a whole bunch of example and tutorial code pieces for my small project. I have a MySQL database working now (I realized it's easier than using flat files) and I need to get user accounts working. I'm having a lot of trouble understanding how PHP sessions work. Assuming a user has logged in and is now clicking on links and browsing around, on each page load, don't I need to check the session variable to load his username, and also check that his session is current? How do I check that the session is current? None of the examples / tutorials that I'm finding online even mention how my code is to know which user the page is being served to. Does session_start() have a magic feature that makes this check unnecessary? I know I can use cookies, but I figured I would code it without since some articles seem to indicate that cookies don't have to be required to support typical user session functionality. Quote Link to comment Share on other sites More sharing options...
wavez Posted January 1, 2012 Author Share Posted January 1, 2012 I'm also trying to figure out if session_name() does or does not do something that I need. Quote Link to comment Share on other sites More sharing options...
wavez Posted January 1, 2012 Author Share Posted January 1, 2012 When is the session destroyed? Does it have a timeout feature? How do I know, upon page request, if the user HAD an active session but it timed out (versus the situation where the user requested my page but didn't have an active session yet that day)? Quote Link to comment Share on other sites More sharing options...
wavez Posted January 1, 2012 Author Share Posted January 1, 2012 Note:If you are not experienced with session programming it is not recommended that you use sessions on a website that requires high-security, as there are security holes that take some advanced techniques to plug. On second thought, maybe it is easier and more expedient for me to store a hash key in the DB for each user account and just compare that against a matching cookie upon every page load. That means querying my DB on every request though. Quote Link to comment Share on other sites More sharing options...
kicken Posted January 1, 2012 Share Posted January 1, 2012 None of the examples / tutorials that I'm finding online even mention how my code is to know which user the page is being served to. Does session_start() have a magic feature that makes this check unnecessary? When you start a session, a unique ID is generated and assigned to that user by way of setting a cookie. The name of this cookie is set by the session_name() function, and defaults to PHPSESSID. Whenever the user visits a page, it's browser sends this cookie back to the server. When you call session_start, it first checks to see if this cookie value exists. If it does, it resumes that session by loading the data associated with that session out of a file. If no cookie value is sent then it starts a new session by generating an ID, as mentioned above. This cookie value is how you know which user is requesting the page. All this typically happens behind the scenes. You can customize the process if desired but usually you do not need to. I know I can use cookies, but I figured I would code it without since some articles seem to indicate that cookies don't have to be required to support typical user session functionality. You can pass the session id in the URL instead of as a cookie value, however this is not recommended as users may copy/paste a url to your site which contains the session id and send it to another person. This other person would then resume the first users session, even though they shouldn't. This is known as session hijacking. There are ways to prevent it (and you should even when using cookies) but by not passing the ID around in the url you go a long way toward preventing it. When is the session destroyed? Does it have a timeout feature? How do I know, upon page request, if the user HAD an active session but it timed out (versus the situation where the user requested my page but didn't have an active session yet that day)? PHP cleans up the session data files periodically through a garbage collection process. When the data file is removed this way, the session is destroyed. You can also manually destroy it, such as on a logout page using session_destroy(). These configuration directives control this process: session.gc_probability session.gc_divisor session.gc_maxlifetime The gc_maxlifetime is the duration in seconds before the session is considered inactive and cleaned up. It defaults to about 20 minutes. When checking inactivity it compares the duration between when the session was last used and the current time. The last used time is the last time a request was sent using that session id. You don't really know if the session is timed out. It just disappears. If the user's session timed out, say from them going out to lunch, and php cleans up the session file, the next time they load a page it will be as if they are starting a brand new session. Quote Link to comment Share on other sites More sharing options...
wavez Posted January 1, 2012 Author Share Posted January 1, 2012 Thanks kicken. How do sessions function if the user disables cookies? Quote Link to comment Share on other sites More sharing options...
trq Posted January 1, 2012 Share Posted January 1, 2012 They generally don't function without cookies. Though you can pass the session id around through the url. Generally though, people are aware that disabling cookies breaks there own user experience on the web. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.