A question about PHP and Sessions

8 replies
Hello fellow developers, programmers and warriors,

I've got a question regarding the sessions that are stored on the server. There are a few things that kinda bug me, so if any of you can answer I'd be grateful.

So here is my question: do the sessions that are created get deleted after some time, and what time would that be? Also, if they get deleted, how can I use a cookie to retrieve a session from a user that came several weeks ago to the site, so he does not have to log in again... if I set the cookie value to the PHPSESSID value, then once I retrieve it again the session might not be there at all to make the user get logged in.

My question is how is that usually solved? Do you reset the cookie and set the session again, or is it possible to have the same session continue after such a long time?
#php #question #sessions
  • css
    If you are really using PHP(BB3?) then you must have seen all the cookie and session controls in the ACP. If not go look it up.
  • TheGodfather
    I think you misunderstood me...

    I'm writing my own code and my own site...

    and as for the looking up part.. I looked and couldn't find a decent answer to this... this is why I'm asking here...
    Signature

    TheGodfather

    Perception is reality

  • Voon
    Originally Posted by TheGodfather:

    So here is my question: do the sessions that are created get deleted after some time, and what time would that be,

    After the user closes their browser or the session expires (set in your php.ini), it is treated as garbage and waits for the garbage collector to clean up the file. PHP handles this on the backend.

    Originally Posted by TheGodfather:

    also if they get deleted how can I use a cookie to retrieve a session from a user that came several weeks ago to the site so he does not have to log in again... if I set the cookie value to the PHPSESSID value then once I retrieve it again the session might not be there at all to make the user get logged in.

    My question is how is that usually solved? Do you reset the cookie and set the session again or is it possible to have the same session continue after such a long time?

    Here's a simple example I used; I hope it clears things up.

    E.g. if a user logged in with the 'remember me' option turned on, I would create a chocolate.. erm cookie to hold their username and md5(password) data, along with the desired expiry date. When they come back, I would just verify the username and md5 string again. If everything's good, log them in with a new session.

    Notes:
    1. You don't need to continue the same PHP session after they come back. Just create a new session if the data matches. The session I store is merely login data, to help verify across web pages.

    2. The reason I store the username in the cookie is so that I can display their username on my page when they return. Of course you can use the User ID if you prefer.

    3. MD5 is one-way encryption, so I'm less afraid people would reverse engineer it. But don't store the plain password. A cookie is a text file that the user can access. Base64 it if you like.

    4. You control when the cookie expires. Once expired, the cookie will be deleted, your authentication will fail, and thus the user will have to log in again.

    5. My answer above is for reference only, to explain my concept of how to deal with this kind of problem. I suggest you google for a more secure way to implement this.

    Hope this helps.
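A more robust form of the 'remember me' cookie described in the post above, as an added example that is not part of the original thread: the cookie carries a random single-use token instead of anything derived from the password, and the server keeps only a hash of it. The function names, the `remember` cookie name, the in-memory `$tokenStore` (standing in for a database table) and user id 42 are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical store standing in for a database table:
// selector => ['user_id' => int, 'hash' => string, 'expires' => int]
$tokenStore = [];

// Issue a cookie value for a user; only a hash of the secret half is stored.
function issueRememberToken(array &$store, int $userId, int $ttl = 2592000): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret half, unrelated to the password
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + $ttl,
    ];
    return $selector . ':' . $validator;
}

// Return the user id for a valid cookie value, or null. Tokens are single-use.
function redeemRememberToken(array &$store, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);                // consumed on every attempt, valid or not
    if ($row['expires'] < time()) {
        return null;
    }
    // hash_equals() compares in constant time, avoiding a timing side channel
    return hash_equals($row['hash'], hash('sha256', $validator)) ? $row['user_id'] : null;
}

// Constructed walk-through: user 42 logs in with "remember me" ticked.
$value = issueRememberToken($tokenStore, 42);
setcookie('remember', $value, ['expires' => time() + 2592000, 'path' => '/',
    'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);

// Weeks later, no live session: redeem the cookie value (in a real request,
// $_COOKIE['remember']), start a NEW session, then issue a replacement token.
$userId = redeemRememberToken($tokenStore, $value);
if ($userId !== null) {
    session_start();
    session_regenerate_id(true);
    $_SESSION['uid'] = $userId;
}
```

Because the stored value is a hash of a random token, a leaked token table or a stolen cookie exposes nothing about the user's password, and deleting the row revokes the device.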
  • TheGodfather
    Thanks, this explained some concepts. One thing though... how do you add more than one piece of info to the cookie? I thought they are meant to hold only one value...

    Just for the record, I'm using the sha() function that provides 128 bit one way encryption... this is as safe as I can go online... if it was up to me I'd use 4096 bit encryption
    • Voon
      Originally Posted by TheGodfather:

      Thanks, this explained some concepts. One thing though... how do you add more than one piece of info to the cookie? I thought they are meant to hold only one value...

      Well, HomeComputerGames gives a good example.

      Originally Posted by TheGodfather:

      Just for the record, I'm using the sha() function that provides 128 bit one way encryption... this is as safe as I can go online... if it was up to me I'd use 4096 bit encryption

      It's nice to have a strong encryption algorithm in place. One thing though: stronger encryption doesn't necessarily mean better security. Most hackers are not going to beat that encryption. However, they would look for other easy vulnerabilities like SQL injection. So, proper validation helps (e.g. htmlspecialchars).
  • HomeComputerGames
    A cookie array may be what you want:
    PHP: setcookie - Manual

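    <?php
    // set the cookies (array-style names)
    setcookie("cookie[three]", "cookiethree");
    setcookie("cookie[two]", "cookietwo");
    setcookie("cookie[one]", "cookieone");

    // after the page reloads, print them out
    // cookie contents are client-controlled: check the type and escape before output
    if (isset($_COOKIE['cookie']) && is_array($_COOKIE['cookie'])) {
        foreach ($_COOKIE['cookie'] as $name => $value) {
            if (!is_string($value)) {
                continue; // nested arrays are not expected here
            }
            echo htmlspecialchars((string) $name) . " : " . htmlspecialchars($value) . " <br />\n";
        }
    }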

    Signature

    yes, I am....

  • TheGodfather
    I have managed to come up with a script that solves my problems. I have managed to eliminate the sessions completely out of use and have managed to maintain security. All data is encrypted and the user can log in after several months of absence without any problems.

    I'm currently in the phase of adding extra functionality to the script, who knows I might just sell it and make a fortune

    Thanks for all your help, together you have all helped me to group all that knowledge and compress it into an out-of-the-box idea

    Thanks guys
    • Voon
      Originally Posted by TheGodfather:

      who knows I might just sell it and make a fortune

      aha.. I sense commission..