Session


dalawh

I was wondering how sessions work and how similar they are to cookies. Is there a set of indexes for sessions or do you define your own? What do sessions look like? Are they like cookies, where each cookie is like a file with a bunch of variables? Where are the sessions stored?


A session is like a cookie that gets stored on the server. With a regular cookie, all of the data in the cookie is saved on the client. You can change your cookies manually and send them to the server with the changed values. With a session, the only thing the client stores is the session ID. It sends the session ID to the server which looks up the session data to use for that request. You can't manually change the session data on the server, only the server can. Other than that, in PHP the $_SESSION array is just like a regular array that you can use like any other array. The php.ini file contains options for how to store sessions. The default is to store them in files in the server's temp directory. You can override the session handlers if you want to implement custom storage, like storing them in a database.


So is there any real reason to use a session? Why not just use a database instead, since they both require the server? The session is stored somewhere on the server, which can be found in the php.ini file, and the session indexes are defined in the php.ini file. So the session variables, http://w3schools.com/php/php_sessions.asp, were already pre-set in the php.ini and vary from case to case?


You use a session to store user data that you don't want the user to be able to edit. Things like the ID of the user who is logged in, whether they are an admin, temporary data relating to their browsing session, etc.

the session indexes are defined in the php.ini file
No they aren't. The name of the cookie to use for the session ID is in php.ini, and a few other options relating to how sessions are handled. These are the configuration options relating to sessions: http://www.php.net/manual/en/session.configuration.php Other than that, like I said, the $_SESSION array is like any other array in PHP except it is super-global, that's the only difference. You can use any array function with $_SESSION.

A session cookie's lifetime is by default till the browser did not get closed or closing the page. In a web application your server does not know who you are. They keep track via session. A session gets you recognised through an active session in various pages of sites. php.ini stores the settings of the session, that is, how the session will be handled. Session IDs are different for different users, so they will point to different data sets for different users.


Session allows you to associate the data with a specific site visitor.
I know that, but so does a database. The SID is stored as a cookie and using that cookie, it finds the specific session on the server, so what I tried to ask was why not just use a database instead?
You use a session to store user data that you don't want the user to be able to edit. Things like the ID of the user who is logged in, whether they are an admin, temporary data relating to their browsing session, etc. No they aren't. The name of the cookie to use for the session ID is in php.ini, and a few other options relating to how sessions are handled. These are the configuration options relating to sessions: http://www.php.net/m...nfiguration.php Other than that, like I said, the $_SESSION array is like any other array in PHP except it is super-global, that's the only difference. You can use any array function with $_SESSION.
Can't I use a database instead, which won't allow a user to edit the information like a session? If so, why not just use a database over a session? I am not looking for the index of the cookie to be used for the session. I am wondering what were the indexes of the session. Are they self defined or are they like cookies, where they are pre-set?
A session cookie's lifetime is by default till the browser did not get closed or closing the page. In a web application your server does not know who you are. They keep track via session. A session gets you recognised through an active session in various pages of sites. php.ini stores the settings of the session, that is, how the session will be handled. Session IDs are different for different users, so they will point to different data sets for different users.
Your first sentence confused me. Were you trying to say that the session's cookie lifetime is alive until the browser is closed or closing the tab or going to a different page? Does the cookie get deleted when you close one of the above three options? How long does the session stay alive? After the session closes, and the user returns, it creates a new ID? Is the new ID something that has never been used or does it at one point overlap? Since the server doesn't know who you are, it uses a cookie to match it with the session to figure who you are, can't you just use a cookie and a database instead?

Database access is slower than sessions because with sessions the session data is stored on the local server while the database is usually on a separate server. Either way, some people program their own session engines so that they can have more control over it.


Can't I use a database instead, which won't allow a user to edit the information like a session? If so, why not just use a database over a session?
You're just talking about how it stores the data, not whether a session is useful. If you want to store it in a database then you can use a custom session save handler to do that. There's no reason to reinvent the entire session process (starting, reading, writing, garbage collection, etc) just because you want to save your data in a database instead. Just use a custom session save handler and save your data wherever you want to. Here's an example: http://w3schools.invisionzone.com/index.php?showtopic=9731
I am wondering what were the indexes of the session. Are they self defined or are they like cookies, where they are pre-set?
When you say "index", I'm assuming you're referring to the index of the arrays in PHP. Like with cookies, you set your own indexes in the session array. If you're talking about the options to use for the cookie, there are functions and configuration options where you can specify the options for the session cookie, like path, host, lifetime, etc.

Your first sentence confused me. Were you trying to say that the session's cookie lifetime is alive until the browser is closed or closing the tab or going to a different page?
Yes, if you close the page or tab the session will be lost.
How long does the session stay alive?
It is 15 minutes by default, but it is configurable.
and the user returns, it creates a new ID? Is the new ID something that has never been used or does it at one point overlap?
If you look into the tutorials you will find a function session_start(). It is what receives the session ID (via cookie); if the session ID matches it resumes that, otherwise it creates a new one.
Since the server doesn't know who you are, it uses a cookie to match it with the session to figure who you are, can't you just use a cookie and a database instead?
Yes, you can store it in a database, but that is not the common behaviour of session handling. You have to override its behaviour using the session_set_save_handler() function. http://php.net/session_start http://php.net/session_set_save_handler

Guest So Called
I know that, but so does a database. The SID is stored as a cookie and using that cookie, it finds the specific session on the server, so what I tried to ask was why not just use a database instead?
With almost any kind of programming including web programming there are vast varieties of ways to do the same thing. As a programmer it's your job to find the most efficient and effective way to accomplish your job. I can't think of anything you could do with a session (and session cookie) that you couldn't do with a database (and a cookie). Which way would be easier? That's hard to say not knowing the specifics of the application.

When you say "index", I'm assuming you're referring to the index of the arrays in PHP. Like with cookies, you set your own indexes in the session array. If you're talking about the options to use for the cookie, there are functions and configuration options where you can specify the options for the session cookie, like path, host, lifetime, etc.
That somewhat sounds like what I mean. Just like how cookies only contain these 7 variables: http://www.php.net/manual/en/function.setcookie.php, I wanted to know if sessions contained certain variables. If it did can you link me because I can't seem to find it.
Yes, if you close the page or tab the session will be lost. It is 15 minutes by default, but it is configurable.
Wait... which is it? The session closes when you close the window/tab and it closes if the window/tab hasn't been visited for 15 minutes?
If you look into the tutorials you will find a function session_start(). It is what receives the session ID (via cookie); if the session ID matches it resumes that, otherwise it creates a new one.
So even after the session closes, the cookie of the SID doesn't get deleted? All of the sessions gets saved on the server even after it closes? When does it permanently get deleted?
Yes, you can store it in a database, but that is not the common behaviour of session handling. You have to override its behaviour using the session_set_save_handler() function. http://php.net/session_start http://php.net/sessi...et_save_handler
Oh okay.

Guest So Called

Those "seven variables" mean nothing. You can encode whatever you want in your cookie ("contents"). You can have multiple cookies. Session cookies (and sessions) are what they are. When you close your browser the session is gone, as is the session cookie. You can configure the maximum session lifetime. My own shared hosting is set to 1440 seconds (about 24 minutes) but I can reconfigure that. You can use a persistent cookie to identify a visitor and relate them to anything you want stored in your database. You can add your own custom values to the $_SESSION array. You are not restricted to default parameters.


Those "seven variables" mean nothing. You can encode whatever you want in your cookie ("contents"). You can have multiple cookies. Session cookies (and sessions) are what they are. When you close your browser the session is gone, as is the session cookie. You can configure the maximum session lifetime. My own shared hosting is set to 1440 seconds (about 24 minutes) but I can reconfigure that. You can use a persistent cookie to identify a visitor and relate them to anything you want stored in your database. You can add your own custom values to the $_SESSION array. You are not restricted to default parameters.
Even if you can encode everything in the content, those seven variables do mean something. I was wondering if sessions had the same and if they did, can you link me to them. If a session closes when the page closes, the 15 minutes is unrelated to it? So even after the session closes, the cookie of the SID doesn't get deleted? All of the sessions gets saved on the server even after it closes? When does it permanently get deleted?

Wait... which is it? The session closes when you close the window/tab and it closes if the window/tab hasn't been visited for 15 minutes?
Any one of them, whichever occurs first. A cookie is just some name-value pairs which are stored on the client computer. The 7 parameters have different purposes, which are stated in the manual.
So even after the session closes, the cookie of the SID doesn't get deleted? All of the sessions gets saved on the server even after it closes? When does it permanently get deleted?
It does not matter if the session cookie exists or not on the client machine if the session data itself gets deleted from the server. There will be no data there that the session cookie can point to. One case is when session data on the server is deleted automatically by the session garbage collector after a certain amount of time (15 minutes by default) or by any implicit deletion of the session file or database. GC checks for which session IDs did not get updated in 15 minutes and deletes those. At that moment the session cookie may still be there as you did not close the browser, but as there is no data on the server you lost your session. Another case is when the browser is closed or the tab is closed: the session cookie will be deleted but session data on the server may still exist, which will be auto-deleted by GC after the specified amount of time. As at that time you don't have the session cookie, you lost your session.

Guest So Called

I meant the seven variables mean nothing as variables that you can store data in, except the one called 'value.' The other ones set things like its name, when the cookie expires, etc. The maximum session lifetime can be set in your php.ini. I think it's session.gc_maxlifetime. That's as long as the server will save the session data. When the browser is closed the session cookie it was using disappears. As far as the browser is concerned the session is over.


It doesn't matter. The only thing that matters is that when you read data it returns the same thing that it did when you wrote the data. If you look at the documentation for session_set_save_handler then you can see in the write function it takes a session ID and a string of data. PHP builds that data before writing it to the session. When it reads the session it reads the entire data, and again PHP breaks that up and rebuilds the session. It's not important what format the data is in, but if you want to implement the database session handler then you can look in the database and see for yourself what it saved.


That somewhat sounds like what I mean. Just like how cookies only contain these 7 variables: http://www.php.net/m...n.setcookie.php, I wanted to know if sessions contained certain variables. If it did can you link me because I can't seem to find it.
Get your terminology straight, as your questions are starting to become confusing. The setcookie() function only contains these 7 arguments (sometimes called "parameters") that influence the cookie given to the browser by PHP. The value of any argument of any function may be a variable, a constant, a literal or the return value of a function. The session cookie is given to the browser at the start of a session, and is given back to the server, by the browser, at subsequent requests (like any other cookie). The value of the session cookie is a session ID. Upon calling session_start(), PHP reads the session ID in the session cookie, if such a cookie was sent. Every session ID is associated with session data. The session data is stored on the server. The client stores only the session cookie. By default, the session data lasts up to 1440 seconds or 24 minutes (according to what the PHP manual is saying about the current version; maybe this 15 minute thing was true once upon a time, I don't know), but this can be set to a different time in php.ini. By default, the session cookie lasts up until the user closes their browser, but this can be configured otherwise in php.ini or by calling the session_set_cookie_params() function with appropriate values for its arguments. There is a lot going on with sessions, so you need to know your terms before you can grasp not only the "what", but also the "why". If you don't understand my explanation above, please point to a specific term (any of the bold stuff) so that we can clarify that further.
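
The two lifetimes in the post above are separate settings, and PHP's garbage collection only runs on a fraction of requests, so stored session data can outlive session.gc_maxlifetime. The following is an added example, not code from the thread; it assumes PHP 8, and IDLE_LIMIT, start_session_with_idle_limit() and the 'last_seen' key are illustrative names. It sets both lifetimes and enforces the idle limit in code:

```php
<?php
// Added example, not from the thread. IDLE_LIMIT, 'last_seen' and the
// function name are illustrative assumptions.
declare(strict_types=1);

const IDLE_LIMIT = 1440; // seconds, the documented default gc_maxlifetime

// Server side: how long stored session data may sit idle before GC may delete it.
ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
// Refuse session IDs that this server did not issue.
ini_set('session.use_strict_mode', '1');

// Client side: lifetime and scope of the cookie that carries the session ID.
session_set_cookie_params([
    'lifetime' => 0,      // 0 = cookie lasts until the browser is closed
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);

/**
 * Start the session and apply the idle limit explicitly instead of waiting
 * for garbage collection. Returns true when an existing, still-valid session
 * was resumed and false when the caller got a fresh, empty one.
 */
function start_session_with_idle_limit(int $now): bool
{
    session_start();
    $last = $_SESSION['last_seen'] ?? null;
    $resumed = is_int($last) && ($now - $last) <= IDLE_LIMIT;
    if (!$resumed) {
        $_SESSION = [];               // drop any stale data
        session_regenerate_id(true);  // new ID, old server-side record deleted
    }
    $_SESSION['last_seen'] = $now;
    return $resumed;
}

// Three simulated requests with constructed timestamps. All session calls
// happen before any output so no headers-already-sent warning is raised.
$t0 = 1_700_000_000;
$first  = start_session_with_idle_limit($t0);         // no prior session
session_write_close();
$second = start_session_with_idle_limit($t0 + 600);   // 10 minutes later
session_write_close();
$third  = start_session_with_idle_limit($t0 + 2600);  // 2000 s idle since then
session_write_close();
var_dump($first, $second, $third);
```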

It doesn't matter. The only thing that matters is that when you read data it returns the same thing that it did when you wrote the data. If you look at the documentation for session_set_save_handler then you can see in the write function it takes a session ID and a string of data. PHP builds that data before writing it to the session. When it reads the session it reads the entire data, and again PHP breaks that up and rebuilds the session. It's not important what format the data is in, but if you want to implement the database session handler then you can look in the database and see for yourself what it saved.
The reason I asked about the format is because I wanted to know what type of data it stores that way I know what I can use it for.
Get your terminology straight, as your questions are starting to become confusing. The setcookie() function only contains these 7 arguments (sometimes called "parameters") that influence the cookie given to the browser by PHP. The value of any argument of any function may be a variable, a constant, a literal or the return value of a function. The session cookie is given to the browser at the start of a session, and is given back to the server, by the browser, at subsequent requests (like any other cookie). The value of the session cookie is a session ID. Upon calling session_start(), PHP reads the session ID in the session cookie, if such a cookie was sent. Every session ID is associated with session data. The session data is stored on the server. The client stores only the session cookie. By default, the session data lasts up to 1440 seconds or 24 minutes (according to what the PHP manual is saying about the current version; maybe this 15 minute thing was true once upon a time, I don't know), but this can be set to a different time in php.ini. By default, the session cookie lasts up until the user closes their browser, but this can be configured otherwise in php.ini or by calling the session_set_cookie_params() function with appropriate values for its arguments. There is a lot going on with sessions, so you need to know your terms before you can grasp not only the "what", but also the "why". If you don't understand my explanation above, please point to a specific term (any of the bold stuff) so that we can clarify that further.
That makes sense, but the bold made it a little hard to read. Quite distracting, but I see your point of using it. All that is left is to understand the data on the server. Can you explain that? Like what it looks like and what can be stored, etc.

You mean the session data? With the default "file" session handler, there is one file per session ID (which is in fact named after the session ID), and its contents is one that fits a custom format ("custom" as in "defined by the PHP developers") that PHP understands. I believe the contents is equivalent to writing the output of serialize($_SESSION) into a file, but I'm not sure honestly. You don't need to ever bother with it anyway, as you'll only ever be working with the $_SESSION superglobal array. If you develop your own session handler (e.g. one that writes to a DB, per your earlier suggestion), you can make the data look in any way you like, as long as you define a way to both read and write it.


You can store any scalar data in the session (integers, strings, booleans, etc), you can store arrays, you can store objects as long as you have the class defined before re-starting the session. You cannot store resources like a database connection or open file handle. Check the manual for other information, the table of contents is on the left. http://www.php.net/manual/en/intro.session.php


Guest So Called

You can store any data you want in $_SESSION. For example, I have a script that generates a CAPTCHA image. It stores a hash of the CAPTCHA string in $_SESSION['hashed_code'] that the visitor will have to type in. My contact form processing script takes the string that the visitor typed in, hashes it using the same method as the CAPTCHA generator, then compares the result with the hash stored in $_SESSION['hashed_code']. If they match then the form is accepted. Also, the number of attempts is stored in the $_SESSION array, preventing what is called a dictionary attack (or just trying every possible combination of characters to overpower the CAPTCHA). When $_SESSION['number_of_attempts'] gets over a maximum the form refuses to accept any more input attempts. You can find what is stored in $_SESSION using print_r() or one of the other methods of displaying variables. It seems to me but I'm not certain because I haven't looked in a long time, but IIRC there isn't much of anything stored in $_SESSION by default. Just write a bit of test code and start it up and look for yourself. $_SESSION is a tool. It allows you to create a link between a specific visitor that lasts over multiple accesses of your site. Whatever your reason is for wanting to create a session will determine what you want to store there.

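
The CAPTCHA flow described in the post above, written out as an added example (not So Called's actual script). The two session keys come from the post; MAX_ATTEMPTS, the SHA-256 hash and the function names are assumptions, and a plain array stands in for $_SESSION so the block runs from the command line.

```php
<?php
// Added example, not the poster's script. MAX_ATTEMPTS, the SHA-256 hash and
// the function names are assumptions; the two session keys are from the post.
declare(strict_types=1);

const MAX_ATTEMPTS = 5;

function captcha_hash(string $code): string
{
    // Normalise the same way on both sides so the match is case-insensitive.
    return hash('sha256', strtolower(trim($code)));
}

// Called by the image generator: keep only the hash and reset the counter.
function captcha_issue(array &$session, string $code): void
{
    $session['hashed_code'] = captcha_hash($code);
    $session['number_of_attempts'] = 0;
}

// Called by the form handler. Returns 'ok', 'wrong' or 'locked'.
function captcha_check(array &$session, string $typed): string
{
    if (!isset($session['hashed_code'])) {
        return 'locked';                    // nothing issued, or already used
    }
    if ($session['number_of_attempts'] >= MAX_ATTEMPTS) {
        unset($session['hashed_code']);     // a fresh CAPTCHA is required
        return 'locked';
    }
    $session['number_of_attempts']++;
    // hash_equals() compares in constant time.
    if (hash_equals($session['hashed_code'], captcha_hash($typed))) {
        unset($session['hashed_code']);     // one successful use only
        return 'ok';
    }
    return 'wrong';
}

// In a real page, pass $_SESSION after session_start().
$session = [];
captcha_issue($session, 'K7pQ2');           // constructed sample code
$results = [];
foreach (['aaaaa', 'bbbbb', 'k7pq2', 'k7pq2'] as $guess) {
    $results[] = captcha_check($session, $guess);
}
print_r($results);
```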

I feel like I am being somewhat repetitive. I am sorry for taking up your time, but I like to get things straight and fully understood, which saves me time in the long run. I used to bs my way through before without understanding things and it only made things more complicated in the end. Please correct me if I am wrong. Each $_COOKIE has its own index ($_COOKIE['indexName']) aka the cookies and each index/cookie has its own file variables. I am trying to picture the same for the $_SESSION on the server side. I already understand the client side (cookie). Each $_SESSION has its own index ($_SESSION['indexName']) and each index has its own file variables. I am trying to figure out what file variables are listed under the indexes of $_SESSION. I hope this makes more sense. The index are defined in the php.ini. Each user has its own session cookie ($_COOKIE), which has a SID that matches with a $_SESSION on the server. Where is that SID stored in the $_SESSION? Is it a file variable stored under all the indexes of the $_SESSION or does it have its own index? I can view my cookies using chrome, but how can I view my sessions?


Guest So Called

The qualities you named are client side qualities! You can see them even in PHP sessions, just look at your cookies right now for this site, hint: PHPSESSID. As a site visitor these are all the variables that you can see. As the site author you can write code that will tell you anything else in the $_SESSION array. This stuff is kept on the server. You can't view that unless it's your server or unless you write code that displays that to visitors. As a site visitor the only thing you will see that makes a session cookie different than any other cookie is that it expires at end of session. That is one of the reasons why they are called session cookies.
