
session start


jimfog


You need to set the session cookie to expire with the session data itself. Otherwise, it expires when the browser closes.
You said "when the browser closes". Does the above also include when the tab closes?

No, it does not include tabs. The session works with each process the browser starts. Closing a tab does not close the process; closing the browser does.


There's a good thread here describing various aspects surrounding logging in users: http://stackoverflow...tication#477579
I read this thread, not all of it, just the section about the "remember me" functionality. The article is very good but it only deals with the theory. I need to know (coding, functions, etc.) how I am going to set a persistent cookie in the user's browser so that, as stated above, he will be automatically logged in when he visits the site.

It is done by setting another cookie using setcookie(), where you can set the lifespan of your cookie. That cookie will hold a hashed key of mixed data like the username, the time it was set, a partial password, etc., but the hash should have a different value from the hashed password. In the database you will have two columns: one for that remember-me token and one for the timestamp of when it was set. In your login script you will check whether the user is logged in or not. If not, you will look for the existence of the cookie; if it does exist, query the value in the database and pull the timestamp of the token. You will then compare the timestamp with the current timestamp; if it is within a certain amount of time, make your user authenticated. When the user logs out, make sure to delete the tokens in the database and also the cookies. The link you just read has information about the risks of using a persistent cookie for authentication. It is just like a password; still, it is risky against cookie theft. Our browser has by default a feature called "remember me" which serves the purpose well with better security. http://php.net/setcookie

Edited by birbal

I just briefly saw the tutorial on php.net about setcookie. Before proceeding and setting a persistent cookie, I want to ask a question. According to the tutorial, the function should be called before any output, meaning the cookie should be sent before the browser starts the output. So far I have used a temporary cookie (session expires upon closing of the browser). I start the session with the function session start (which also sends a cookie to the browser), and I place the function AFTER the head section of the site; nonetheless, so far I have not gotten any error message about the cookie being sent after output began. Does this restriction about sending the cookie before the output hold only for the setcookie function?


A session cookie is also a cookie. Every cookie goes with the headers, so once the headers are sent when output has started in the browser, there is no way to send back the cookie on the same request. This rule applies to every cookie, session cookie or ordinary cookie. The reason you are not getting any error could be that you are using output buffering, or your php.ini setting is set to implicitly enable output buffering.


The reason you are not getting any error could be you are using output buffering or your php.ini setting is set to implicitly enable output buffering.
I have not made any adjustments regarding output buffering, but just to be certain, here is a code example. I want you to tell me if session start is positioned wrongly:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>Appointmetns24x7</title>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <link rel="stylesheet" href="css/admingeneral.css"/>
        <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.0/jquery.min.js"></script>
        <script type="text/javascript" src="js/js-code.js"></script>
    </head>
    <?php
    require_once 'output_functions.php';
    session_start();
    $logout = '<li><a href="logout.php">Αποσύνδεση</a></li>';
    ?>
    <body>

According to you, judging from where I have placed session_start, I should get an error. Correct?


It should be above all, above the DOCTYPE declaration. Yes, you should get an error (assuming you have enabled display_errors and set error_reporting to E_ALL). If you can still use the session and your code works properly, it is "output_buffering" which is doing this. You can check your php.ini for this directive and whether it is enabled. It could have been enabled previously.


I found this, related to the output buffering:

output_buffering = 4096

Am I correct to assume that it is ON and that is the reason I do not get the error message? Yes, this was the reason after all that I did not get the error: output buffering. Now I get the error.

Edited by jimfog

output_buffering = 4096
It is the maximum buffer size for the output buffer: http://php.net/manual/en/outcontrol.configuration.php

You need to call that function before you call session_start on every page, if you've already started the session on another page without changing the cookie parameters I don't think it will have any effect to try and do it later..
Isn't it enough to use setcookie() on the first page the user visits (usually the home page) and then subsequently use just session start on the rest of the pages of the site? Using setcookie more than once is like sending multiple cookies to the browser. Is it OK to do that?
It is done by setting another cookie using setcookie(), where you can set the lifespan of your cookie. That cookie will hold a hashed key of mixed data like the username
Regarding the above statement: how am I going to use setcookie to hold the username? In the PHP manual it mentions things like name, value, time span, etc., but where exactly does the username "go"? Edited by jimfog

Using setcookie more than once is like sending multiple cookies to the browser. Is it OK to do that?
You can set as many cookies as you want, but they have to be sent before any output has been made. setcookie() is not responsible for the session cookie. session_set_cookie_params() holds the options for handling the session cookie. When you use a session, the session cookie is handled automatically with the help of the parameters you set. So session_set_cookie_params() should be used before you use the session and before you use session_start().
Regarding the above statement: how am I going to use setcookie to hold the username? In the PHP manual it mentions things like name, value, time span, etc., but where exactly does the username "go"?
The 'value' will hold the hash of the username and other things which will identify a user. A cookie works with a name-value pair.

setcookie() is not responsible for the session cookie. session_set_cookie_params() holds the options for handling the session cookie. When you use a session, the session cookie is handled automatically with the help of the parameters you set. So session_set_cookie_params() should be used before you use the session and before you use session_start().
Then if setcookie() is not used for the session, what is it used for? Is it maybe that setcookie sends ONLY the cookie? setcookie has the expire property and session_set_cookie_params has the lifetime property. Are these properties the same? It is difficult to understand from what the php.net manual says. You also say that "value" will hold the hash of the username. Yes, but the "value" property is found ONLY in setcookie() and NOT in session_set_cookie_params. Edited by jimfog

Then if setcookie() is not used for the session, what is it used for? Is it maybe that setcookie sends ONLY the cookie?
Yes, it is only for a cookie (ordinary).
Are these properties the same?
Yes.
You also say that "value" will hold the hash of the username. Yes, but the "value" property is found ONLY in setcookie() and NOT in session_set_cookie_params.
Because every time, for the session cookie, the "name" is the session name you have set (e.g. PHPSESSID by default) and the value is the session ID which PHP generates or received (e.g. some alphanumeric number). PHP knows what its value is and what to set it to. There is no exception to that, so there is no other option for value in the session cookie params. Edited by birbal

Ok, all in all, to implement the "remember me" option do I need both setcookie and session_parameters functions? And the username hash will go to setcookie.


No, you don't need both. Those cookies are just regular cookies, not session cookies. I've never seen someone use a session cookie to remember a user long-term. Persistent login cookies usually require more security than a cookie with just a session ID (that would be similar to a cookie with just a user ID, which is easy to impersonate without any extra security).


Then what am I going to do in order to remember the cookie long-term, if session cookies are not the solution to it?


Then what am I going to do in order to remember the cookie long-term, if session cookies are not the solution to it?
No, you don't need both. Those cookies are just regular cookies, not session cookies

Use a regular cookie, like birbal and JSG have been trying to explain to you.
OK, the truth is that I got "lost" in this topic as to what I have to do. Regular cookies are the way to go, after all.

You actually use both. You use a session like you normally do, a session doesn't replace a persistent login cookie and vice-versa. You still use the session the way you always have, to store information related to the current session. The persistent login cookie is only needed if someone shows up who isn't logged in. You check to see if that cookie exists before sending them to the login page.


So, as I have understood so far: session cookie to "transfer" data from page to page, and ordinary cookie to deploy the persistent connection mechanism.


AT LAST, things are clear now. Now to convert it to code...

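The flow described earlier in the thread (a persistent cookie set with setcookie(), token and timestamp columns in the database, a timestamp check when no session login exists, deletion on logout), as an added PHP example that is not code from any poster here. It departs from that description in one respect: the token is a random value and only its SHA-256 hash is stored, instead of a hash built from the username and password parts. The table, cookie and function names are assumptions, and in-memory SQLite stands in for the site's database.

```php
<?php
// Added example. Assumed names: remember_tokens table, "remember_me" cookie, 30-day lifetime.
const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 30 * 24 * 3600;   // seconds a token stays valid

function store(): PDO {                   // in-memory SQLite stands in for the real database
    static $db = null;
    if ($db === null) {
        $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $db->exec('CREATE TABLE remember_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER, created_at INTEGER)');
    }
    return $db;
}

// After a successful password login with "remember me" ticked. Sends a cookie
// header, so it must run before any output (PHP 7.3+ for the options array).
function issueRememberToken(int $userId): string {
    $token = bin2hex(random_bytes(32));   // random value, not built from username or password
    store()->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?)')
           ->execute([hash('sha256', $token), $userId, time()]);  // only the hash is stored
    setcookie(REMEMBER_COOKIE, $token, [
        'expires' => time() + REMEMBER_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',  // assumes an HTTPS site
    ]);
    return $token;
}

// When the session has no logged-in user: pass $_COOKIE[REMEMBER_COOKIE] ?? null.
function userFromRememberCookie(?string $cookieValue): ?int {
    if ($cookieValue === null || $cookieValue === '') return null;
    $q = store()->prepare('SELECT user_id, created_at FROM remember_tokens WHERE token_hash = ?');
    $q->execute([hash('sha256', $cookieValue)]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || time() - (int) $row['created_at'] > REMEMBER_TTL) return null;
    return (int) $row['user_id'];         // caller then sets $_SESSION and regenerates the session id
}

// Logout: delete the database row and expire the cookie in the browser.
function forgetRememberToken(string $cookieValue): void {
    store()->prepare('DELETE FROM remember_tokens WHERE token_hash = ?')
           ->execute([hash('sha256', $cookieValue)]);
    setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
}

// Constructed run (CLI): valid token, altered token, then the same token after logout.
$t = issueRememberToken(42);
$seen = [userFromRememberCookie($t), userFromRememberCookie($t . 'x')];
forgetRememberToken($t);
var_dump($seen, userFromRememberCookie($t));
```

The constructed run prints only after the last setcookie() call, which keeps to the rule discussed in the thread that cookie headers must be sent before any output.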
