[Resolved] How do PHP Sessions work?

davidjam

In my script I want to make sure that the client session is actually working (i.e. the site depends on session support). Here's the function:

class page() {
     function session() {
          session_start();
          $_SESSION['test'] = true;
          if(!$_SESSION['test']) {
               $this->cookie_warning = "Cookies must be enabled to use this site.";
          } else {
               unset($_SESSION['test']);
          }
     }
}

.. and here's the parent script:

$page->session();
.. code ..
print $page->cookie_warning;

.. and here's the php.ini settings

session.use_cookies = 1
session.use_only_cookies = 1
session.use_trans_sid = 0
// these settings are intentional so that PHP will only try to set the session via cookies. I want the session to fail so I can see the warning!

Furthermore, I have set firefox to not accept cookies and have emptied the cookie cache.

But still the session is registered. How is this happening???

rehfeld

-you call session start
- php checks to see if the browser has sent a cookie to the server w/ a unique identifier in it(the session id)
- if so, it then checks its session_save directory for a file w/ the name of the session id
- if it finds this file, it parses the file and sets the variables into the $_SESSION array

if the browser did NOT send a cookie w/ a sess_id in it, then php sends a cookie back to the client w/ a session id, which the browser will then send back to the server on subsequent requests.

at the end of the scripts execution, php will look at all the values you have put/removed/changed from $_SESSION, and update this users session file accordingly.

you cant check if the browser accepts cookies or not using your current method. this is because as soon as you set a session variable, its set within php. that variable will ALWAYS exist at LEAST until the next page refresh. the only way the variable will dissapear, is if on the next page request, the browser fails to send a cookie w/ the session id in it, which causes php to be unable to load thier session file w/ the data in it. in this case php would start a new session, and if the browser doesnt accept cookies, it will keep starting a new session on EVERY page request.

to check if the browser accepts cookies or not, you need to refresh/redirect to a page which will check this. there is no way possible to do this without refreshing the page, or loading a second page, because http is a stateless protocol. well, i shouldnt say impossible, but it would be pretty involved to make something reliable.


<?php


session_start();

if (!isset($_SESSION['cookie_flag']) && isset($_GET['cookie_test'])) {
    // this browser does not accept cookies
} elseif (!isset($_SESSION['cookie_flag'])) { // we dont know if they accept cookies or not, so lets test it
    $_SESSION['cookie_flag'] = true; // lets set a session var to see if it persists to the next page request
    header('Location: http://example.org/session_test.php?cookie_test=true'); // redirect to this same script, but set a _GET variable to let us know we tried to set a session var
    exit;
} else {
    // $_SESSION['cookie_flag'] was set so we are sure the browser accepts cookies
}







?>

davidjam

thanks rehfeld, I just breezed through your reply and ... thanks for the information ... but the whole building here is cutting out early for new years, so I'll be back on monday and give your reply a slow read, although I think I see the main problem.

Till then, happy new year to you! 🙂

davidjam

Originally posted by rehfeld
... it then checks its session_save directory for a file w/ the name of the session id
- if it finds this file, it parses the file and sets the variables into the $_SESSION array

--> Is this a server-side directory?
--> How long does the information stay there? One connection only, or until the browser is closed or longer...?

... at the end of the scripts execution, php will look at all the values you have put/removed/changed from $_SESSION, and update this users session file accordingly.

--> Again, how long does the existence of this file last?

code from rehfeld


session_start();

if (!isset($_SESSION['cookie_flag']) && isset($_GET['cookie_test'])) {
    // this browser does not accept cookies
} elseif (!isset($_SESSION['cookie_flag'])) { // we dont know if they accept cookies or not, so lets test it
    $_SESSION['cookie_flag'] = true; // lets set a session var to see if it persists to the next page request
    header('Location: [url]http://example.org/session_test.php?cookie_test=true[/url]'); // redirect to this same script, but set a _GET variable to let us know we tried to set a session var
    exit;
} else {
    // $_SESSION['cookie_flag'] was set so we are sure the browser accepts cookies
}

Thanks rehfeld, I used your code and the test worked well, only a slight delay from the user's point of view, but then again, probably only necessary to use it on certain pages.

rehfeld

yes, the directory is serverside. default is /tmp, but you can change this

the session file must exist for longer than a single page request, otherwise it would be useless.

php uses garbage collection to clean up stale session files

if a session file has not been modified/accessed for the value of session.gc_maxlifetime, then php will consider it garbage

however, just because it is now considered garbage, does not mean that it will be immediately deleted. the probability of it being deleted is controlled by session.gc_probability and session.gc_divisor

take a look at this page, im sure you could figure a lot of it out after reading it.
http://www.php.net/session

davidjam

Thanks alot! You have been really helpful.

Resolved. 🙂 🙂 🙂