more session help

fxpepper

Hello

I am trying to test setting this cookie so it lasts for 30 days. Initially i tested shorter time spans and it seemed to work but at the end of the day on Friday i set it to what i thought was 30 days and when i opened my browser today, nothing was saved...? Is there way to 'see' if this set correctly:

$lifetime = 60 * 60 * 24 * 30;
  session_start();
  setcookie(session_name(),session_id(),time()+$lifetime);

$rqstsignature = md5($_SERVER['REQUEST_URI'].$_SERVER['QUERY_STRING'].print_r($_POST, true));

//$_SESSION['mysearches'] = null;
if(!isset($_SESSION['mysearches'])) {
    $_SESSION['mysearches'] = array($_GET['s']);
} else {
	if ($_GET['s'] != '') {
		$_SESSION['mysearches'] = array_filter($_SESSION['mysearches'], 'strlen');
		if ($_SESSION['LastRequest'] != $rqstsignature) { // no refresh


		array_unshift($_SESSION['mysearches'], $_GET['s']);
		$_SESSION['LastRequest'] = $rqstsignature;

		while(count($_SESSION['mysearches']) > 5) {
			array_pop($_SESSION['mysearches']);
		}	
	} 
}	
}

thanks

bradgrafelman

Don't try to use setcookie() to override the header that PHP sets when you start the session. Instead, use [man]session_set_cookie_params/man to modify the default cookie parameters before you start the session.

Also note that cookie expiration is dependent upon the server's time / system clock being set correctly. So, if the above doesn't fix the issue, the next step I would suggest is verifying that the server's date/time are correct.

fxpepper

okay, so I changed the first few lines to the following:

session_set_cookie_params(2592000);
 session_start();

as far as the server clock - I am looking at phpinfo(). Would the server time/system clock be listed here? I see a few dates (system, build date..) but not sure which i should be checking. Also, is there a way to test 30 days or do I just need to check shorter time periods and assume 30 days would work if these work (altho this wasn't the case before so that makes me a little nervous to count on that )

bradgrafelman

fxpepper;10999985 wrote:
as far as the server clock - I am looking at phpinfo(). Would the server time/system clock be listed here?

Well, technically I suppose you could make some assumptions on whether the clock is set right by looking at $_SERVER["REQUEST_TIME"] (probably after converting it to a more human-friendly format 🙂), but probably the easiest way to check would be to simply output the current time in PHP, e.g.:

echo "The date/time is: " . date('r') . "\n";

and then verify that the date/time/timezone reflect the current time (more or less).

fxpepper;10999985 wrote:
Also, is there a way to test 30 days or do I just need to check shorter time periods and assume 30 days would work if these work (altho this wasn't the case before so that makes me a little nervous to count on that )

As far as testing goes, it's hard to simulate all of the effects of time passing by. Instead, you might examine the client-side and server-side session-related behavior separately:

Examine the Set-Cookie HTTP header that PHP outputs when you call session_start(). Verify that the 'Expires' attribute correctly reflects a date/time 30 days into the future.
Examine the session.gc_maxlifetime PHP directive. Verify that it reflects a value greater than or equal to 30 days.

fxpepper

bradgrafelman;10999988 wrote:
echo "The date/time is: " . date('r') . "\n";
and then verify that the date/time/timezone reflect the current time (more or less).

obviously, I have a lot to learn : ) but thanks for this tip. I can see the time is 5 hours ahead. so that's fine i think...
And we can assume that this should work since it's pretty much accurate?

As far checking the Set-Cookie HTTP..? how, where?? I tried using the add on for HTTP headers but I don't see anything referencing this so I am guessing this is not the right tool for this. I trying to google this too...

bradgrafelman;10999988 wrote:
Examine the Set-Cookie HTTP header that PHP outputs when you call session_start(). Verify that the 'Expires' attribute correctly reflects a date/time 30 days into the future.

Examine the session.gc_maxlifetime PHP directive. Verify that it reflects a value greater than or equal to 30 days.

EDIT:

actually i did see this in the HTTP Header tool:
Set-Cookie: VM_USR=ABnzjWLceUhLsklMtDMrldQAADwYAAA8fRQAAAE2UCL62QA-; Domain=.intellitxt.com; Expires=Fri, 25-May-2012 17:52:16 GMT; Path=/

could this be the cookie that i set? also, looks like it's gonna expire in 2 months, not 30 days...?

thanks for all the help : )

bradgrafelman

fxpepper;10999992 wrote:
I can see the time is 5 hours ahead.

Er, ahead of who or what? If the time difference doesn't correspond with the same offset in timezones (between the timezone that PHP outputs and the timezone corresponding with the time you're using for comparison), then I would suggest you look into why the server's clock isn't set correctly. +/- 5 hours doesn't seem to be very accurate to me (nor would it to my boss if I came in to work 5 hours late :p).

motleydata;10999991 wrote:
As far checking the Set-Cookie HTTP..? how, where??

It'll be in the HTTP headers sent by the server in response to your client's HTTP request. The "client" is most likely your web browser, if that's what you're using for testing.

Depending upon which browser you're using, this may even be built-in with no addons/plugins needed. Google Chrome, for example, has a ton of profiling/in-depth examining tools/menus. If you're looking for help with a specific browser, though, you might want to let us know which one. Likewise for any add-ons you're using in conjunction with that browser (I doubt there is only one add-on in existence that lets you view HTTP headers, so saying "the add on" doesn't help us much 😉).

fxpepper

bradgrafelman;10999996 wrote:
Er, ahead of who or what? If the time difference doesn't correspond with the same offset in timezones (between the timezone that PHP outputs and the timezone corresponding with the time you're using for comparison), then I would suggest you look into why the server's clock isn't set correctly. +/- 5 hours doesn't seem to be very accurate to me (nor would it to my boss if I came in to work 5 hours late :p).

well it says it's the same date but it's 4 hours ahead of me. ( I am ET) . So are you saying it won't work it's not exactly the same? I guess i thought it would work if it was approximately the same time. It would compare the times but expire the cookie from the system time which i didn't think was a big deal if was 4 hours ahead...

Also, i forgot to mention , this is shared server and i don't think i can update that at this time...

bradgrafelman;10999996 wrote:
Depending upon which browser you're using, this may even be built-in with no addons/plugins needed. Google Chrome, for example, has a ton of profiling/in-depth examining tools/menus. If you're looking for help with a specific browser, though, you might want to let us know which one. Likewise for any add-ons you're using in conjunction with that browser (I doubt there is only one add-on in existence that lets you view HTTP headers, so saying "the add on" doesn't help us much 😉).

I am using the firefox add-on -called Live HTTP headers. Actually i did see this in this tool when I checked again:

actually i did see this in the HTTP Header tool:
Set-Cookie: VM_USR=ABnzjWLceUhLsklMtDMrldQAADwYAAA8fRQAAAE2UCL62QA-; Domain=.intellitxt.com; Expires=Fri, 25-May-2012 17:52:16 GMT; Path=/

could this be my cookie that i set? altho it looks like it's gonna expire in 2 months, not 30 days...?

bradgrafelman

fxpepper;10999998 wrote:
well it says it's the same date but it's 4 hours ahead of me. ( I am ET) .

Since you're currently in EDT due to daylight savings, and since EDT has a GMT offset of -0400, I'm betting the PHP output is showing the correct time (which would be 4 hours ahead of you with a timezone offset of +0000).

fxpepper;10999998 wrote:
So are you saying it won't work it's not exactly the same?

Of course not, but having an accurate system clock could be essential for other purposes, and it seemed silly to accept a possible 5 hour offset.

fxpepper;10999998 wrote:
Also, i forgot to mention , this is shared server and i don't think i can update that at this time...

Quite true, but the fact that it's a shared server (hopefully) means someone else is paying attention to such server management tasks and has already taken care of this for you.

fxpepper;10999998 wrote:
actually i did see this in the HTTP Header tool:
Set-Cookie: VM_USR=ABnzjWLceUhLsklMtDMrldQAADwYAAA8fRQAAAE2UCL62QA-; Domain=.intellitxt.com; Expires=Fri, 25-May-2012 17:52:16 GMT; Path=/

could this be my cookie that i set?

Is your cookie named "VM_USR", and is your domain "intellitxt.com" ? If so, then yes. If not, then no.

EDIT: Also note that PHP won't send another Set-Cookie as long as you're sending a session cookie with the request. So, if you've got an existing session cookie set from previous tests, you'll want to remove that cookie.

fxpepper

bradgrafelman;11000001 wrote:
Since you're currently in EDT due to daylight savings, and since EDT has a GMT offset of -0400, I'm betting the PHP output is showing the correct time (which would be 4 hours ahead of you with a timezone offset of +0000).

Of course not, but having an accurate system clock could be essential for other purposes, and it seemed silly to accept a possible 5 hour offset.

okay, great...

bradgrafelman;11000001 wrote:
Is your cookie named "VM_USR", and is your domain "intellitxt.com" ? If so, then yes. If not, then no.

EDIT: Also note that PHP won't send another Set-Cookie as long as you're sending a session cookie with the request. So, if you've got an existing session cookie set from previous tests, you'll want to remove that cookie.

regarding the cookie name, I didn't name anything except for the Sessions array. And I looked under cookies (under options and then the site and I didn't see anything that indicated it was my cookie. Is there a default name it uses? )

again this is what i have now:

session_set_cookie_params(2592000);
 session_start();

$rqstsignature = md5($_SERVER['REQUEST_URI'].$_SERVER['QUERY_STRING'].print_r($_POST, true));

//$_SESSION['mysearches'] = null;
if(!isset($_SESSION['mysearches'])) {
    $_SESSION['mysearches'] = array($_GET['s']);
} else {
	if ($_GET['s'] != '') {
		$_SESSION['mysearches'] = array_filter($_SESSION['mysearches'], 'strlen');
		if ($_SESSION['LastRequest'] != $rqstsignature) { // no refresh


		array_unshift($_SESSION['mysearches'], $_GET['s']);
		$_SESSION['LastRequest'] = $rqstsignature;

		while(count($_SESSION['mysearches']) > 5) {
			array_pop($_SESSION['mysearches']);
		}	
	} 
}	
}

thanks again

bradgrafelman

PHP uses the name of the session as the name of the cookie.

If you aren't seeing any Set-Cookie headers on a page with session_start(), then I'm betting you've already got a session cookie present in your browser (hence why I added the 'EDIT:' section you quoted above).

fxpepper

bradgrafelman;11000006 wrote:
PHP uses the name of the session as the name of the cookie.

If you aren't seeing any Set-Cookie headers on a page with session_start(), then I'm betting you've already got a session cookie present in your browser (hence why I added the 'EDIT:' section you quoted above).

well, I did echo session_name();

and it showed this:
PHPSESSID

i did a search and didn't show anything under 'mysearch' ??

after deleting the PHPSESSID cookie, I did come across this in the live http headers tool, after refreshing the page:
Set-Cookie: PHPSESSID=2141200aba729657d04e0e0de94d5828; expires=Wed, 25-Apr-2012 19:02:19 GMT; path=/

I noticed other Set-Cookies also used PHPSESSID too but this once corresponds at least with my page...

EDIT:
Does this good? It does to me...
Also, should I explicitly give it its own name??

bradgrafelman

fxpepper;11000010 wrote:
i did a search and didn't show anything under 'mysearch' ??

Why would it? You don't start any sessions named 'mysearch' in the code you've shown us.

fxpepper;11000010 wrote:
I noticed other Set-Cookies also used PHPSESSID too

Oh dear, excellent point - thanks for reminding me. I forgot to mention...

Because you're using non-default parameters for the session in this web application (e.g. you're calling functions that set-up the session before you do session_start()) without using a non-default session name, you may experience interference with other applications that do use the default session parameters (e.g. they simply call session_start()).

To prevent this, you need to do one of the following:

Adopt your changes "site-wide" by altering the default value of the PHP directives prefixed with "session." that correspond to the new parameter values you're using. In other words, since you're only changing the cookie lifetime (I'm assuming you've already handled the session.gc_maxlifetime directive as noted earlier?), you'd want to modify the session.cookie_lifetime PHP directive.
Use a unique (non-default) name for the session used by your current application.

Also note that if you stick with setting the options manually (e.g. via calling session_set_cookie_params() before calling session_start()), then you'll want to make sure you do this on each PHP script that contains session_start().

fxpepper

bradgrafelman;11000014 wrote:
Oh dear, excellent point - thanks for reminding me. I forgot to mention...

Because you're using non-default parameters for the session in this web application (e.g. you're calling functions that set-up the session before you do session_start()) without using a non-default session name, you may experience interference with other applications that do use the default session parameters (e.g. they simply call session_start()).

To prevent this, you need to do one of the following:

Adopt your changes "site-wide" by altering the default value of the PHP directives prefixed with "session." that correspond to the new parameter values you're using. In other words, since you're only changing the cookie lifetime (I'm assuming you've already handled the session.gc_maxlifetime directive as noted earlier?), you'd want to modify the session.cookie_lifetime PHP directive.

Use a unique (non-default) name for the session used by your current application.

Also note that if you stick with setting the options manually (e.g. via calling session_set_cookie_params() before calling session_start()), then you'll want to make sure you do this on each PHP script that contains session_start().

okay, so going with the number 2 option:

I have this now:

session_set_cookie_params(2592000);
  session_name('test_mysearches');
  session_start();
 // setcookie(session_name(),session_id(),time()+$lifetime);

$rqstsignature = md5($_SERVER['REQUEST_URI'].$_SERVER['QUERY_STRING'].print_r($_POST, true));


if(!isset($_SESSION['mysearches'])) {
    $_SESSION['mysearches'] = array($_GET['s']);
} else {
	if ($_GET['s'] != '') {
		$_SESSION['mysearches'] = array_filter($_SESSION['mysearches'], 'strlen');
		if ($_SESSION['LastRequest'] != $rqstsignature) { // not a refresh			

		array_unshift($_SESSION['mysearches'], $_GET['s']);
		$_SESSION['LastRequest'] = $rqstsignature;

		while(count($_SESSION['mysearches']) > 5) {
			array_pop($_SESSION['mysearches']);
		}	
	} 
}	
}

I show this in the live http header tool now:
Set-Cookie: test_mysearches=3f09e483004e91df3181f6d39b890c86; expires=Wed, 25-Apr-2012 19:32:20 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=30, max=50

on the set cookie line it does show Apr 25, so that is good...

Is the Keep-Alive something I need to worry about?

I have no idea if there any other places where session_start() is called. I don't know if wordpress sets up anything but i haven't done this anywhere else. But I will see if I can search thru to make sure..

IF I do opt for option 1, this would only affect this specific site. so something like this would be right:

ini_set('session.gc_maxlifetime', 86400 * 30); 
session_set_cookie_params(2592000);
session_start();

$rqstsignature = md5($_SERVER['REQUEST_URI'].$_SERVER['QUERY_STRING'].print_r($_POST, true));


if(!isset($_SESSION['mysearches'])) {
    $_SESSION['mysearches'] = array($_GET['s']);
} else {
	if ($_GET['s'] != '') {
		$_SESSION['mysearches'] = array_filter($_SESSION['mysearches'], 'strlen');
		if ($_SESSION['LastRequest'] != $rqstsignature) { // not a refresh			

		array_unshift($_SESSION['mysearches'], $_GET['s']);
		$_SESSION['LastRequest'] = $rqstsignature;

		while(count($_SESSION['mysearches']) > 5) {
			array_pop($_SESSION['mysearches']);
		}	
	} 
}	
}

thanks again

bradgrafelman

fxpepper;11000021 wrote:
Is the Keep-Alive something I need to worry about?

Nope. That's specific to the HTTP connection between the client's computer and (presumably Apache) running on the remote server. It just indicates how long a connection can be left open but idle (e.g. the client hasn't sent any new HTTP requests).

fxpepper;11000021 wrote:
I have no idea if there any other places where session_start() is called. I don't know if wordpress sets up anything but i haven't done this anywhere else.

I have no idea what WordPress does, but the point of using your own session name is to isolate your specific application/module/whatever from any other PHP application/module/whatever (as long as you don't happen to pick a name that somebody else picked, of course).

In other words, as long as WP doesn't use the same session name, it doesn't really matter what it does with sessions.

fxpepper;11000021 wrote:
*IF I do opt for option 1, this would only affect this specific site. so something like this would be right:

Not really; the point of option #1 in my previous reply was to make the change at a higher level than inside individual PHP scripts. If this small code snippet is really the only place you ever use this session data, then option #1 might be overkill (unless you really want all other sessions to behave the same way).

fxpepper

bradgrafelman;11000022 wrote:
Also note that if you stick with setting the options manually (e.g. via calling session_set_cookie_params() before calling session_start()), then you'll want to make sure you do this on each PHP script that contains session_start().

your above note ( a few replies up) is why I was discussing whether there are other session_starts() (for example that WP might set up) throughout the site. This script is the only one I called and it does have a unique name. I thought you were saying i need to see if the session_start() was used in other places and set the session_set_cookie_params() with these scripts too..
is that what you were saying or is setting it just on this script okay? It's only used in one place...

bradgrafelman;11000022 wrote:
Not really; the point of option #1 in my previous reply was to make the change at a higher level than inside individual PHP scripts. If this small code snippet is really the only place you ever use this session data, then option #1 might be overkill (unless you really want all other sessions to behave the same way).

This script is used on the site's sidebar. I would consider it pretty small and this is the only place it is used so I will go with option 2 if option 1 is overkill then.

Another question - if the client has their browser open and they don't use it for say 25 mins, will the cookie still save? I saw the session.gc_maxlifetime addresses this and I didn't know if the session_set_cookie_params() overrides this too. Currently phpinfo() shows the server has this valued at 1440

thanks again for your patience/ time. truly appreciated : )

fxpepper

When I opened my browser this morning, the information was not saved. I am really baffled by all this...

as of last night i had this:

session_set_cookie_params(2592000); 
session_name('test_mysearches');
session_start();

I am updating to this to see if it makes any difference:

ini_set('session.gc_maxlifetime', 86400 * 30); 
session_set_cookie_params(2592000); 
session_name('test_mysearches');
session_start();

bradgrafelman

You can't set the session.gc_maxlifeetime directive inside of a script... by the time your ini_set() gets executed, GC will have already been executed.

You need to change that directive outside of your scripts - in php.ini, a .htaccess file, etc.

fxpepper

bradgrafelman;11000089 wrote:
You can't set the session.gc_maxlifeetime directive inside of a script... by the time your ini_set() gets executed, GC will have already been executed.

You need to change that directive outside of your scripts - in php.ini, a .htaccess file, etc.

okay.. thank u

fxpepper

I am still banging my head over this.

When i went to check on the site where this is set up, the search list was gone and it's only been a few days -def not 30 days.

I added this:
php_value session.gc_maxlifetime 2592000

to the .htaccess and it now shows 2592000 on the local side when i view phpinfo(). Does this have to do with the GC? Is this something i am always gonna have to worry about when i use sessions?

I am wondering - should I switch back to strickly cookies with php ( or even js)..?