change value of session variable

Is it possible to change the value of a session variable  of a specific user logged in?

eg.
10 users are currently logged in and the admin of the system wants to change  the value of $_SESSION['flag'] of  the user A
LVL 1
myyisAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ArgentiCommented:
Answer:
Session variables are different from one user to another, they are only kept for the user as long as the session is alive, but you (as admin) cannot change some specific user's session variable values. The php script can change the value of the current user, according to some conditions (business logic).

http://php.net/manual/en/reserved.variables.session.php
0
Julian HansenCommented:
Can you explain why you would want to do this? There might be another solution.

For instance if you save session information in a database which is accessed through a $_SESSION key then you could do it.

It is considered good practice to save session state in a file or database because sessions time out and by putting it in a database (using a cookie on the client side to find the data again) you can persist the data for longer.

If you did have such a system in place you would be able to modify a session variable in the database - which would not take effect until the next page refresh.

So it depends on what you are trying to achieve.
0
myyisAuthor Commented:
If I use  a DB table:
Whenever the user refreshes the page, a php script can make a DB check and change the value of $_SESSION['flag'] of that specific user.
That's ok.
But why I have to use a cookie ?
Thank you.
0
Fundamentals of JavaScript

Learn the fundamentals of the popular programming language JavaScript so that you can explore the realm of web development.

Ray PaseurCommented:
have to use a cookie ?
These two articles may be helpful to get the background information you need to understand what's going on between the client and server.

http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/A_11271-Understanding-Client-Server-Protocols-and-Web-Applications.html

http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11909-PHP-Sessions-Simpler-Than-You-May-Think.html

There is no such thing as a "logged in" user.  There are only users who present requests.  The requests are atomic, complete and stateless.  If a cookie is present in the request, the server can use the cookie to look up information that is stored on the server.  This information may include the identity of the client who sent the request, the shopping cart, etc.  By using the cookie to connect the request to information on the server, we can create the appearance that the client is in a state of being logged in or logged out.

You can write your own session handler using PHP and a data base.
0
Julian HansenCommented:
The cookie is to link the user to the Database session state information.

Without it - if your session expires you have no way to find the users session information in the database.

Usually you store the index into the database table in the cookie so that when the user visits the page again you can retrieve it and use it to get data from the database.
0
myyisAuthor Commented:
I still did not get!

When I go through the explanation of julianH  I see that I only need a database check to change the Session variable of a specific user.

Why do I have to update/create a cookie?
Thank you
0
ArgentiCommented:
The way I see the author's question is:

If some site admin can forcefully change a specific value of a session variable, for a specific user that is logged on (without need for the user to log-off+log-in to get the new value).

My answer is No.
0
Ray PaseurCommented:
Why do I have to update/create a cookie?
Please go back and read the articles I linked above.  You need to understand client/server protocols.  The server sets the cookie on the client browser.  The client browser returns the cookie to the server.  That way the server can know which client is making the request.  HTTP is a stateless client/server protocol.  If a client does not return the cookie the server does not make the association between the client request and persistent data on the server.  In other words, the client appears to be a stranger.

Next, you may want to think about what happens if the client tampers with the cookie and returns fraudulent information, but for now, just learn up on HTTP client/server.
0
Julian HansenCommented:
@myyis,

A cookie's lifetime can be set longer than that of a session.

In the context of what you are trying to do - if you want to be able to change state information then as Argenti has already pointed out - if you are only using SESSIONS to store the information - you can't.

However, if you are storing the information you would normally store in the SESSION in a database then you can access that information as an admin by going directly to the record in the database.

If you go this route however, you will need a way to find the users state information in the table. Which means you need a unique ID.

One way is to store this unique ID in the SESSION if you want to and not use cookies - but then you will loose that unique ID if the session expires. For instance - user goes to lunch - comes back an hour later and SESSION has expired. Their state data is sitting in the database but they can't get to it because the unique ID is lost.

Of course you could index the database record on the username and store that in the Session - then if the session times out they logon again and the information is again available. This would not require a use of a cookie.

There are a number of options.

However, at the risk of diverting this question. As has been mentioned in other posts

1. You can't access the session information.
2. If you want to be able to change state information for a particular user then you have to store that information outside of the session and keep some sort of unique identifier that links the database record to the user.
0
Ray PaseurCommented:
Note that the PHP session uses cookies to connect the client to the temporary storage on the server.  You can write your own session handler using a data base instead of the PHP session handler.  Then you can set things up so an admin can change data in the client session.  Whether or not you are well advised to do this is an entirely different question!
0
myyisAuthor Commented:
The PHP server  automatically creates a cookie called PHPSESSID.
Do I need to update/create another cookie to make the above?
0
Ray PaseurCommented:
... another cookie to make the above?
To make what, exactly?
0
myyisAuthor Commented:
Ray,

You have said "If a cookie is present in the request, the server can use the cookie to look up information that is stored on the server"

For the cookie you are referring:  Is the cookie called PHPSESSID (The PHP server  automatically creates) sufficient or do I need another ?


I am trying to make this:
"Whenever the user refreshes the page, a php script can make a DB check and change the value of $_SESSION['flag'] of that specific user."
0
Julian HansenCommented:
You should use your own  cookie.

I am assuming that when you say "Change the value of $_SESSION['flag]" you mean refreshing the variable from the database?
0
Ray PaseurCommented:
The PHP session handler creates the PHPSESSID cookie.  If you want to do something that is different from what the PHP session handler does, it follows that you would want to write your own session handler.  You could use PHPSESSID for the cookie name, but you're free to choose any name you want.
0
myyisAuthor Commented:
What's wrong with the below code? I did not use any cookie.

When the admin wants the change  $_SESSION['flag'] value of the user with id=99, he only does this:
UPDATE TABLE SET FLAG=1 WHERE USERID=99;


Then whenever the user with USERID=99 enters the page the below script runs and the value of $_SESSION['flag']  changes...

$uid = $_SESSION['userIdsession'];
$sql = "SELECT FLAG FROM TABLE WHERE USERID=$uid"
$recVale = mysql_query($sql);
$flag = mysql_result($recVale,0,"FLAG");

if ($flag==1)  $_SESSION['flag']='newvalue';
0
Ray PaseurCommented:
Obviously that is not a complete script, because it is missing session_start().  And it uses the MySQL extension which is being removed from PHP.  When ever you are not sure about a PHP function, you can (and should) look it up on the PHP.net web site.  Example containing a large red warning label:
http://php.net/manual/en/function.mysql-result.php

And if it relies on the PHP session, it almost certainly uses a cookie, even if you think it did not!  Unless you see the session id in the URL, you can be pretty sure that PHP is passing the session ID in a cookie.  The cookie will have an expiration date of zero, meaning that it will be discarded when the last instance (tab or window) of the browser is closed.

Really, it's worth reading the articles I linked for you in the earlier post!
0
myyisAuthor Commented:
So do I have to create a extra cookie since PHP server handles all the cookies?
0
Ray PaseurCommented:
All a cookie does is store some information on the client browser.  The browser returns the information (name, value) with the request.  In PHP this information is available in $_COOKIE.  What do you want the cookie(s) to do?  You can create as many as you want.
0
Julian HansenCommented:
With respect to the solution you have adopted you don't actually need a cookie.

The UID is your unique key in this case which means it should be set when the user logs on - therefore you can use that to get the information from the database.

So pretty much all you are missing from your script is a session_start (and assumes you are setting userIdSession when the user logs on.
0
Ray PaseurCommented:
you don't actually need a cookie.
Not to split hairs, but the PHP session handler will set a cookie.  If the client has cookies turned off, the PHP session handler will fail in this case.
0
Julian HansenCommented:
True - but then the login process won't work either.

My point being - if the session will always have the uid value set and it is unique this is sufficient to act as an index to a database.

Where a cookie would be needed is for auto-login / remember-me functionality. But that falls outside of this question so did not want to introduce it.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
PHP

From novice to tech pro — start learning today.