Richard Korts
asked on
php session id
See attached.
I am trying to test timing out a session after some time has passed, force re-login & start another session.
To test the idea, I built the php as attached.
In the second program, rpt_new_session(), it echoes the old & new sessions with the same ID.
How can I force a DIFFERENT id when restarting?
session_test_db.php
rpt_new_session.php
Before you spend too long on this problem, please make sure you understand how the PHP session handler works. It's always easier to ride the horse in the direction he's going!
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11909-PHP-Sessions-Simpler-Than-You-May-Think.html
And that reminds me... as we discussed in another long question, the PHP session timeout is not an exact timing but a Minimum value. Worse than that... it only gets checked when PHP on the server gets accessed. If you are the only one on your server, it may never time out. When this came up before, I checked the temp directory where session info is stored on one of my computers and found session files from 5 years ago.
To make the specific point, the PHP session timeout is Not a timer. If you want a specific timeout, you will have to write that yourself.
+1 for Dave's explanation. HTTP is a stateless client/server protocol. There is no such thing as a logged-in user, only a user who sends a request that tells the server enough information to recover the session data. Most of this information is sent in the HTTP cookies that are returned by the browser to the server. The rest of this information is contained in other request variables and files that are stored on the server. So to really understand this, you need to "get it" about HTTP cookies and headers, and connect the dots one-by-one.
The problem with the "PHP session timeout" is that session timeout is not a thing at all - it never occurs - it does not exist. When a PHP script runs the session_start() function, a cookie is set on the client browser. The cookie points the server to the session files that contain the stored data. If the client browser does not return the cookie, the session is lost. If the server does not find the session files, the session is lost. But none of these "lost data" events can be triggered by a timeout, because there is no timer directly associated with these things. I think the article covers the waterfront, but if you read it and still have questions, please post back and I'll clarify the article and try to explain the details.
to set a new session_id of your choice.
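The idle timeout that the answers above say you have to write yourself, combined with a fresh session id on expiry, as an added example that is not part of the original thread. The `IDLE_LIMIT` value, the `last_activity` session key and the two helper function names are assumptions made for this sketch.

```php
<?php
// Added example: application-level idle timeout with a new session id on expiry.
// IDLE_LIMIT, 'last_activity' and both helper names are assumptions for this sketch.
declare(strict_types=1);

const IDLE_LIMIT = 900; // seconds of inactivity allowed (assumed value)

/**
 * Pure decision: has the session been idle longer than the limit?
 * A session with no recorded activity is treated as new, not expired.
 */
function session_is_expired(?int $lastActivity, int $now, int $limit = IDLE_LIMIT): bool
{
    return $lastActivity !== null && ($now - $lastActivity) > $limit;
}

/**
 * Discard the current session and continue under a different id.
 * Must run before any output, because a new cookie header is sent.
 */
function restart_session(): void
{
    $_SESSION = [];               // drop login state and all other stored data
    session_regenerate_id(true);  // issue a new id and delete the old session data
}

session_start();
$oldId = session_id();

$last = isset($_SESSION['last_activity']) ? (int) $_SESSION['last_activity'] : null;
if (session_is_expired($last, time())) {
    restart_session();            // caller should now send the user to the login page
}
$_SESSION['last_activity'] = time(); // our own timestamp is the timer PHP lacks

echo 'old id:     ', $oldId, PHP_EOL;
echo 'current id: ', session_id(), PHP_EOL; // differs from the old id after an expiry
```

Calling `session_regenerate_id(true)` right after a successful login as well keeps a pre-login session id from carrying over into the authenticated session.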