i) does this depend on certain PHP settings? i want to make the script work out the box so don’t want any extra problems with php settings
ii) does the session get added to form input when sending forms instead of clicking on a link? If not, is the hidden variable i would need just $PHPSESSID ?
iii) Is there a better way to pass the ID? Should i just use cookies?
ii) does the session get added to form input when sending forms instead of clicking on a link? If not, is the hidden variable i would need just $PHPSESSID ?
It doesn’t get added automatically, should be in a hidden input field:
iii) Is there a better way to pass the ID? Should i just use cookies?
Well, I like sessions exactly because they’re not cookies. In terms of passing the value of the session you can shorten it by using
Actually the reason why you are getting the session id automatically appended to the links is because you have a version of php which was compiled with --enable-trans-sid. And unless this is compiled into everyone’s version of php that uses this script it won’t work. And most people don’t have it compiled in.
Well, I like sessions exactly because they’re not cookies
Actually sessions use cookies to store the session id, and the --enable-trans-sid comes into play to accomadate users who have cookies turned off. So basically you have two options, since there is no guarantee that all users will have this feature compiled into php on their servers, one is make cookies a requirement to use the scripts, or manually tack the session id to every link in the site. But remember just because the session id is tacked on on your system automatially that won’t necessarily be the case for others.
It’s probably best to just manually tack the session id to every link in the site so that we don’t have to worry about enable-trans-sid is set or not, and we don’t have to worry about if cookie is disable in the user’s browser side or not, and we can forget about $PHPSESSID since $PHPSESSID is a cookie.
my other problem is that this program is something people will “add” to their site. People might use the program and then go somewhere else on the site. If i rely on doing sessions in links then they will loose the session will they not? but if it using the temporary cookie (it is a session cookie is it, expires when browser closes?) then will this be ok? they can be at say www.domain.com/mysection.php and click to go to www.domain.com and then back to www.domain.com/mysection.php and still be logged in?
Thing is, if i do use “just” the session cookie type thing, i am not sure the advantage of using sessions at all as i am using them for is transfering the userid/password which could be done in just a cookie.
One thought, it would perhaps be nice, like vbulletin, to allow for both, ie session via links and sessions via cookies. So when someone logs in i have:
USERNAME:
PASSWORD:
Remember me next time Yes | No
I do not use cookies Yes | No
sort of thing. The remember sets a last forever cookie and if you say no, then it does session via links.
Thing is i am not exactly sure how to start coding for this, anyone got any pointers or just a description in words of what to do so i can then work it out in code?
You can actually determine programatically whether the user has cookies enabled or not, and then either tack on the session ID onto the end of your links (the string “PHPSESSID=sessionID” is always available in the PHP ‘SID’ constant, so adding the session ID to a link is as simple as typing <?=SID?>), or allow the session ID to be passed via cookies if they are available.
The PHP manual’s section on Cookies has some good pointers on this stuff.
Yes and no. A session ends when you close ALL browser windows, but I have also seen it mentioned that a session can timeout after a certain time, even if the browser is not closed. I am not sure what the mechanism for that is, but I think it might be the session.gc_maxlifetime variable in your php.ini file. This is how the manual describes that variable:
session.gc_maxlifetime specifies the number of seconds after which data will be seen as ‘garbage’ and cleaned up.
Mine is set to 24 minutes, so I believe a session will end after 24 minutes regardless of whether someone closes their browser or not.
It all depends on what you call a session ‘ending’. Even when a user closes all his/her browser windows, the session remains active on the server. Of course, if the user reopens the browser and returns to the site, he/she will be assigned a new session, since his/her browser deleted the original session cookie when it was closed.
You see, Web servers have no way of knowing when someone has left a site besides the fact that requests accompanied by the session ID stop coming in. So what has to happen is that a session timeout is defined on the server. In your case, you’ve defined it to be 24 minutes. Thus, (roughly) 24 minutes after the server last sees a request with a particular session ID, that session will be deleted from the server.
From the user’s point of view, the session will be terminated when he or she closes the browser, since at that point the browser forgets its session ID and can no longer send requests for that session. Also from the user’s point of view, the session will expire if he or she doesn’t load a page for an extended period (in your case, 24 minutes). From the server’s point of view, however, sessions can only end one way (assuming they are not explicitly ended by a script): after a defined timeout during which no requests come in for a session, it will be destroyed automatically.