Modify Session Cookie on Every Page Load

I've got a PHP system working on a development server (Windows
2000/IIS5/PHP 4.3.3) but it doesn't seem to be working quite right on
the testing server (same except PHP 4.2.3). I upgraded the PHP on the
testing server but that didn't seem to make any difference. One
difference I noticed is that on the dev server, the session cookie is
modified on EVERY page load. On the testing server the cookie gets
created alright but it doesn't seem to be touched after that (and yes,
I checked to be sure the PHP code is the same on the two machines).
Is this controlled by a setting in php.ini? If so, I cannot figure
out which one. Is it controlled by IIS in some way? Again, I cannot
find anything that tells me where. Since the development server is
working, I'd like that behavior (modifying the cookie on every page
load) to be implemented on the test server but cannot figure out how.
Any suggestions would be most appreciated.

--
Henry

Henry Hartley wrote:[color=blue]
> I've got a PHP system working on a development server (Windows
> 2000/IIS5/PHP 4.3.3) but it doesn't seem to be working quite right on
> the testing server (same except PHP 4.2.3). I upgraded the PHP on the
> testing server but that didn't seem to make any difference. One
> difference I noticed is that on the dev server, the session cookie is
> modified on EVERY page load.[/color]

???? And that is good? ?!?!?!?!

one session <===> one cookie
one cookie <===> one session

If you get different cookies that means php is dealing with different
sessions.
[color=blue]
> On the testing server the cookie gets
> created alright but it doesn't seem to be touched after that (and yes,
> I checked to be sure the PHP code is the same on the two machines).[/color]

Isn't this what you want? ?!?!?!?!
[color=blue]
> Is this controlled by a setting in php.ini? If so, I cannot figure
> out which one.[/color]

Check that the directory specified in "session.save_path" really exists.
[color=blue]
> Is it controlled by IIS in some way? Again, I cannot
> find anything that tells me where.[/color]

Check the permission for the directory.
[color=blue]
> Since the development server is
> working,[/color]

is it? ?!?!?!?!
[color=blue]
> I'd like that behavior (modifying the cookie on every page
> load) to be implemented on the test server but cannot figure out how.[/color]

Why?
Why do you want a cookie that changes on *every* page load?
Perhaps you are trying something for which cookies may not be the best
option?

--
USENET would be a better place if everybody read: | to mail me: simply |
http://www.catb.org/~esr/faqs/smart-questions.html | "reply" to this post, |
http://www.netmeister.org/news/learn2quote2.html | *NO* MIME, plain text |
http://www.expita.com/nomime.html | and *NO* attachments. |

Accessing the cookie with every page load is usually to reset the expiry
time. In this way the cookie will expire some time after the last page
access, not sometime after it was first created.

--
Tony Marston

http://www.tonymarston.net



"Pedro Graca" <hexkid@hotpop.com> wrote in message
news:slrnco28mp.knd.hexkid@ID-203069.user.uni-berlin.de...[color=blue]
> Henry Hartley wrote:[color=green]
>> I've got a PHP system working on a development server (Windows
>> 2000/IIS5/PHP 4.3.3) but it doesn't seem to be working quite right on
>> the testing server (same except PHP 4.2.3). I upgraded the PHP on the
>> testing server but that didn't seem to make any difference. One
>> difference I noticed is that on the dev server, the session cookie is
>> modified on EVERY page load.[/color]
>
> ???? And that is good? ?!?!?!?!
>
> one session <===> one cookie
> one cookie <===> one session
>
> If you get different cookies that means php is dealing with different
> sessions.
>[color=green]
>> On the testing server the cookie gets
>> created alright but it doesn't seem to be touched after that (and yes,
>> I checked to be sure the PHP code is the same on the two machines).[/color]
>
> Isn't this what you want? ?!?!?!?!
>[color=green]
>> Is this controlled by a setting in php.ini? If so, I cannot figure
>> out which one.[/color]
>
> Check that the directory specified in "session.save_path" really exists.
>[color=green]
>> Is it controlled by IIS in some way? Again, I cannot
>> find anything that tells me where.[/color]
>
> Check the permission for the directory.
>[color=green]
>> Since the development server is
>> working,[/color]
>
> is it? ?!?!?!?!
>[color=green]
>> I'd like that behavior (modifying the cookie on every page
>> load) to be implemented on the test server but cannot figure out how.[/color]
>
> Why?
> Why do you want a cookie that changes on *every* page load?
> Perhaps you are trying something for which cookies may not be the best
> option?
>
> --
> USENET would be a better place if everybody read: | to mail me:
> simply |
> http://www.catb.org/~esr/faqs/smart-questions.html | "reply" to this
> post, |
> http://www.netmeister.org/news/learn2quote2.html | *NO* MIME, plain
> text |
> http://www.expita.com/nomime.html | and *NO*
> attachments. |[/color]

Tony Marston wrote:[color=blue]
> Accessing the cookie with every page load is usually to reset the expiry
> time. In this way the cookie will expire some time after the last page
> access, not sometime after it was first created.[/color]

Hmmm, of course you're right. I just didn't think of using 'sticky'
cookies for the session id.

I think it's best to let the user decide when the session is over rather
than forcing a cookie timeout of 20 minutes (or an hour, or whatever).
When the user want to terminate the session he can close the browser or
log out (and logging out will delete the cookie).
--
USENET would be a better place if everybody read: | to mail me: simply |
http://www.catb.org/~esr/faqs/smart-questions.html | "reply" to this post, |
http://www.netmeister.org/news/learn2quote2.html | *NO* MIME, plain text |
http://www.expita.com/nomime.html | and *NO* attachments. |

>> Accessing the cookie with every page load is usually to reset the expiry[color=blue][color=green]
>> time. In this way the cookie will expire some time after the last page
>> access, not sometime after it was first created.[/color]
>
>Hmmm, of course you're right. I just didn't think of using 'sticky'
>cookies for the session id.
>
>I think it's best to let the user decide when the session is over rather
>than forcing a cookie timeout of 20 minutes (or an hour, or whatever).
>When the user want to terminate the session he can close the browser or
>log out (and logging out will delete the cookie).[/color]

You DO want to time out sessions eventually, as all those files
cluttering up the server will eventually slow it down, to say nothing
of chewing up a lot of disk space. Do you think a real user is
going to come back expecting to still be logged in if he hasn't
accessed a page in 24 hours? A month? A year? Timeouts don't
have to be annoyingly short. I'm not sure an hour qualifies as
"annoyingly short" if it's counted from the last page refresh,
though, especially if it's a security-sensitive page like a bill-pay
page for a bank.

Also, the *server* doesn't know when the user has closed the browser.
It needs to eventually clean up old sessions.

Gordon L. Burditt

Pedro Graca <hexkid@hotpop.com> wrote in message news:<slrnco2vqf.ma6.hexkid@ID-203069.user.uni-berlin.de>...
<snip>[color=blue]
> I think it's best to let the user decide when the session is over rather
> than forcing a cookie timeout of 20 minutes (or an hour, or whatever).
> When the user want to terminate the session he can close the browser or
> log out (and logging out will delete the cookie).[/color]

The "real" session timeout is handled by garbage collector
(session.gc_maxlifetime and the time you last access the session file)
than with cookies. The cookie life time, just helps you to "continue"
your sessions incase if you closed/restarted your browser.

--
| Just another PHP saint |
Email: rrjanbiah-at-Y!com

Pedro Graca <hexkid@hotpop.com> wrote in message news:<slrnco2vqf.ma6.hexkid@ID-203069.user.uni-berlin.de>...[color=blue]
> Tony Marston wrote:[color=green]
> > Accessing the cookie with every page load is usually to reset the expiry
> > time. In this way the cookie will expire some time after the last page
> > access, not sometime after it was first created.[/color]
>
> Hmmm, of course you're right. I just didn't think of using 'sticky'
> cookies for the session id.[/color]

The odd thing is that one server is resetting the cookie on every page
load (not creating a new cookie, just updating the existing one) and
the other server justs sets the cookie once and seems to forget about
it. Of course, it's still *reading* the cookie or it wouldn't know
what the session ID was but I'm trying to understand why the two
servers are behaving differently. I don't know if this is a PHP
setting (in php.ini) or an IIS setting (and if so, where I can find
and change it) or possibly some other setting that I haven't thought
of.

--
Henry

henryhartley@westat.com (Henry Hartley) wrote in message news:<2d40faa8.0410291245.49029954@posting.google. com>...
<snip>[color=blue]
> I don't know if this is a PHP
> setting (in php.ini)[/color]

Then, why can't do a diff between two ini files?

--
| Just another PHP saint |
Email: rrjanbiah-at-Y!com