
sessions and cookies

pradeepjain
Needs Regular Fix
 
Join Date: Jul 2007
Location: India
Posts: 407
#1: Feb 3 '09
I know this is the most talked-about topic, but I am still a bit confused.
I have a website developed using Drupal (a CMS tool). Earlier, when a user was logged in and closed the browser, and then opened the browser again, his login would still be there as it was, i.e. he was not logged off when the browser closed. To correct this
I had to make a setting like
ini_set('session.cookie_lifetime', 0);

which was earlier
ini_set('session.cookie_lifetime', 20000);

What difference did it make? And I remember checkboxes like "REMEMBER ME" and
"keep me signed in for 2 weeks" and "remember me on this computer". What exactly happens when we click the link, and how are we remembered?

TheServant
Expert
 
Join Date: Feb 2008
Location: Australia
Posts: 914
#2: Feb 3 '09

re: sessions and cookies


They use cookies, which are pretty much the same as sessions. The major difference is that cookies are stored on your computer. So your site will check if they have a cookie stored and then collect variables stored in that cookie to use again. Sessions are stored by the server and cannot (to my knowledge) be kept after closing a browser and re-opening it? So unless it's something that I haven't come across (which is just as likely), your session information was stored as a cookie...

But to answer your question, remember me things use cookies, generally.

Atli
Moderator
 
Join Date: Nov 2006
Location: Iceland
Posts: 3,751
#3: Feb 4 '09

re: sessions and cookies


Yes, TheServant is right.

Typically, as you first open a page in your browser, the server will look for certain cookies, sent by your browser, which indicate whether or not you are already logged in. If this information is present, and if it validates, then the server typically loads this into a server-side session, which is kept throughout your stay on the web. If it is not present, you will be asked to log in, after which the cookie is created on your browser and the session created on the server.

Once you close your browser, the server-side session is destroyed, but the cookie will remain on the browser so that the server can identify you next time you visit.

If the server fails to create the cookie, or if you delete it or corrupt it on your browser, the server won't recognize you when you next visit and it will ask you to log in.

pradeepjain
Needs Regular Fix
 
Join Date: Jul 2007
Location: India
Posts: 407
#4: Feb 4 '09

re: sessions and cookies


Quote:

Originally Posted by Atli View Post

Yes, TheServant is right.

Typically, as you first open a page in your browser, the server will look for certain cookies, sent by your browser, which indicate whether or not you are already logged in. If this information is present, and if it validates, then the server typically loads this into a server-side session, which is kept throughout your stay on the web. If it is not present, you will be asked to log in, after which the cookie is created on your browser and the session created on the server.

Once you close your browser, the server-side session is destroyed, but the cookie will remain on the browser so that the server can identify you next time you visit.

If the server fails to create the cookie, or if you delete it or corrupt it on your browser, the server won't recognize you when you next visit and it will ask you to log in.

Okay, you mean to say that
ini_set('session.cookie_lifetime', 0);

will not create any cookie, right?

And when we say "remember me", what exactly is stored in the cookie in the browser: name => password / session ID?

Atli
Moderator
 
Join Date: Nov 2006
Location: Iceland
Posts: 3,751
#5: Feb 4 '09

re: sessions and cookies


Quote:

Originally Posted by pradeepjain View Post

Okay, you mean to say that
ini_set('session.cookie_lifetime', 0);

will not create any cookie, right?

No, that's not right.
To quote the manual:
Quote:

Originally Posted by php.net

session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means "until the browser is closed." Defaults to 0.

Also note that the cookie this quote talks about is in no way related to the "Remember me" feature we are talking about. This cookie is used by PHP to maintain the server-side session.

A "Remember me" feature needs to be coded by the developer (you, that is). It is not something PHP does automatically. (Although your CMS might, I don't know.)

The cookies used for that need to be created manually, using the setcookie function, and they also need to be fetched and validated. And if they check out, the user needs to be logged in (the session needs to be created, that is).

Quote:

Originally Posted by pradeepjain View Post

And when we say "remember me", what exactly is stored in the cookie in the browser: name => password / session ID?

Depends on your implementation.
This is typically the ID of the user and some sort of string that can be used to validate that this is in fact the user.
Like say, the user name, his password hash, and a bunch of "random" constants, all put together in a single SHA1 hash.

No matter how you implement this, you just need to make sure the string can be re-created by the server later, so it can be verified.

And keep in mind that cookies are in no way a secure place to store data, so make sure you don't put any data in a cookie you don't want anybody to see.
If you need to store stuff like user information, at least make sure it is hashed and/or encrypted in a way that won't allow somebody to steal the info.
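
Added example (not part of the original thread and not any poster's code): one way to build and verify the server-recreatable "remember me" value described in post #5. It swaps the plain SHA1 concatenation for HMAC-SHA256 keyed with a server-side secret and adds an expiry; `REMEMBER_KEY`, the cookie name `remember` and the in-memory `$users` array are assumptions made for the illustration.

```php
<?php
// Added example. REMEMBER_KEY, the cookie name and $users are assumptions, not from the thread.
const REMEMBER_KEY = 'replace-with-random-server-side-secret'; // placeholder; never sent to the client
const REMEMBER_TTL = 14 * 24 * 3600;                           // "keep me signed in for 2 weeks"

// Build "userId:expires:mac". The stored password hash is part of the MAC input,
// so changing the password invalidates every outstanding remember-me cookie.
function make_remember_token(int $userId, string $passwordHash, int $now): string
{
    $expires = $now + REMEMBER_TTL;
    $mac = hash_hmac('sha256', "$userId|$expires|$passwordHash", REMEMBER_KEY);
    return "$userId:$expires:$mac";
}

// Return the user ID if the token is authentic and unexpired, otherwise null.
// $lookupHash maps a user ID to its stored password hash (or null if unknown).
function check_remember_token(string $token, callable $lookupHash, int $now): ?int
{
    $parts = explode(':', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null; // malformed cookie value
    }
    [$userId, $expires, $mac] = [(int)$parts[0], (int)$parts[1], $parts[2]];
    $passwordHash = $lookupHash($userId);
    if ($passwordHash === null || $expires < $now) {
        return null; // unknown user or expired token
    }
    $expected = hash_hmac('sha256', "$userId|$expires|$passwordHash", REMEMBER_KEY);
    return hash_equals($expected, $mac) ? $userId : null; // constant-time comparison
}

// Constructed sample data standing in for the user table.
$users = [42 => '$2y$10$constructedHashForUser42', 43 => '$2y$10$constructedHashForUser43'];
$lookup = function (int $id) use (&$users) { return $users[$id] ?? null; };
$now = time();
$token = make_remember_token(42, $users[42], $now);

// In a request handler, after a successful login with "Remember me" ticked (PHP 7.3+):
// setcookie('remember', $token, ['expires' => $now + REMEMBER_TTL, 'path' => '/',
//           'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);

var_dump(check_remember_token($token, $lookup, $now));                     // fresh token
var_dump(check_remember_token($token, $lookup, $now + REMEMBER_TTL + 1));  // after expiry
var_dump(check_remember_token('43' . substr($token, 2), $lookup, $now));   // user ID altered
$users[42] = '$2y$10$constructedHashAfterPasswordChange';
var_dump(check_remember_token($token, $lookup, $now));                     // after password change
```

When the check returns a user ID, the application then creates the normal server-side session for that user; the PHP session cookie governed by `session.cookie_lifetime` stays separate from this one.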