Sessions last until a user closes the browser window. If the user navigates to another page and returns to your site again without having closed the browser, then the session will still exist . This behavior is usually desirable for your web application. You can even make the session last beyond closing the browser window, which enables you to remember users and their data over longer periods of time. This is the underlying functionality that enables “Remember me” login functions for example.
Use PHP’s built-in session handler
You may just as well take advantage of the built-in functionality in PHP – as long as you remember that default settings may not always be what you want, and they may not always be secure enough for your project. With PHP you could have started a session like below:
session_start(); $_SESSION['name'] = 'John';
This session will now live for a period defined by the default settings in your server system.
Automatically delete sessions
Depending on your setup, you can automatically remove session data by:
- Setting timeout values to cookies to limit their lifetime, thus stopping a client’s bowser from submitting the session ID after the given time.
- Deleting session files (or database entries) systematically based on their last-used timestamp. This also helps reducing the file overhead on the server system.
Both examples above will make further use of the old session impossible, thus your script should start a new session the user can continue with.
Customizing cookie settings
You can customize the session’s cookie settings to adjust the behavior of the session to suit your specific needs. The following example sets the session’s cookie lifetime to 1 hour (3600 seconds), whereafter the browser will discard the cookie. Thereafter the browser does no longer transmit a session id, until a new one is obtained via a new session cookie from the server. This is a smart way to auto-invalidate sessions based on time.
session_set_cookie_params(3600);
The session_set_cookie_params() method takes a lot of arguments, which can be useful depending on your use-case. One thing I’d like to point out especially, is the use of the “secure” parameter. This indicates if the cookie should be transmitted both via HTTP and HTTPS – or only via HTTPS. Choosing only HTTPS is important for secure login-protected areas of websites – but also makes the session management more difficult, if you maintain HTTP and HTTPS connections for your site. It would be simpler if you forced the use of HTTPS all the time, but that may not always be possible.
Manually deleting a session
Sometimes you want to end a session manually, for example when a user performs a logout. This procedure stops the use of a given session and deletes all the session’s data based on a script. PHP offers a built-in function for doing that:
session_destroy();
Hereafter the old session is not available anymore, and any new visit to your site would essentially be triggering a new session to start (i.e. the user is no longer known/logged in after clicking “Logout”).
General session process
It is generally suggested that you always follow the same procedure for each request:
- Check if a session ID is submitted, and load the session data (otherwise create a new session). This is what session_start() in PHP does for you.
- Consider using a parallel session for HTTP and HTTPS connections, so you have the sensitive data in a session transmitted only via HTTPS. Non-sensitive session data can be stored in the parallel session, which is available on both HTTP and HTTPS.
- Use proper cookie lifetimes and continuously cleanup old sessions if applicable for your system.
Adhering to the few suggestions above will provide you with simple and secure session management.
No comments yet (leave a comment)