What happens to a SESSION when it expires in PHP or is refreshed on the page?
What happens when the session time expires ? (This time is usually 24 minutes by default).
Example:
When logging in we set the credentials of a given user in $_SESSION, with the data resulting from a SELECT (a query) made in the database, as below:
$_SESSION["id_usuario"] = $retorno_select["id"];
$_SESSION["nome"] = $retorno_select["nome"];
$_SESSION["email"] = $retorno_select["email"];
$_SESSION['usuario'] = $retorno_select['usuario'];
$_SESSION["departamento-usuario"] = $retorno_select["departamento"];
$_SESSION['permissao'] = $retorno_select['permissao_acesso'];
So on every page I want to check the user access permission, or use some user data (like even a Simple "Bom dia, $_SESSION['nome']"), I give a session_start() to start this session.
My question is this: at the end of these 24 minutes (default SESSION duration time) what happens to this data that has been set ? like the one below for example:
$_SESSION["nome"] = $retorno_select["nome"];
Is this $_SESSION["nome"], and all the others that have been created, destroyed ? Are the values that have been passed to them erased and they remain active?
What happens to the SESSION if it expires and I give it a F5 (refresh) on the page and that Page has a session_start() ?
What happens if the SESSION has a lifetime of 24 minutes and when it has with 15 minutes I give an F5 (refresh) on the page ? Does your counter continue counting from 15 minutes or is that counter zeroed and resumes again ?
What happens when we make an AJAX request on a .php file that has a session_start() in it ? Is SESSION life restarted ?
As we do via PHP code to increase the time of a created session ? For example, we enter a page, the session is "running" (already with a life time of 15 minutes) and the session has that Standard Life of 24 minutes. So we want to increase this life time from 24 minutes to 1 hour. How would we do in the page file ? It could also be to set this "default" time increase at the time we start the session and fill it with the user data.
After the SESSION has expired (ter after the 24 minutes), what happens, for example, if I enter enter a file, give a session_start() and run one of the commands below?
session_start();
if(isset($_SESSION["nome"])){
return true;
}
else{
return false;
}
Or:
session_start();
if(empty($_SESSION["nome"])){
return true;
}
else{
return false;
}
Or:
session_start();
if($_SESSION["nome"]){
return true;
}
else{
return false;
}
2 answers
The session is kept in a file, what you have in the " front-end "(in the client program, as a browser) is a COOKIE with a key for the session, when the SESSION exceeds the GC life timeout ( https://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime ) will consider as the file "potentially/likely" for deletion.
The GC will not eliminate exactly in such time, or disregard, it will also depend from:
- https://www.php.net/manual/en/session.configuration.php#ini.session.gc-probability
- https://www.php.net/manual/en/session.configuration.php#ini.session.gc-divisor
This already comes with default values, but you can also configure from PHP7 with the first parameter of session_start:
session_start ([ array $options = array() ] ) : bool
You could force a session cleanup by forcing GC and then running session_destroy, like this:
<?php
session_start();
...
session_gc();
session_destroy();
But I think this internally is extremely laborious, except that this can cause problems with concurrent connections, even if the Sessions use LOCK, there is a possibility of the call occurringrace condition, so actually using session_destroy() or forcing something that is internally laborious like GC is consuming and disrupting your own scripts more than necessary.
I suggest that one intends to prevent certain data keep going, you could just set a flag in your own $_SESSION stating that it must be "dead", in my situations I usually only create a key inside $_SESSION to inform when it was last updated and if it is out of time then I disregard it, but I won't go into details about it, because it kind of depends on what you want to do.
There are also those who use session_regenerate_id() to change the user's session for a new one, but this does not invalidates the second ,to "invalidate" it would be the case to use so session_regenerate_id(true), but this will also have problem of condition run, of course no one is forbidding to use this, but it must be understood that it is problematic, except that the immediate deletion of session data also disables the detection and Prevention of session hijacking attacks, that is, more problems.
In my view the best is to control session access by time / timestamp, because if someone accesses accidentally (or "hijack" a COOKIE with the key of an old session) old data with timestamp you could determine that it is invalid.
I need to highlight a detail about what LOCK is, when we are recording data in a session the file is locked, if you access multiple pages, for example 10 pages at the same time, with the same session while the first is loading and using the session the remaining 9 pages will be "locked " and" loading", until the first page release the session, then the second page will continue loading, but the remaining 8 pages will continue waiting, as I explained in:
The refresh on page
The refresh on the page I think refers to F5 or Ctrl + F5 (Cmd+F5) in most browsers, this is totally irrelevant to the session, it has no way exactly the back-end understand everything that is done in the program client (browser), the refresh is more an action on the client and not on the back-end, basically it stops / cancels the HTTP request and makes a new similar request, only that, the process is all HTTP, the session will continue there, PHP even sometimes understands a previous cancellation by the user through SAPI (apache, ngnix, etc.) and can cancel your PHP script, but at the end anyway when your " script dies "(finalize) the only thing that will occur is something similar to function session_write_close(), which will record what was in the "memory", because as I explained in the previous link (about LOCK+session), the data is only recorded at the end or with session_write_close().
Even with Ajax or anything else PHP has no way of knowing exactly what happens in your client, the sessions are managed on the back-end, by your scripts and GC, in web pages almost everything is HTTP, more or less this:
- browser requires
- server (apache / ngnix / etc)
- SAPI communicates with PHP
- PHP processes
- PHP returns pro SAPI (Server)
- server sends response download
- browser downloads the response it is receiving
Clearing cookies from your browser will also not influence anything, because as I said already, session cookies are only to store Session Keys, which takes care of eliminating idle Sessions is the GC, and this is something we do not have control and we shouldn't even have.
The suggestion to "invalidate" the session was the one I suggested, a flag or timestamp.
Among the options you questioned (ISSET, EMPY, or IF ()). It is recommended to use if (isset (ISS _SESSION["name"])) , because the variables no longer exist, if you use EMPTY () you will be testing if they are empty, and depending on the version of your PHP if ($_SESSION["name"]) will not work.
If your session has expired the server will show an error message when trying to fetch the session by the id that will be registered in your browser.
The default is that F5 does not destroy the session, if this is happening on the client side, I suggest it is some Browser Configuration. It has already happened to me problem in the session on account of installed plugins.
An Explanatory example of how it works on a website login page.
- the user submits the login form, a server on the other side authenticates the request by validating the credentials.
If the credentials entered by the user are valid, the server creates a new one session. The server generates a unique random number, called the session ID. It also creates a new file on the server, used to store session-specific information.
Then a session ID is passed back to the user along with any requested resource. Behind the scenes, this session ID is sent in the phpsessid cookie in the response header.
When the browser receives the response from the server, it comes across the phpsessid cookie header. If cookies are allowed by the browser, it will save this phpsessid cookie, which stores the session ID passed by the server.
For subsequent requests, the phpsessid cookie is passed back to the server. When the server finds the phpsessid cookie, it will try to initialize a session with that session ID. This is done by loading the session file that was previously created during session startup. Initialize to super global array variable $ _SESSION with the data stored in the session file.