
PHP session or cookie

What's best way to keep user logged on a PHP-powered site until he closes his browser?

The first and the most popular way is to go with $_SESSION. The second is to pass zero as the third argument of setcookie function: setcookie(name, value, 0, domain);

treng asked Jun 22 '12 07:06


2 Answers

As PHP session actually stores the SID by cookie (of course you can use other ways to set the SID if you like), there would not be much difference when simply using them.

The main difference is security: if you use cookies directly, clients can see and/or edit them themselves, but for a session the data is stored on the server side, so the client cannot access it directly.

So if the data only lasts for that session, I prefer using session.

Side-note: if you use multiple servers to balance the load you should be extremely careful because session data is stored locally on the server by default. It is possible to share session data across multiple servers but this is beyond the scope of this question. Alternatively, you can store data in a database.

Alvin Wong answered Sep 23 '22 16:09


I suggest you go for PHP sessions. It's simple and you do not have to deal with cookies on your own.

Below is the code to truly destroy a session, copy-pasted from the example given in the PHP manual.

// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();

About your question:

What's better to use to keep user logged in until he closes his browser?

There is no fail-proof way of determining when the user has closed the browser. One approach is to continuously keep sending small AJAX requests to the server. When no requests are seen for an extended period of time, destroy the session.

Another approach is to listen for DOM Window unload and send a request to the server to destroy the session.

UltraInstinct answered Sep 23 '22 16:09
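Putting both answers together, here is an added example (not code from either answer or from the PHP manual) of a browser-lifetime login: the session cookie gets lifetime 0 plus the flags that protect the session id, the id is regenerated on login, and a server-side idle timeout stands in for the "browser closed" event that cannot be detected reliably. It assumes PHP 7.3+ (array form of session_set_cookie_params) and a hypothetical check_credentials() that validates the login form.

```php
<?php
// Added example, not code from the answers above. Assumes a hypothetical
// check_credentials($user, $pass) that validates the submitted login form.

// lifetime 0 = no Expires/Max-Age on the cookie, so the browser drops it
// when it closes. The other flags protect the session id itself.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',      // current host only
    'secure'   => true,    // sent over HTTPS only
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',   // not sent on cross-site POSTs
]);
session_start();

// The browser closing is never reported reliably, so the server enforces
// its own idle limit instead of trusting the client.
const IDLE_LIMIT = 30 * 60; // seconds

function login(string $user, string $pass): bool
{
    if (!check_credentials($user, $pass)) {  // hypothetical helper
        return false;
    }
    // Fresh id on login: an id the client already held before authenticating
    // (session fixation) must not become an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user']      = $user;   // lives on the server; client only holds the id
    $_SESSION['last_seen'] = time();
    return true;
}

function current_user(): ?string
{
    if (!isset($_SESSION['user'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        // Idle too long: drop the server-side data, not just the cookie.
        $_SESSION = [];
        session_destroy();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user'];
}
```

Note that lifetime 0 only tells the browser when to discard the cookie; the data on the server is kept until session.gc_maxlifetime expires or session_destroy() runs, which is why the idle check above is needed.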