What's best way to keep user logged on a PHP-powered site until he closes his browser?
The first and the most popular way is to go with $_SESSION
. The second is to pass zero as the third argument of setcookie
function: setcookie(name, value, 0, domain);
As PHP session actually stores the SID by cookie (of course you can use other ways to set the SID if you like), there would not be much difference when simply using them.
The main difference is security, because if you use cookies directly clients can see and/or edit them themselves, but for session the data is stored on the server side so client cannot access directly.
So if the data only lasts for that session, I prefer using session.
Side-note: if you use multiple servers to balance the load you should be extremely careful because session data is stored locally on the server by default. It is possible to share session data across multiple servers but this is beyond the scope of this question. Alternatively, you can store data in a database.
I suggest you go for PHP sessions. Its simple and you do not have to deal with cookies on your own.
The below is the code to truly destroy a session, copy-pasted from the example given in the PHP manual.
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
About your question:
What's better to use to keep user logged in until he closes his browser?
There is no fail-proof way of determining when the user has closed the browser. One approach is to continuously keep sending small AJAX requests to the server. When no requests are seen for an extended period of time, destroy the session.
Another approach is to listen for DOM Window unload and send a request to the server to destroy the session.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With