
I require some confirmation about sessions and session cookie logic.

What really happens when you close the browser / delete the session cookies manually in the browser (btw, do they have identically the same result by default?)?

In the given case, the deletion of the session cookies happens at the client.
Does the browser send an implicit message to the web server (i.e. Apache) to say that the current session_id should be destroyed and can be re-used? Or does the web server have a mechanism to just re-use session_ids that have been inactive for a long time?

Resulting question:
In the second case, how does PHP know when to clear the current $_SESSION globals from the PHP filesystem (tmp) if sessions are destroyed from the client? Does Apache send a command to PHP to delete the corresponding file with session information the moment before it re-uses the session_id? Do these session files remain there until a certain expiration time (or do they really get destroyed immediately when the session cookies get destroyed)?

As you may notice, I'm experiencing some confusion here.
Thanks for helping me clarify.

Edit:
I'm talking about these session cookies:

(screenshot of the browser's cookie list, not reproduced here)

html_programmer

2 Answers

There are two types of cookies:

  1. Server side cookie
  2. Client (HTTP) side cookie

When you clear cookies from the browser, it clears only client side cookies (cookies on your machine). And yes, there is an expiration time set for all cookies.

Here is some information for you:

Client side cookies

Cookies are key/value pairs used by websites to store state information on the browser. Say you have a website (example.com); when the browser requests a webpage the website can send cookies to store information on the browser.

Browser request example:

GET /index.html HTTP/1.1
Host: www.example.com

Example answer from the server:

HTTP/1.1 200 OK
Content-type: text/html
Set-Cookie: foo=10
Set-Cookie: bar=20; Expires=Fri, 30 Sep 2011 11:48:00 GMT
... rest of the response

Here two cookies, foo=10 and bar=20, are stored on the browser. The second one will expire on 30 September. In each subsequent request, the browser will send the cookies back to the server.

GET /spec.html HTTP/1.1
Host: www.example.com
Cookie: foo=10; bar=20
Accept: */*

Server side cookies (SESSIONS)

Server side cookies are known as sessions. The website, in this case, stores a single cookie on the browser containing a unique Session Identifier. Status information (foo=10 and bar=20 above) is stored on the server, and the Session Identifier is used to match the request with the data stored on the server.

Check here for more details:

What is the difference between server side cookie and client side cookie?

When session cookies are cleared, they are removed from the client (your machine). Now, the server can't identify you since it doesn't know the session id which was in the cookie you cleared recently, so it looks like your session is cleared.

Part of the credit goes to the guy who answered that question!!

Mario
Pruthvi Raj Nadimpalli
  • When session cookies are cleared, they are removed from the client (your machine). Now, the server can't identify you since it doesn't know the session id which was in the cookie you cleared recently, and so it looks like your session is cleared. – Pruthvi Raj Nadimpalli Mar 03 '14 at 10:27
  • As I said, when you clear cookies from the browser, client-side cookies get deleted. But SESSION information on the server remains. In general, SESSIONs on the server are saved in files, databases, etc. When they get cleared, the server-side SESSION gets cleared too. – Pruthvi Raj Nadimpalli Mar 03 '14 at 10:33
  • As I understand, session ids are generated by and stored in the web server's (i.e. Apache's) memory/db, while session variables are by default stored in the PHP tmp folder. What I understand is that when the session cookie (with session id) is deleted in the browser, the client can no longer be identified on the server. So the previous session id needs to expire, but the web server doesn't know that yet, and the PHP globals are still stored. This is where I'm confused: how do they get destroyed (web server session_id + PHP session globals)? – html_programmer Mar 03 '14 at 10:40
  • For example: I could understand if the web server expires an unused session_id (for 15 mins) and sends a command to the PHP engine to destroy the globals. But I don't know if this is true. – html_programmer Mar 03 '14 at 10:42
  • Point one: PHP is not a web server; it doesn't directly handle sessions. It only facilitates the web server in handling sessions. – Pruthvi Raj Nadimpalli Mar 03 '14 at 11:27
  • Point two: session_destroy clears the files. If left unused, the session ids are not deleted (unless they reach expiration time). The files do not get cleared. They are cleared by cleaning the session save path directory. – Pruthvi Raj Nadimpalli Mar 03 '14 at 11:28
  • So when clearing the session cookies in the browser, nothing really gets cleared on the server, and it has to be done from the server (PHP) afterwards or manually? Sounds acceptable, although a weird construction... – html_programmer Mar 03 '14 at 11:45
  • Exactly, nothing happens on the server. – Pruthvi Raj Nadimpalli Mar 03 '14 at 11:47
  • Does this answer your question? Any doubts? – Pruthvi Raj Nadimpalli Mar 03 '14 at 12:04
  • Final question before acceptance. You clear the session globals on the server periodically then? – html_programmer Mar 03 '14 at 12:27
  • @KimGysen The answer to when and how session data is deleted is more complicated than what you think. Session ($_SESSION) has a lifetime, which is 24 minutes by default. If a session is not active for 24 minutes, it is destroyed. You can change this in the settings. But here only $_SESSION is cleared, not the session data. Data will still be left on the server until the server performs a session garbage collection cycle. As I said, you can either back up (or) delete server data explicitly. In code, if you want to destroy the session ($_SESSION), use session_destroy(). I hope this answers your question. – Pruthvi Raj Nadimpalli Mar 03 '14 at 12:53
  • Let me know if you have any questions. – Pruthvi Raj Nadimpalli Mar 03 '14 at 12:55
  • It's ok, I found the same answer here: http://stackoverflow.com/questions/14981524/when-does-a-web-server-clear-the-php-session-identifier – html_programmer Mar 03 '14 at 13:02

If you delete session data from your browser, there is no feedback to the server to destroy the given session.

Sessions are destroyed after a certain period of time, the sessions lifetime. AFAIK it is set to 15 mins.

Samuel
  • Thanks. Does the web server send a command to PHP to destroy the session files relating to the session_id it wants to destroy, or does PHP send a command to the web server, saying that it is going to destroy the session variables and requesting to delete (re-use) the session_id? – html_programmer Mar 03 '14 at 10:25
  • You should probably regard PHP as the webserver, as PHP is maintaining sessions, their destruction, their reuse. I am unaware of the mechanism in PHP which updates the server sessions and I think it is also not important in your case as in your scenario the webserver handles sessions by itself. You might find a deeper explanation here: http://www.php.net/manual/en/book.session.php . Probably relevant http://en.wikipedia.org/wiki/Session_hijacking – Samuel Mar 03 '14 at 11:22
  • Woops, I accidentally downvoted on my smartphone - I will rectify this shortly, then delete this comment. (Apparently you need to make an edit to this answer before I can re-upvote). – html_programmer Mar 03 '14 at 12:43
  • Like, if you clean the server cookies, then even if the client has cookies, they won't be valid, thus have no value. When you clean the client cookies, you will not be able to "cross" server cookies with the same ids... but if you could somehow get your client cookies again you would check that they are still working. So invalid server cookies will, depending on your use of cookies, disable the client ones. – Miguel Sep 01 '15 at 17:59
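Both answers above make the same point: the client only ever holds a session id cookie, the session data lives on the server, and deleting the cookie in the browser tells the server nothing. The following is an added illustration, not code from either answer or from PHP itself: a small Python model of a file-backed session store in the style of PHP's default "files" save handler. The parameter names (save path, gc_maxlifetime, the PHPSESSID cookie name, the 1440-second default) are borrowed from php.ini as a naming convention only; the on-disk format, the cookie parser and the fixed clock are assumptions made for the demonstration. The walk-through reproduces the scenario from the question: a cookie is issued, the browser deletes it, the server-side file survives, the old id still resumes the session (which is why a captured id remains a hijack risk until garbage collection or an explicit destroy), and only session_destroy-style removal kills it immediately.

```python
import json
import os
import secrets
import tempfile
from typing import Optional


def sid_from_cookie(cookie_header: Optional[str], name: str) -> Optional[str]:
    """Extract the session id from a request 'Cookie:' header value (assumed simple parser)."""
    if not cookie_header:
        return None
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name and value:
            return value
    return None


class SessionStore:
    """Server side: one file per session, named sess_<id>, as PHP's files handler does.
    Data format (JSON) and method names are assumptions of this model, not PHP's code."""

    def __init__(self, save_path: str, gc_maxlifetime: int = 1440, cookie_name: str = "PHPSESSID"):
        self.save_path = save_path
        self.gc_maxlifetime = gc_maxlifetime  # seconds of inactivity before gc may remove a file
        self.cookie_name = cookie_name

    def _path(self, sid: str) -> str:
        return os.path.join(self.save_path, "sess_" + sid)

    def _write(self, sid: str, data: dict, now: float) -> None:
        path = self._path(sid)
        with open(path, "w") as fh:
            json.dump(data, fh)
        os.utime(path, (now, now))  # file mtime is the "last activity" stamp gc looks at

    def start(self, cookie_header: Optional[str], now: float):
        """Like session_start(): resume the id named in the cookie if its file exists,
        otherwise mint a fresh id. An unknown id is never adopted (strict mode), which
        blocks session fixation. Returns (sid, data, set_cookie_header_or_None)."""
        sid = sid_from_cookie(cookie_header, self.cookie_name)
        if sid and os.path.isfile(self._path(sid)):
            with open(self._path(sid)) as fh:
                data = json.load(fh)
            os.utime(self._path(sid), (now, now))  # activity refreshes the gc clock
            return sid, data, None
        sid = secrets.token_hex(16)
        self._write(sid, {}, now)
        # No Expires/Max-Age: a "session cookie" the browser drops when it closes.
        # HttpOnly/Secure/SameSite are hardening attributes added here as an assumption.
        return sid, {}, f"{self.cookie_name}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

    def save(self, sid: str, data: dict, now: float) -> None:
        self._write(sid, data, now)

    def exists(self, sid: str) -> bool:
        return os.path.isfile(self._path(sid))

    def destroy(self, sid: str) -> str:
        """session_destroy() plus an expiring Set-Cookie: the only immediate server-side removal."""
        try:
            os.remove(self._path(sid))
        except FileNotFoundError:
            pass
        return f"{self.cookie_name}=deleted; Path=/; Max-Age=0"

    def gc(self, now: float) -> list:
        """Garbage collection: delete files idle longer than gc_maxlifetime. PHP runs this
        only probabilistically on session_start (gc_probability/gc_divisor); here it is explicit."""
        removed = []
        for name in os.listdir(self.save_path):
            path = os.path.join(self.save_path, name)
            if name.startswith("sess_") and now - os.stat(path).st_mtime > self.gc_maxlifetime:
                os.remove(path)
                removed.append(name[len("sess_"):])
        return removed


def demo() -> dict:
    """Replay the question's scenario with a fixed clock (constructed timeline, not real traffic)."""
    with tempfile.TemporaryDirectory() as save_path:
        store = SessionStore(save_path, gc_maxlifetime=1440)
        t0 = 1_000_000.0
        sid, data, set_cookie = store.start(None, t0)              # 1. first visit: new id issued
        data["user"] = "alice"
        store.save(sid, data, t0)
        sid2, data2, _ = store.start(f"PHPSESSID={sid}", t0 + 60)  # 2. browser sends it back
        # 3. User deletes the cookie. Nothing is sent to the server; the file is untouched.
        sid3, data3, _ = store.start(f"PHPSESSID={sid}", t0 + 120)  # 4. a captured id still works
        sid4, _, _ = store.start(None, t0 + 120)                    # 5. cookieless browser gets a new one
        early = store.gc(t0 + 120 + 1440)                           # 6. not yet past gc_maxlifetime
        late = store.gc(t0 + 120 + 1441)                            # 7. both idle files swept
        sid5, _, _ = store.start(None, t0 + 2000)
        logout_cookie = store.destroy(sid5)                         # 8. explicit destroy: gone now
        return {
            "set_cookie_is_session_cookie": "Expires" not in set_cookie and "Max-Age" not in set_cookie,
            "resumed": sid2 == sid and data2 == {"user": "alice"},
            "file_survives_cookie_deletion": store.exists(sid) or sid in late,
            "stolen_id_still_valid": sid3 == sid and data3 == {"user": "alice"},
            "fresh_id_differs": sid4 != sid,
            "early_gc_removed": early,
            "late_gc_removed": set(late),
            "ids_swept": {sid, sid4},
            "destroyed_immediately": not store.exists(sid5),
            "logout_set_cookie": logout_cookie,
        }
```

The point for a practitioner: "log out" by clearing cookies is a client-side fiction. A session id that has leaked (logs, a shared machine, an XSS that read a non-HttpOnly cookie) keeps working until the server's garbage collector happens to sweep the idle file or the application calls the equivalent of session_destroy(), so a real logout endpoint must do the latter and should also rotate ids on login.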