0

I'm creating a Laravel application and I'm trying to grasp the concept of the HTTP session. I noticed that I don't really understand it on a fundamental level (e.g. what exactly happens).

On the internet there isn't much information available besides some basic stuff (getting and retrieving data, plus a few other common things).

I want to better understand it, so it'd be extremely helpful if someone could clarify the following things for me:

  1. What is a session exactly? What is meant with the driver? (Laravel offers: "file", "cookie", "database", "apc", "memcached", "redis", "dynamodb", "array".) What happens to it when I choose file vs cookie?
  2. What does it mean when a session expires? Is that when a user navigates away, or is it only for a specific time in the browser? E.g. if I redirect the user to some OAuth during onboarding, does that mean that the session expires or not?

Many thanks in advance!

ralphjsmit

1 Answer

2

As you can see, session is dependent on the driver you choose, and at the same time you can select the timeout as well in config\session.php.

In case of Cookie, the session will expire in two cases:

  1. Once the cookie has expired or been deleted.
  2. Or (current_time - cookie_creation_time) > session_timeout set in the session.php.

In all drivers, one thing is common: whenever you access the website, and a request is made to the server, it will add the last access time and calculate the session timeout from there.

When the user navigates from the browser and the cookie is still there and it hasn't expired, the user will be identified and the session will remain the same.

I hope it's clearer... If not, let me know. I will share some examples.

matiaslauriti
Vishal
  • Hey Vishal, thanks for your answer. Could you please share an example of some kind? And explain how, where, what data is stored in a session? Why do we exactly need a session? – ralphjsmit Jul 12 '21 at 19:53
  • Hello Ralph, You can check session/framework/sessions folder, for every new user it will create a hashed file, which will have data something like this `array:4 [▼ "_token" => "BfOxWkvGwXDRcLl8z2hgpjBpIM5htwjAa1BAKdKV" "_previous" => array:1 [▼ "url" => "http://domainurl.com" ] "_flash" => array:2 [▼ "old" => [] "new" => [] ] ]` – Vishal Jul 12 '21 at 20:10
  • and Laravel will create a cookie named `${app_name}_session`, which will have an expiration time, which can be set in the ENV file with `SESSION_LIFETIME`. Once you delete the cookie, your session will expire. Or if you have set `'expire_on_close' => true` in session.php, closing the browser will expire the session. Session is handled and managed by the below classes: `Illuminate\Session\SessionServiceProvider::class`, `Illuminate\Session\SessionManager::class`, `Illuminate\Session\Middleware\StartSession::class` – Vishal Jul 12 '21 at 20:11
  • check and let me know if you need more clarity on this. I will be happy to share all I can. – Vishal Jul 12 '21 at 20:12
  • Session is required to manage state and identify the user, and will also be used to keep the user logged in as long as the session is not expired. If there was no session, you wouldn't be able to access your Facebook Timeline, as Facebook won't be able to identify you as an *Authenticated User* – Vishal Jul 12 '21 at 20:17
  • @Vishal add all this info in your answer, edit it adding `---` after your last paragraph and then put all this new info as it is relevant to your answer... – matiaslauriti Jul 13 '21 at 00:01
  • Hey @Vishal, thanks for clarifying. One more question, does the `_previous` key contain the last visited page of a certain website? So if I redirect someone to an external website, does `_previous` still contain the visited URL on the site? – ralphjsmit Jul 13 '21 at 12:52
  • Hey @ralphjsmit, no, the `_previous` key only contains the pages visited on the Laravel website, and cannot track external website links, as the browser doesn't notify Laravel when external links are visited. – Vishal Jul 14 '21 at 09:32
  • Hey Vishal, thanks! Marked as correct. Sorry for the late reply, but my SO app didn't give me a notification (which it usually does). – ralphjsmit Jul 16 '21 at 14:41
  • No issue Ralph.. Thanks for your time, and do let me know if you have any further questions. – Vishal Jul 17 '21 at 21:33
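
The expiry behaviour discussed in the answer and comments above (an idle timeout measured from the last request, and the effect of losing the cookie) can be modelled in a few lines. This is an added illustration, not Laravel's code and not part of the original posts; `DemoSessionStore` and the timeline values are hypothetical.

```php
<?php
// Simplified model of a server-side ("file"-style) session store with a
// sliding idle timeout. Hypothetical class; not Laravel's implementation.
final class DemoSessionStore
{
    /** @var array<string, array{data: array, lastAccess: int}> */
    private array $records = [];   // stands in for the session files on disk

    public function __construct(private int $lifetimeMinutes) {}

    // First visit: create a record and return the ID that goes in the cookie.
    public function start(int $now): string
    {
        $id = bin2hex(random_bytes(20));           // unguessable session ID
        $this->records[$id] = ['data' => [], 'lastAccess' => $now];
        return $id;
    }

    // Later requests: look up the ID sent in the cookie. Returns the session
    // data, or null when the ID is missing, unknown or idle for too long.
    public function load(?string $id, int $now): ?array
    {
        if ($id === null || !isset($this->records[$id])) {
            return null;                           // no cookie or unknown ID
        }
        if ($now - $this->records[$id]['lastAccess'] > $this->lifetimeMinutes * 60) {
            unset($this->records[$id]);            // expired: drop server state
            return null;
        }
        $this->records[$id]['lastAccess'] = $now;  // sliding window restarts
        return $this->records[$id]['data'];
    }

    public function put(string $id, string $key, mixed $value): void
    {
        $this->records[$id]['data'][$key] = $value;
    }
}

// Constructed timeline with a 120-minute lifetime.
$store  = new DemoSessionStore(120);
$t0     = 1_700_000_000;
$cookie = $store->start($t0);
$store->put($cookie, 'onboarding_step', 'oauth');

var_dump($store->load($cookie, $t0 + 5 * 60));   // back from OAuth after 5 min
var_dump($store->load($cookie, $t0 + 124 * 60)); // 119 min idle since last hit
var_dump($store->load($cookie, $t0 + 245 * 60)); // 121 min idle: expired
var_dump($store->load(null, $t0 + 6 * 60));      // cookie deleted client-side
```

Leaving the site does not touch the server-side record; only idle time beyond the lifetime, or the browser no longer sending the ID cookie, ends the session in this model.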