PHP Developers Network

Hi, I don't start a PHP session until the user opens the login page or the registration page. In other words I don't start a session on the home page under the assumption that random users may land on the home page out of curiosity or accident and not be interested. I also remove the session file when the home page is opened hoping that they will click the logoff button and go back to the home page. I do this to reduce the number of session files kicking around. I have never read anything about this so it is basically my idea. Am I correct in assuming this is pretty much standard practice.

Thanks,
John

Nope. Standard practice is to have a session everywhere.

Besides, if you don't use sessions on a page, how will it know if the user is logged in?

What I did is when they hit the login page (post home page) I set a session variable called "Login". So most of my pages are restricted to those who are logged in and maybe 10 are not. So I will called them Restricted-Page (RP) and Free-Page (FP). So at the top of all the RPs I will test the "Login" session variable and if they are not logged in I take them to a special error page which gives them the option to go to the login page directly or go to the home page. So on the home page I have buttons that allow user to go to the FPs (a few of these can also be accessed if they have logged in but that is fine). So what I do is if they are logged in I have all close out buttons for all pages in exactly the same top right area to encourage them to log out when they finally get back to the main control page which has the log out button . If they log out it takes them to the home page and the home page removes the session file. This approach was mainly to reduce the number of session files kicking around since I didn't want them created unless a viewer of the home page decided to log in (save disk space and general unwanted clutter). I also create a "login" session entry if they come in through the forgotten password process.

So here is why I got concerned with this approach. It is something that probably will never happen but it in theory could. If they happen to log in twice (enter the home page twice so they can get to the login page) it will kill their process file (tested and it definitely does). On thinking about this I think this is actually a good thing since if they try to log in twice from the same machine it creates a problem for processing (confused session file). So maybe in the end it is better to leave it the way I have it and that special error screen that is called will tell them that they must not enter the home page twice on the same machine because it creates unexpected results (extra debugging work for me which I don't want). This page does not send me an email error message (again less emails which is good).

So far after thousands of runs through this approach it has not given me a problem and I guess maybe by explaining it hear I answered my own question. Specifically just modify the special error page that is produced so that if they try to log in via two home pages entries to tell them not to do that, why not to do that, and what to do if they happen to have done that. What I would do is tell them close out all pages and log off properly then log in again (opening only one home page this time).

Maybe your site is completely different from all other sites, but why are you encouraging them to log out? If anything you should be encouraging them to log in.


You're spending your time worrying about something that doesn't matter. Unless you specifically disabled it PHP installations will delete old session files automatically, and unless you're putting tons of information in the session each file will be very small, and on top of that disk space is cheap.


It doesn't make sense for a user to deliberately do that so don't even allow it in the first place.


They don't need to close all the pages or anything drastic like that. Just pick a tab/window, log out, and log in: whatever other pages they have open can stay open, but next time they try to go anywhere it will be as the new user. Worst case they don't log in again but it's not like that really matters.

You're way over-thinking this. Knowing what's going on with session files and stuff is good and all, and I wish the other 99% of PHP developers cared about knowing what goes on under the hood too, but it's getting the best of you. PHP, web servers, the internet, they're all made to work a certain way so don't fight against it.

I just tried the above and it worked like you said. Thanks for pointing that out.



I actually don't encourage them to log out and the home page does encourage them to log in. Probably the main reason all close out buttons are in the exact same position is to speed them up and it just so happens that the log out button is in that exact same place too. My website is simple in most areas but a bit complex in two specific areas. Where it is simple I replace the existing page with a new page which I know is the standard. Where it is complex I purposely open new windows. In one situation I do it so they can toggle back and forth (normally 2 windows are open in this situation and of course this includes the help pages). In another situation I do it for speed (no need to open the complex pages again since they could be a bit slow to load and other members may get kicked out trying to access the same table). Besides if they really need the very latest info they can refresh it. So when they want to clean it all out (maybe 2 to 4 pages) they just position the cursor and click a few times and take it all out (fast). I did a complete review of the website to ensure I was not doing this any more than needed. I also did a complete review of every single page to ensure all these close out buttons are exactly in the same place. Its just me. I am always trying to figure out how to keep the website looking simple and how to make things faster and faster (clutter slows people down so that is why they are simple).

It is good to know the session files are removed by default. I had read a bit about it but I could not remember the default or if the default was to remove them. I seem to remember they hang around for 6 months or something. I figured I would set it up this way for now (lining up all the page close buttons) and get back to it later. Maybe I read what you said and just figured my lining up buttons would kill two birds with one stone (speed of close out and a bit of reduction in disk space too).

The only other reason I was thinking it might be worth opening a session when the home page is opened is to study hits. But I figure a lot will land on the home page which have no interest at all. Also I don't know if these bots or spiders would crank up the hits giving me numbers that mean nothing. If they register and decide to stop registering now that is of interest and a session makes sense there too. If they click a link on the home page to read some detailed info those numbers may be of interest so a session made sense to me but it means counting and updating a database. It is not a high priority right now but it might be useful.

Couldn't you check if they're logged in on the login page itself and not present the login form if they are?

_________________
Supported PHP versions No longer supported versions

That was what I was thinking of doing. Specifically I was thinking of this;

When the hope page is called, open a session and check the "Login" session variable.
1/ If it is empty then leave them on the home page with the session open.
2/ If it was set to "Logged out" (as I would set if they were on the control page and clicked logged out) then I would remove the session file.
3/ If it was set to "Login" then I would give them an error page telling them not to open the home page a 2nd time.

So maybe my question should have been more direct with this example asking "Is this the normal way to do it?".

I am trying to remember how this works. Lets see if I understand it correctly. When they first open a browser they are assigned an ID number for this browser session. If they go in to 5 websites all the session files on these different websites have the same browser ID basically and it keeps being used until they close down the browser all together (next open of the browser creates a new browser ID). So each time they call a new page it searches the server using this browser ID to find the proper session file (ignoring the old ones and I understand that hundreds or thousands can collect). So opening a second home page will for sure find the same session file that would have been created the first time they called my website. So it should work while at the same time since I have trained them to log out properly by always having the close out buttons positioned exactly the same way it will tend to lead them to delete the session files when they are finished thus speeding up the search through a reduced number of session files the next time they come in (hopefully since they could just X the whole browser down in one click if they want leading to the session file sitting there). So Maybe I keep the free pages (FPs) without session calls where it seems appropriate but call the session on the home page with this logic as one new addition to the bag of tricks? I am not an expert. Does this make sense?

What is the difference between these two states? (ie. why not just destroy the session when they log out?)


Is that helpful to the user? What about offering them alternatives rather than telling them they've done something bad/wrong. "Whoops. Looks like you're already logged in. Click here to go to your profile, click here to go to... whatever." Alternately, you could just redirect them to wherever they'd end up after having logged in. People are going to bookmark login pages.


That certainly isn't how I have ever approached it. I'll start up a session on every request. If I need it, it's available to me. If I don't, no big deal.

_________________
Supported PHP versions No longer supported versions

Thanks Celauran, I like your wording "Whoops. Looks like you're already logged in. Click here to go to your profile, click here to go to... whatever". I just created a to-do to review my error messages and see if I can improve them this way.

I got thinking about how to actually do this. It occurred to me that the log-out button would need to call the home page with a $_GET parameter to remove the current session and when that occurs it would not try to access the current session, otherwise it would do the test to see if they were already logged in.

I had no use for testing for session variables in the home page so I was clearing it every time rather than calling the home page with a parameter as I just mentioned (an error now that I think about it). It all came to light when a user triggered a bug in my program on Saturday. Before I contacted the user to figure out what they were doing I thought that maybe they tried to log in a second time (that could have triggered the bug and that was the only way I could think of that would have triggered it). It turned out this was not the case and they did something that was legit but I had failed to take this into account when I had made a change to the program. I fixed that oversight on Saturday but the scenario I had thought of kept bugging me and if it did not I never would have thought of the other bug mentioned in paragraph #2 above. Also if I had this "already logged in" test in my program already I would have known double login was not a possibility and I may have found the problem on my own without having to ask them what they were doing. The other thing is my program is only tested for doing one thing at a time so allowing them to operate two control pages at the same time could trigger bugs I had not expected (bad for me and for them). So the first change mentioned in paragraph #2 is a must (a fix) and the second change is just a matter of making the system more bullet proof.

Here is something new that just occurred to me as I am writing this. They may in fact want to go back to the home page to do some reading of the information there (perfectly valid and very possible since I give them lots of information but they may register before reading all of it). So the test for double login is probably best moved to the login page itself. Borrowing from your idea the message could be something like this. "Whoops. Looks like you're already logged in. Although operating two control pages at the same time may allow you to work more efficiently the program is not tested for this and you may get unexpected results.". I think it would be best to have this message picked up by the java-script when the login button is clicked (bypassing the call to the login page). So then the odds of them clicking he login button could be quite possible (It could be an autopilot reaction if they happen to log in often). Clicking the registration button should also be checked for. Oh well, lots to do - LOL.

So thanks for challenging the idea guys. You have kept me thinking about it and after 35 years of programming I have always found that pretty handy. I learned a few things that I had not thought of too.