
Sessions or URL variables?

Posted: Wed May 09, 2012 1:36 pm
by PhilAJ
I would be most interested to hear the views of some experienced PHP'ers, regarding the alternative use of Sessions or URLs, as I'm fairly new to larger PHP web projects.

I am developing a website that can be accessed by anyone - for the most part, however to get to a 'My Page' the user must login.

I have a login form in a header file that is included on every page, and when it is completed it verifies the user credentials (in an SQL database) then displays a Welcome message, instead of the login form. Every page visited then has this Welcome instead of the login form.

I can get this to work using SESSIONS - BUT - if I close the browser then go back in, the Welcome stays, i.e. the Session is still active. (Can a Session be destroyed completely once a browser moves to another site, without having to put code on every possible close event?)

SO - I thought I'd use ?uname=xxxx on the end of the URL to pass the uname (and the fact that it was logged in) around - BUT - this means changing EVERY link to every page to include the ?uname=xxxx variable.

What is the 'Best Practice' for this situation - Sessions or URL Variables?

Thanks for any advice

Phil

Re: Sessions or URL variables?

Posted: Wed May 09, 2012 2:33 pm
by pickle
URL variables are a pain in the butt for just the reason you mentioned. In addition, if you only use URL variables, what's to stop me from typing in someone else's username in the URL?

The easiest way to expire sessions is to store a "last_accessed_time" value in $_SESSION. Then, in your header file, check if that "last_accessed_time" is within the last 30 seconds, or 5 minutes, or however long you want the session to last. If "last_accessed_time" is outside that, destroy the session and require the user login again.

Re: Sessions or URL variables?

Posted: Wed May 09, 2012 3:41 pm
by tr0gd0rr
You can also use cookies to remember things from last visit. Here is my rule of thumb:
  • URL parameters: Use to allow a person to bookmark a page (e.g. search results)
  • $_SESSION: Store things pertinent to that user applicable to the duration of the browsing session (e.g. Login authorization, shopping cart contents)
  • Cookies: Store things that would be useful to remember from the user's last visit (e.g. last viewed page, "Remember Me" token)
  • Database: Store permanent things

Re: Sessions or URL variables?

Posted: Wed May 09, 2012 4:20 pm
by Christopher
PhilAJ wrote: I can get this to work using SESSIONS, - BUT - if I close the browser then go back in - the Welcome stays - ie the Session is still active. (Can a Session be destroyed completely once a browser moves to another site (without having to put code on every possible close event)).
That could be a feature or a problem. A simple solution might be to set the expiration of the Session to something shorter. You could do this manually by saving a timestamp in the Session and checking how long since the last request. If it is too long then logout the user, otherwise save the current time as the timestamp.

As far as the other alternative of logging the user out (with JavaScript calling PHP) on the window close event, it seems like if you are including code on every page then you could add that JavaScript to the head of every page.

Re: Sessions or URL variables?

Posted: Wed May 09, 2012 5:15 pm
by PhilAJ
Thanks all for the suggestions, looks like it's SESSIONs for my usage, with the 'last accessed time' being checked and then a SESSION Destroy and back to the home/login page.

Very useful advice from all.

Regards

Phil

Re: Sessions or URL variables?

Posted: Thu May 10, 2012 10:03 am
by x_mutatis_mutandis_x
PhilAJ wrote: I can get this to work using SESSIONS, - BUT - if I close the browser then go back in - the Welcome stays - ie the Session is still active. (Can a Session be destroyed completely once a browser moves to another site (without having to put code on every possible close event)).
Sessions are tracked using cookies (unless cookies are disabled and you have the configuration allowing session_ids to be passed in the URL). You can set the cookie in such a way that it expires on closing the browser, in which case the user will have to login again when they close and re-open the browser. However, the session file/data is maintained on the server side, which you would have to age off (especially when session_ids are passed in the URL), and one way to do that is what pickle suggested: using last_accessed_time.
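Putting pickle's last_accessed_time check and the cookie-expiry point above together, as an added PHP example that is not code from anyone in the thread; the 5-minute timeout and the verify_credentials() database check are assumptions:

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.3, HTTPS, and a
// hypothetical verify_credentials($uname, $password) that checks the SQL table.
const IDLE_TIMEOUT = 300; // seconds: 5 minutes, as pickle suggests
function start_secure_session(): void {
    // lifetime 0 => browser discards the cookie when it closes (x_mutatis_mutandis_x)
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/',
        'secure'   => true,  // only sent over HTTPS
        'httponly' => true,  // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    session_start();
}
function logout(): void {
    $_SESSION = [];
    $p = session_get_cookie_params(); // expire the client cookie, not just server data
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
// Call from the shared header on every page; returns the username or null.
function current_user(): ?string {
    if (empty($_SESSION['uname'])) {
        return null;
    }
    if (time() - ($_SESSION['last_accessed_time'] ?? 0) > IDLE_TIMEOUT) {
        logout(); // idle too long: age the server-side data off, force a new login
        return null;
    }
    $_SESSION['last_accessed_time'] = time(); // sliding expiry on every request
    return $_SESSION['uname'];
}
function login(string $uname, string $password): bool {
    if (!verify_credentials($uname, $password)) { // hypothetical DB check
        return false;
    }
    session_regenerate_id(true); // fresh id on login guards against session fixation
    $_SESSION['uname'] = $uname;
    $_SESSION['last_accessed_time'] = time();
    return true;
}
```

The header file calls start_secure_session() before any output, then current_user() to decide whether to show the Welcome message or the login form.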