
I'm developing an analytics script that people will be able to add to their page in order to track visitor data. One of the issues I've come across is devising a way to track individuals' sessions when they're viewing someone's page from a private browser (i.e. Incognito).

This is the script I'm using to observe if someone has been active for more than 30 minutes; if they have, a new session will be created, and if not, they will resume their previous session.

    <?php
    session_start();
    $max_time = 1800;          // 30 minutes of inactivity ends the session
    $current  = time();
    $session  = null;          // start time of the session we end up in

    if (!isset($_SESSION['Stationary'])) {
        // First request of a brand-new session: record when it began
        $_SESSION['Stationary'] = $current;
    }

    if (!isset($_SESSION['Inactive'])) {
        $_SESSION['Inactive'] = $current;
    } else {
        $session_life = $current - $_SESSION['Inactive'];
        if ($session_life > $max_time) {
            // Idle for too long: drop the old session data and start a fresh one
            $_SESSION = [];
            session_destroy();
            session_start();
            $_SESSION['Inactive']   = $current;
            $_SESSION['Stationary'] = $current;
        } else {
            // Still active: bump the last-seen timestamp
            $_SESSION['Inactive'] = $current;
        }
    }

    // Set in every path (the original left it unset when only 'Inactive' was missing)
    $session = $_SESSION['Stationary'];

This script works flawlessly when a user views my page from a regular browser (i.e. Chrome Incognito); however, when they view it on something like an iPhone in Private Browsing, every time they access a new page a new session is rendered -- a problem that I do not have when it is viewed otherwise.

So my question then is: I'm aware that viewing pages in a Private Browser is achieved through temporary caching which is cleared once the browser is closed, however why is it that even when the browser is not closed, opening a link destroys their previous session, even when the link leads to another page with the same script on it?

Is there a workaround to this?

EDIT: I should note that this script is being placed in a PHP file with the header application/json, to be used as a JavaScript file as well.

Brad

  • Btw, you can configure the life time of your sessions via `session.gc_maxlifetime`. – Ja͢ck May 27 '15 at 07:41
  • My WebHost doesn't allow managing the PHP configuration file unfortunately, @Ja͢ck – Brad May 27 '15 at 07:48
  • You can set it with `ini_set()` (because of PHP_INI_ALL), so there should be no issue there. – Ja͢ck May 27 '15 at 07:52
  • Have you tried this? http://stackoverflow.com/questions/3740845/php-session-without-cookies – John Jun 08 '15 at 19:54
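Added example, not the question's script and not something the commenters posted: an inactivity-timeout helper that applies the `ini_set('session.gc_maxlifetime', ...)` hint from the comments, hardens the session cookie, and regenerates the session ID whenever a stale session is replaced, so the old ID cannot be resumed. The function name, the 30-minute limit and the cookie settings are assumptions; the page prescribes none of them.

```php
<?php
// Added example (not the question's code). Assumes PHP 7.3+ for the array
// form of session_set_cookie_params(); names and limits are assumptions.

function startTrackedSession(int $maxIdle = 1800, ?int $now = null): array
{
    $now = $now ?? time();

    // The server-side lifetime must be at least the idle window, otherwise the
    // garbage collector can delete a session we still consider live. The
    // comments note this is PHP_INI_ALL, so ini_set() works without php.ini access.
    ini_set('session.gc_maxlifetime', (string) $maxIdle);
    // Reject session IDs the server never issued (blocks fixation via a chosen ID).
    ini_set('session.use_strict_mode', '1');

    // The session ID is a bearer token: keep it off plain HTTP and out of script reach.
    session_set_cookie_params([
        'lifetime' => 0,                          // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),  // assumption: HTTPS is signalled this way
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();

    $isNew   = !isset($_SESSION['started'], $_SESSION['last_seen']);
    $expired = !$isNew && ($now - $_SESSION['last_seen']) > $maxIdle;

    if ($expired) {
        // Idle too long: discard the old data and issue a new ID (deleting the
        // old one server-side), then fall through to create a fresh record.
        $_SESSION = [];
        session_regenerate_id(true);
        $isNew = true;
    }

    if ($isNew) {
        $_SESSION['started'] = $now;
    }
    $_SESSION['last_seen'] = $now;

    return [
        'id'      => session_id(),
        'started' => $_SESSION['started'],
        'new'     => $isNew,
        'expired' => $expired,
    ];
}

// Usage in the analytics endpoint (send whatever Content-Type your embed expects):
// $info = startTrackedSession();
// echo 'var analyticsSession = ' . json_encode($info) . ';';
```

This only makes the session logic correct when the browser does send the cookie back; it does nothing to make a cookie survive in a browser that refuses to store it, which is the separate problem the answers below address.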

3 Answers


If we firstly look at the PHP session documentation:

A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL.

Secondly, what Mozilla support says about private browsing (pretty much the same for other browsers):

What does Private Browsing not save? Cookies!

So the answer is clear now: the browser is not saving any of the cookies that are used by PHP in order to retrieve the respective session.

Is there a workaround to this?

Yes. The $_SERVER variable holds data that can be considered as unique. For example, try using REMOTE_ADDR combined with parsed data from HTTP_USER_AGENT and CRUD it (database, probably).

Some extra info

sitilge

  • I'm able to remain logged in on a website while private browsing, whilst navigating across pages without closing the tab; this doesn't work when implementing a script such as this. Could it perhaps be because I'm not using this script as an `include` across all pages? Also, this script works perfectly fine while private browsing on a private browser on Google Chrome desktop, however the same cannot be said for Safari private browsing on the iPhone. – Brad Jun 04 '15 at 00:52
  • See related question here: http://superuser.com/questions/601819/why-chrome-incognito-keeps-cookies-after-closing-browser. Seems that old cookies are kept, thus allowing you to have the same UX. What do you mean by include across all pages? If there is no Front Controller (a central point, proxy-like) for requests then - yes, you should do it; otherwise, place it in there. – sitilge Jun 04 '15 at 06:21
  • As said in your second link (the one that links to the "get client IP address"), $_SERVER does not always have the right information about the IP. So, if the visitor is behind a proxy and this proxy does not send HTTP_X_FORWARDED_FOR you will never have any correct information. Private browsing is what it says: it's private, trying to not tell anything about the user. It's maybe not perfect, but you can't rely on a proxy to work around it. – Armage Jun 09 '15 at 15:12
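Added example, not sitilge's code and not from the linked questions: one way to build the REMOTE_ADDR + HTTP_USER_AGENT key the answer suggests while taking Armage's proxy point seriously. The `TRUSTED_PROXIES` list, the secret, the function names and the sample requests are all assumptions.

```php
<?php
// Added example (not the answer's code). Assumptions: the proxy list, the
// secret, the function names and the constructed sample requests below.

// Assumption: addresses of reverse proxies you operate. X-Forwarded-For is
// honoured only when the direct peer is one of these; from anyone else it is
// a client-controlled header that can say anything, so it is ignored.
const TRUSTED_PROXIES = ['10.0.0.5'];

function clientIp(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Walk the chain from the right: the first hop that is not one of our
        // proxies is the address our own proxy actually saw.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        for ($i = count($hops) - 1; $i >= 0; $i--) {
            if (!in_array($hops[$i], $trustedProxies, true)) {
                $remote = $hops[$i];
                break;
            }
        }
    }
    // Anything that is not a syntactically valid address is treated as unknown.
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '';
}

function fallbackVisitorKey(array $server, string $secret): string
{
    $ip = clientIp($server);
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    // Keyed hash: the store holds an opaque key rather than the raw IP/UA pair,
    // and nobody without the secret can precompute keys for known addresses.
    return hash_hmac('sha256', $ip . "\n" . $ua, $secret);
}

// Constructed sample requests (not real traffic) showing the effect.
$secret = 'replace-with-a-random-secret-from-config';

$direct = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_USER_AGENT' => 'ExampleUA/1.0'];

// Same client, but the request arrived through our proxy.
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.10, 10.0.0.5',
    'HTTP_USER_AGENT'      => 'ExampleUA/1.0',
];

// A stranger sending a forged X-Forwarded-For straight to the server:
// the header is ignored and their own address is used.
$forged = [
    'REMOTE_ADDR'          => '198.51.100.7',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.10',
    'HTTP_USER_AGENT'      => 'ExampleUA/1.0',
];

var_dump(clientIp($direct), clientIp($viaProxy), clientIp($forged));
var_dump(fallbackVisitorKey($direct, $secret) === fallbackVisitorKey($viaProxy, $secret));
var_dump(fallbackVisitorKey($direct, $secret) === fallbackVisitorKey($forged, $secret));
```

Run as written, the direct and via-proxy requests resolve to the same address and the same key, while the forged request resolves to its own REMOTE_ADDR and gets a different key. Store the key with a last-seen timestamp and apply the same 30-minute inactivity rule as the session code. Treat the result as a coarse grouping, not a session: everyone behind one NAT running the same browser build shares a key, and the key changes the moment the browser updates its User-Agent.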

This is possible to achieve if you use ETags. There is an article here which describes how it works:

http://lucb1e.com/rp/cookielesscookies/

ETags are persistent across browser incognito sessions - however you should continually update the session as it can be lost when you close the window and reopen it.

I should add that there are ethical conundrums with this (but I have no source).

bashaus

Unfortunately, I cannot comment, so I'm just posting this link here:

https://panopticlick.eff.org

On this site you can see all the information that is leaked by your browser. They are using JavaScript for some data, but that should not be a problem as most users have JavaScript enabled anyway.

Jonas Felber