6

I understand that PHP stores a user's session id in a cookie called "PHPSESSID" which is stored in the client's browser and is matched against the session on the server to be able to relate the 2. After closing the browser the session info dissapears but the cookie on the client remains. Is it possible to use this cookie to restore the old session? Or does all the session data get deleted from the server the moment the client closes their browser?

I had this on my page first:

session_start();
$_SESSION['message'] = 'Hello';

echo $_SESSION['message']; // outputs hello

then I changed the page to:

$old_session = session_id();
session_id($old_session);
session_start();

echo $_SESSION['message'];

Then I closed the browser and reopened it to this page and got these errors:

Warning: session_start() [function.session-start]: The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in C:\xampp\htdocs\localhost\test.php on line 5

Notice: Undefined index: message in C:\xampp\htdocs\localhost\test.php on line 7

How exactly does one retrieve old session info after closing the browser, is it even possible?

dgund
  • 3,459
  • 4
  • 39
  • 64
  • 1
    `After closing the browser the session info dissapears but the cookie on the client remains.` --- it is not correct. In most cases session id cookie life is set to "before browser isn't closed". `$old_session = session_id(); session_id($old_session);` --- this code makes no sense – zerkms Jan 12 '12 at 21:58
  • http://php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime – j08691 Jan 12 '12 at 21:59
  • Unless you're peering through the user's window, your server will have no idea when he closes his browser (AJAX won't guarantee it either). The server just deletes session data that is considered "old". – webbiedave Jan 12 '12 at 22:07
  • Have you echoed out `$old_session` to see what it contains? Given you got it directly from session_id(), it's very odd that you can't feed it back in. – Marc B Jan 12 '12 at 22:08
  • The following link gave me the best answer for this question. https://stackoverflow.com/questions/5352583/can-i-restore-a-php-session-by-its-id – Altimus Prime May 23 '17 at 14:46

4 Answers4

7

The accepted answer here should not be accepted. You most certainly can recover a session so long as it has not been cleared yet. It really is this simple.

<?php
   session_id($the_id_of_the_session_you_want_to_reopen);
   session_start();
?>

I found the answer here.

Altimus Prime
  • 2,207
  • 2
  • 27
  • 46
  • Old question but I would add that you CAN recover a session even after it was started as long as you call session_start(); before session_id($id); session_start(); This answer saved my day. – Paulo Lima Jun 23 '18 at 23:04
  • Perfect. I've set a cookie with a long expiration, and now my session restores perfectly each time. Beware for browser settings that clear cookies on shutdown! – Jacob Bruinsma May 13 '21 at 21:20
4

A session does exactly what it says on the tin - exists for the duration of the client's session. A browsing session by definition (such as there is one) ends when you close the browser.

Cookie-based sessions work by setting a cookie that has a lifetime defined in PHP as 0 - this means that the browser should destroy the cookie when the browser is closed. Once the cookie has been destroyed, the session ID is not sent in any subsequent server requests, so the session data will not be available in your PHP script.

However, the session data is not destroyed at the server side at the moment the user closes the browser, as you suggested - this is impossible, because the client does not notify the server that it has been closed. Instead, the session data at the server side has a TTL (time-to-live) which has a default value of 15 minutes. After this has expired, the data may be deleted at any time by the session garbage collector. In theory this could be some considerable time, but in practice on a busy server the data will be deleted within a couple of minutes of the TTL expiring.

However, PHP cannot make the session data available unless it has the session ID, and it will not have the session ID if the cookie has been destroyed, which as I say, should happen when the user closes their browser.

So the short answer to the question How can I restore a PHP session? is: You can't

DaveRandom
  • 87,921
  • 11
  • 154
  • 174
  • 2
    I see, it's good to know that the server data is not deleted when the browser closes. I was able to work around the restoring need by creating another cookie and storing the current session_id() in it. Then when the browser was reopened I did session_id($_COOKIE['old_session']); and was able to get the prior session info back. –  Jan 12 '12 at 22:33
2

This may or may not be an answer you are looking for.

As far as I know, you can't "restore" a session based on the session cookie. What I do is store a cookie with the client's id, username, and password, salted and hashed. I also store another with their id. I check for both cookies when they visit the site, then validate them against each other, then log them in automatically. While this doesn't "restore" their session, it allows them to stay logged in on my site when if they closed the browser. This was how I figured to do it, and I figure if someone did hijack or view another user's cookies, it would be near impossible to decrypt with the salt I used. The only information they would gain is the user's id.

Tim Withers
  • 12,072
  • 5
  • 43
  • 67
  • 1
    Why not? The session ID is the value stored in the cookie. The session cookie's name is `session_name()`, and the value stored in it is `session_id()`. – Marc B Jan 12 '12 at 22:07
  • I just have never done it that way because I figured sessions are deleted off the server too soon (maybe a few hours or so of inactivity, unless I was to change the settings), and using a cookie method would allow the original session to be deleted but remain logged in. – Tim Withers Jan 12 '12 at 22:10
  • 1
    the php session cookie doesn't store anything but the session id. if the session file's gone, then the session is gone and a new file will be created, leaving a blank session. – Marc B Jan 12 '12 at 22:25
  • 1
    If you keep the user id and (salted) password in cookies on the client, then it's not very difficult for someone else to fake that information and log in that way. You do not need the plaintext password for it. It's better to store only user id and session id, and match the user id from the cookie with the one in the session. In case of a mismatch the session should be invalidated, so any hacker gets only one chance per session. – Arjan Jan 12 '12 at 23:48
1

session_start set's a cookie.

the cookie has a param cookie-lifetime

by default the cookie lifetime is set to 0

0 means until browser closed

David Chan
  • 7,347
  • 1
  • 28
  • 49