0

When a user returns to my website, it attempts to restore their last session from the $_COOKIE associative array. It's not working as expected. I can look in my browser's cookie manager and see that the cookies are there, but they don't seem to be getting saved to the $_SESSION associative array.

This is essentially the program flow when a user returns to my site:

```php
foreach ( $_COOKIE as $name => $val )
{
  $_SESSION[$name] = $val;
}

session_start();

...

$some_var = $_SESSION[$var_name];
```

Do I have things out of order, or should I not be overwriting PHPSESSID? Any insight as to what I'm doing wrong would be appreciated. Thanks.

Jim Fell
  • You have this completely wrong. The *only* thing you need to do is call `session_start()` - forget about the `$_COOKIE`s, PHP does all of this for you. – DaveRandom Jan 31 '12 at 22:26
  • So, I manually save cookies (`setcookie`), and `session_start` will automatically save them back into the `$_SESSION` associative array? – Jim Fell Jan 31 '12 at 22:28
  • You shouldn't need to `setcookie()` - calling `session_start()` automatically sets the cookie for you. – DaveRandom Feb 01 '12 at 08:45

2 Answers

2

You're getting sessions and cookies mixed up. You don't need to put things into the $_COOKIE array. Just use session_start() and then put things into $_SESSION. PHP will automatically then manage the session/cookie for you.

$_COOKIE variables are stored on the user's browser, so they aren't secure and can be manipulated by the user => security risk.

$_SESSION variables are stored only on the server. The only thing stored in the cookie is a session_id, so $_SESSION variables can't be manipulated.

Does that make sense?

Mark
  • I understand the difference between $_COOKIE and $_SESSION. How does PHP know to restore the session data when a user returns to the site? Let's say he logs on to my website at some point, shuts down his computer, and returns to the site the next day. How does it know to restore his login information, so that he doesn't have to log in again? – Jim Fell Jan 31 '12 at 22:38
  • I think if you specify the lifetime using `session_set_cookie_params()` then you can specify how long the session will last for. By default it's until the browser is closed. Also if you're storing sessions for a while then check the PHP sessions garbage collecting settings. Even if the cookie is valid, PHP might have cleared the session file off the server. – Mark Jan 31 '12 at 22:42
  • I decided to defer this feature to a later version of the application. I'm accepting your answer for now because it makes the most sense and has the most up-votes. Thanks. – Jim Fell Feb 02 '12 at 17:50
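
The approach discussed in the answer and comments above, as an added example that is not part of the original thread: `session_start()` runs before any access to `$_SESSION`, the cookie carries only the session ID, and the cookie lifetime is matched by the server-side garbage-collection lifetime. The 14-day value, the `user_id` key and the function names are assumptions for illustration; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Assumed value for this example: keep a login for 14 days.
const REMEMBER_SECONDS = 14 * 24 * 60 * 60;

function start_persistent_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Server side: keep session data at least as long as the cookie lives,
    // otherwise garbage collection can delete the data behind a valid cookie.
    ini_set('session.gc_maxlifetime', (string) REMEMBER_SECONDS);
    // Refuse session IDs that this server did not issue.
    ini_set('session.use_strict_mode', '1');

    // Client side: the cookie holds nothing but the session ID.
    session_set_cookie_params([
        'lifetime' => REMEMBER_SECONDS, // 0 means "until the browser closes"
        'path'     => '/',
        'secure'   => true,  // sent over HTTPS only
        'httponly' => true,  // not readable from JavaScript
        'samesite' => 'Lax',
    ]);

    // Must run before any read or write of $_SESSION.
    session_start();
}

function log_in(int $userId): void
{
    session_regenerate_id(true);    // fresh ID when the privilege level changes
    $_SESSION['user_id'] = $userId; // written by the server, never copied from $_COOKIE
}

function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

start_persistent_session();
if (current_user_id() === null) {
    log_in(42); // constructed demo value; stands in for a successful password check
}
echo 'user: ', current_user_id(), PHP_EOL;
```

On a later visit the browser sends the session ID back, `session_start()` reloads the stored data, and `current_user_id()` returns the saved value without any `$_COOKIE` handling in application code.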
1

Put session_start() before anything else; this function initializes the session data that you will be accessing in $_SESSION.

Not exactly sure what you're trying to achieve with the rest of it all, but session_start() first is a starting point...

jcmeloni
  • How does PHP know to restore the session data when a user returns to the site? Let's say he logs on to my website at some point, shuts down his computer, and returns to the site the next day. How does it know to restore his login information, so that he doesn't have to log in again? – Jim Fell Jan 31 '12 at 22:39
  • @JimFell It doesn't; sessions are for browser sessions, and cookies for whatever time period you set them for. You can use them in coordination with each other, of course. – jcmeloni Jan 31 '12 at 22:43