How to restore a PHP session?


Solution 1

A session does exactly what it says on the tin - exists for the duration of the client's session. A browsing session by definition (such as there is one) ends when you close the browser.

Cookie-based sessions work by setting a cookie that has a lifetime defined in PHP as 0 - this means that the browser should destroy the cookie when the browser is closed. Once the cookie has been destroyed, the session ID is not sent in any subsequent server requests, so the session data will not be available in your PHP script.

However, the session data is not destroyed at the server side at the moment the user closes the browser, as you suggested - this is impossible, because the client does not notify the server that it has been closed. Instead, the session data at the server side has a TTL (time-to-live) which has a default value of 15 minutes. After this has expired, the data may be deleted at any time by the session garbage collector. In theory this could be some considerable time, but in practice on a busy server the data will be deleted within a couple of minutes of the TTL expiring.

However, PHP cannot make the session data available unless it has the session ID, and it will not have the session ID if the cookie has been destroyed, which as I say, should happen when the user closes their browser.

So the short answer to the question "How can I restore a PHP session?" is: You can't.

Solution 2

The accepted answer here should not be accepted. You most certainly can recover a session so long as it has not been cleared yet. It really is this simple.

<?php
   session_id($the_id_of_the_session_you_want_to_reopen);
   session_start();
?>

I found the answer here.
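An added example, not part of the answer above or of PHP itself: when the ID handed to `session_id()` comes from the client, a defensive version checks its format first (which also avoids the "illegal characters" warning quoted in the question), confirms the session already holds data this application wrote, and issues a fresh ID after resuming. The function name `resume_session` and the `uid` marker key are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Resume an existing session from a caller-supplied ID.
 * Hypothetical helper; 'uid' is an assumed key that the login code sets.
 */
function resume_session(string $candidate): bool
{
    // Reject anything that is not a plausible session ID before PHP sees it.
    // Characters are the ones PHP's warning lists; 22-256 is the range that
    // session.sid_length allows.
    if (!preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $candidate)) {
        return false;
    }

    // Strict mode: PHP does not accept an uninitialized session ID.
    ini_set('session.use_strict_mode', '1');

    session_id($candidate);
    session_start();

    // An ID with no server-side data gives an empty session. Treat that as
    // "nothing to restore" so a client cannot pick its own ID (fixation).
    if (!isset($_SESSION['uid'])) {
        session_unset();
        session_destroy();
        return false;
    }

    // Replace the restored ID with a fresh one and delete the old session data.
    session_regenerate_id(true);
    return true;
}
```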

Solution 3

This may or may not be an answer you are looking for.

As far as I know, you can't "restore" a session based on the session cookie. What I do is store a cookie with the client's id, username, and password, salted and hashed. I also store another with their id. I check for both cookies when they visit the site, then validate them against each other, then log them in automatically. While this doesn't "restore" their session, it allows them to stay logged in on my site even if they closed the browser. This was how I figured to do it, and I figure if someone did hijack or view another user's cookies, it would be near impossible to decrypt with the salt I used. The only information they would gain is the user's id.
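An added example, not the answer author's code: a persistent-login cookie that carries a random, single-use token instead of anything derived from the password, with only a hash of the secret half kept on the server. The `$store` array stands in for a database table, and the function names and token layout are assumptions.

```php
<?php
declare(strict_types=1);

// $store stands in for a database table keyed by selector (assumed layout).

/** Create a token, record its hash, and return the cookie value. */
function issue_remember_token(array &$store, int $userId, int $ttl = 2592000): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret half, never stored in clear
    $store[$selector] = [
        'uid'     => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + $ttl,
    ];
    return $selector . ':' . $validator;
}

/** Return ['uid' => int, 'cookie' => string] on success, null otherwise. */
function redeem_remember_token(array &$store, string $cookie): ?array
{
    if (!preg_match('/\A([0-9a-f]{18}):([0-9a-f]{64})\z/', $cookie, $m)) {
        return null;
    }
    $row = $store[$m[1]] ?? null;
    if ($row === null) {
        return null;
    }
    // Single use: the record is deleted whether or not the validator matches,
    // so a guess against a known selector gets exactly one attempt.
    unset($store[$m[1]]);
    $ok = hash_equals($row['hash'], hash('sha256', $m[2]));
    if (!$ok || $row['expires'] < time()) {
        return null;
    }
    // Rotate: hand back a fresh token for the next visit.
    return ['uid' => $row['uid'], 'cookie' => issue_remember_token($store, $row['uid'])];
}

// Constructed demonstration with an in-memory store and a made-up user id.
$store  = [];
$cookie = issue_remember_token($store, 42);
$first  = redeem_remember_token($store, $cookie);
$replay = redeem_remember_token($store, $cookie); // same token presented again
var_dump($first['uid'], $replay === null);
```

On a successful redeem, send the returned value back with `setcookie()` using the `secure` and `httponly` options, then call `session_regenerate_id(true)` before writing the user id into `$_SESSION`.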

Solution 4

session_start sets a cookie.

the cookie has a param cookie-lifetime

by default the cookie lifetime is set to 0

0 means until browser closed
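An added example, not part of the answers above: giving the session cookie a non-zero lifetime so the browser keeps the ID across restarts, with the server-side TTL raised to match and expiry enforced in code because garbage collection timing is not exact. It assumes PHP 7.3 or later and an HTTPS site; the helper name, the 14-day value and the `last_seen` key are assumptions.

```php
<?php
declare(strict_types=1);

const SESSION_LIFETIME = 1209600; // 14 days in seconds, an assumed policy value

/**
 * Start a session whose cookie survives a browser restart.
 * Hypothetical helper; 'last_seen' is an assumed bookkeeping key.
 */
function start_persistent_session(): void
{
    // Keep server-side data at least as long as the cookie, otherwise the
    // garbage collector may remove it while the browser still holds the ID.
    ini_set('session.gc_maxlifetime', (string) SESSION_LIFETIME);
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => SESSION_LIFETIME, // 0 would mean "until the browser closes"
        'path'     => '/',
        'secure'   => true,             // cookie is only sent over HTTPS
        'httponly' => true,             // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    // Stale data may still be on disk after the TTL, so check the age here
    // instead of relying on the garbage collector having run.
    $lastSeen = $_SESSION['last_seen'] ?? null;
    if ($lastSeen !== null && time() - $lastSeen > SESSION_LIFETIME) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = time();
}
```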


Author: dgund

https://dgund.com

Updated on June 04, 2022

Comments

  • dgund
    dgund almost 2 years

    I understand that PHP stores a user's session id in a cookie called "PHPSESSID" which is stored in the client's browser and is matched against the session on the server to be able to relate the 2. After closing the browser the session info disappears but the cookie on the client remains. Is it possible to use this cookie to restore the old session? Or does all the session data get deleted from the server the moment the client closes their browser?

    I had this on my page first:

    session_start();
    $_SESSION['message'] = 'Hello';
    
    echo $_SESSION['message']; // outputs hello
    

    then I changed the page to:

    $old_session = session_id();
    session_id($old_session);
    session_start();
    
    echo $_SESSION['message'];
    

    Then I closed the browser and reopened it to this page and got these errors:

    Warning: session_start() [function.session-start]: The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in C:\xampp\htdocs\localhost\test.php on line 5
    
    Notice: Undefined index: message in C:\xampp\htdocs\localhost\test.php on line 7
    

    How exactly does one retrieve old session info after closing the browser, is it even possible?

    • zerkms
      zerkms over 12 years
      After closing the browser the session info disappears but the cookie on the client remains. --- it is not correct. In most cases session id cookie life is set to "before browser isn't closed". $old_session = session_id(); session_id($old_session); --- this code makes no sense
  • Marc B
    Marc B over 12 years
    Why not? The session ID is the value stored in the cookie. The session cookie's name is session_name(), and the value stored in it is session_id().
  • Tim Withers
    Tim Withers over 12 years
    I just have never done it that way because I figured sessions are deleted off the server too soon (maybe a few hours or so of inactivity, unless I was to change the settings), and using a cookie method would allow the original session to be deleted but remain logged in.
  • Marc B
    Marc B over 12 years
    the php session cookie doesn't store anything but the session id. if the session file's gone, then the session is gone and a new file will be created, leaving a blank session.
  • Admin
    Admin over 12 years
    I see, it's good to know that the server data is not deleted when the browser closes. I was able to work around the restoring need by creating another cookie and storing the current session_id() in it. Then when the browser was reopened I did session_id($_COOKIE['old_session']); and was able to get the prior session info back.
  • Arjan
    Arjan over 12 years
    If you keep the user id and (salted) password in cookies on the client, then it's not very difficult for someone else to fake that information and log in that way. You do not need the plaintext password for it. It's better to store only user id and session id, and match the user id from the cookie with the one in the session. In case of a mismatch the session should be invalidated, so any hacker gets only one chance per session.
  • Paulo Lima
    Paulo Lima almost 6 years
    Old question but I would add that you CAN recover a session even after it was started as long as you call session_start(); before session_id($id); session_start(); This answer saved my day.
  • Jacob Bruinsma
    Jacob Bruinsma almost 3 years
    Perfect. I've set a cookie with a long expiration, and now my session restores perfectly each time. Beware of browser settings that clear cookies on shutdown!