https://security.stackexchange.com/questions/87269/how-is-the-session-id-sent-securely
The server creates the session: it creates a session file named by the session ID, stores the needed information (token, etc.) in that file, and then instructs the browser to set a cookie holding the session ID.
During the subsequent HTTPS communication the browser adds the session ID to the request header for the server to fetch:
Cookie: [Token]; [Other cookies]
The cookie and the session file have different expiry times.
The cookie expiry is set by the server:
https://stackoverflow.com/questions/13154552/how-can-i-set-a-cookie-with-expire-time
var now = new Date();
now.setTime(now.getTime() + 60 * 60 * 1000); // expire one hour from now (definition of `now` added; the original omitted it)
document.cookie = 'cookie=ok; expires=' + now.toUTCString() + '; path=/';
// console.log(now.toUTCString()); // e.g. 'Wed, 31 Oct 2012 08:50:17 UTC'
Removal of the server-side session file (session ID expiry) is done through server configuration and differs between programming languages.
For PHP:
https://stackoverflow.com/questions/2327681/how-does-a-server-judge-a-session-to-be-expired-and-how-can-the-expiry-time-be-c
First of all, don't confuse cookie settings (which are client-side) and garbage collection (which is server-side). Cookie settings only affect the expiration of the session_id. Session data may still exist on the server even if the browser has removed the cookie and, on the contrary, the server can remove the data while the session_id is still remembered by the browser.
The cookie can be set to expire when you close the browser or at a specific date and time (I believe the default option is the first one, but I'd have to check it). In both cases, if the user interacts with the site the cookie will remain valid since it's renewed on each response.
Session data is removed when the garbage collection is launched, but you must take into account that:
- The garbage collection is started randomly, triggered by a page request.
- It removes session data not modified in more than gc_maxlifetime seconds.
By default, session data is stored in files and PHP doesn't track what site owns what files. That means that storing sessions in the default shared location makes you lose control on session expiration: the site that's configured to keep session data for the shortest time is likely to remove data from other sites with longer time.
To sum up, if you want full control on your data lifetime you need to store session data in a private directory, e.g.:
<?php
session_save_path('/home/foo/sessions');      // private directory: only this site's GC touches these files
ini_set('session.gc_maxlifetime', 3*60*60);   // 3 hours of inactivity before GC may remove the data
ini_set('session.use_only_cookies', TRUE);    // never accept a session ID from the URL
session_start();
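To make the two independent lifetimes concrete, here is an added example (not from the original post or the quoted answer) that models the server side in Python rather than PHP: a session store swept like PHP's garbage collector, a Set-Cookie builder for the server-chosen cookie expiry, and the Cookie-header parsing a request handler does. The class, function and cookie names (PHPSESSID, handle_request, etc.) and the timestamps are assumptions for the demonstration.

```python
import secrets
from email.utils import formatdate

class SessionStore:
    """Server side: session records keyed by ID, swept like PHP's GC."""
    def __init__(self, gc_maxlifetime=3 * 60 * 60):  # session.gc_maxlifetime
        self.gc_maxlifetime = gc_maxlifetime
        self.records = {}  # session_id -> {"data": ..., "mtime": ...}

    def create(self, data, now):
        sid = secrets.token_hex(16)  # 128-bit random session ID
        self.records[sid] = {"data": dict(data), "mtime": now}
        return sid

    def gc(self, now):
        """Remove records not modified in more than gc_maxlifetime seconds."""
        stale = [s for s, r in self.records.items()
                 if now - r["mtime"] > self.gc_maxlifetime]
        for s in stale:
            del self.records[s]
        return len(stale)

    def lookup(self, sid, now):
        """Check the record's age on read instead of trusting that GC ran."""
        rec = self.records.get(sid)
        if rec is None or now - rec["mtime"] > self.gc_maxlifetime:
            return None
        rec["mtime"] = now  # sliding expiry: activity renews the session
        return rec["data"]

def set_cookie_header(name, value, expires_at):
    """Server-chosen cookie lifetime, independent of the server-side record."""
    return (f"{name}={value}; Expires={formatdate(expires_at, usegmt=True)}; "
            "Path=/; Secure; HttpOnly")

def parse_cookie_header(value):
    """Parse the Cookie header value 'a=1; b=2' into a dict."""
    cookies = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            cookies[k] = v
    return cookies

def handle_request(store, cookie_value, now, name="PHPSESSID"):
    """Server view of one request: 'ok', 'expired' or 'no-cookie'."""
    sid = parse_cookie_header(cookie_value).get(name)
    if sid is None:
        return "no-cookie"
    return "ok" if store.lookup(sid, now) is not None else "expired"
```

Because `lookup` checks the record's age itself, a request that arrives after gc_maxlifetime seconds of inactivity is rejected even though the browser still presents a valid cookie and GC has not yet deleted the file.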