How do PHP apps identify a user after the session has timed out?
Posted by Bill Zimmerman on Stack Overflow
Published on 2010-03-30T18:13:28Z
I am trying to understand how PHP apps check to see if a user is logged in. I am specifically looking at MediaWiki's code to try to help me understand, but these cases should be fairly common in all PHP apps.
From what I gather, the main cases are:
A user just logged in or was created; every time they visit the page, PHP knows it's them by checking data common to the $_SESSION variable and the cookie.
A user had the 'remember me' option checked on the login page a long time ago. They have a cookie on their computer with a tokenID, which is checked with a token on the server to authenticate them. In this case, there is no session variable, because the time between accesses could be weeks.
My question is, what happens when a user is logged in, but the PHP session times out and he wants to access a page? I would have assumed that there is no easy way for the server to know who the person is - and that they would have to be redirected to the login page.
However, MediaWiki does just that. I've verified that the session files are deleted after X minutes, but when I hit refresh in MediaWiki, it knows which user I am, and the 'token' variable is not included in the cookie.
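The two cases listed in the question, plus the expired-session case, as an added example that is not part of the original post and is not MediaWiki's code. The function names, the `remember` cookie name and the in-memory `$tokenStore` (standing in for a server-side table) are assumptions made for illustration.

```php
<?php
// Hypothetical store layout:
//   selector => ['user_id' => int, 'token_hash' => sha256 hex, 'expires' => unix time]

function issueRememberToken(array &$tokenStore, int $userId, int $ttl = 1209600): string
{
    $selector = bin2hex(random_bytes(9));    // public lookup key
    $token    = bin2hex(random_bytes(32));   // secret, known only to the browser
    $tokenStore[$selector] = [
        'user_id'    => $userId,
        'token_hash' => hash('sha256', $token),  // the server keeps only the hash
        'expires'    => time() + $ttl,
    ];
    return $selector . ':' . $token;         // value for the long-lived cookie
}

function identifyUser(array &$session, array $cookies, array &$tokenStore): ?int
{
    // Case 1: the session is still alive, so it already names the user.
    if (isset($session['user_id'])) {
        return $session['user_id'];
    }
    // Case 2, and the timed-out session: fall back to the persistent cookie.
    $raw = $cookies['remember'] ?? '';
    $parts = is_string($raw) ? explode(':', $raw, 2) : [];
    if (count($parts) !== 2 || !isset($tokenStore[$parts[0]])) {
        return null;                         // nothing to go on: send to login
    }
    [$selector, $token] = $parts;
    $row = $tokenStore[$selector];
    unset($tokenStore[$selector]);           // single use, even when the check fails
    $valid = $row['expires'] >= time()
        && hash_equals($row['token_hash'], hash('sha256', $token)); // constant-time compare
    if (!$valid) {
        return null;
    }
    $session['user_id'] = $row['user_id'];   // rebuild the session from the token
    return $row['user_id'];
}

// Constructed demo: log in with "remember me", lose the session, then return.
$store   = [];
$cookies = ['remember' => issueRememberToken($store, 42)];
$expired = [];                               // the session file has been deleted
var_dump(identifyUser($expired, $cookies, $store)); // identified from the cookie
$replay = [];
var_dump(identifyUser($replay, $cookies, $store));  // same cookie again: token is spent
```

In an application, pass `$_SESSION` and `$_COOKIE`, call `session_regenerate_id(true)` after a successful restore, and set a fresh cookie from `issueRememberToken()` so the spent token is replaced.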
© Stack Overflow or respective owner