How do PHP apps identify a user after the session has timed out?

Posted by Bill Zimmerman on Stack Overflow
Published on 2010-03-30T18:13:28Z Indexed on 2010/03/30 18:23 UTC

I am trying to understand how PHP apps check to see if a user is logged in. I am specifically looking at MediaWiki's code to try to help me understand, but these cases should be fairly common in all PHP apps.

From what I gather, the main cases are:

  1. A user just logged in or was created. Every time they visit the page, PHP knows it's them by checking data common to the $_SESSION variable and the cookie.

  2. A user had the 'remember me' option checked on the login page a long time ago. They have a cookie on their computer with a tokenID, which is checked with a token on the server to authenticate them. In this case, there is no session variable, because the time between accesses could be weeks.

My question is, what happens when a user is logged in, but the PHP session times out and he wants to access a page? I would have assumed that there is no easy way for the server to know who the person is - and that they would have to be redirected to the login page.

However, MediaWiki does just that. I've verified that the session files are deleted after X minutes, but when I hit refresh in MediaWiki, it knows which user I am, and the 'token' variable is not included in the cookie.
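
The 'remember me' check described in case 2, written out as an added example; it is not part of the original post and is not MediaWiki's code. The function names, the `selector:validator` cookie layout and the in-memory `$store` array (standing in for a database table) are assumptions made for illustration.

```php
<?php
// Constructed in-memory store standing in for a database table:
// selector => ['user' => ..., 'hash' => ..., 'expires' => ...]
$store = [];

// At login with "remember me" checked: create the cookie value "selector:validator".
function issue_token(array &$store, string $user, int $ttl = 2592000): string {
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret half, only ever held by the browser
    $store[$selector] = [
        'user'    => $user,
        'hash'    => hash('sha256', $validator), // server keeps the hash, never the validator
        'expires' => time() + $ttl,
    ];
    return $selector . ':' . $validator;
}

// Called when the request carries the cookie but no live session exists.
// Returns [user, replacement cookie value] on success, null otherwise.
function login_from_cookie(array &$store, string $cookie): ?array {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;                          // malformed cookie or unknown selector
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);                 // single use: dropped after any attempt
    if ($row['expires'] < time()) {
        return null;                          // token too old
    }
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;                          // constant-time comparison failed
    }
    // Success: the application would now call session_regenerate_id(true),
    // store the user in $_SESSION and send the rotated value with setcookie().
    return [$row['user'], issue_token($store, $row['user'])];
}

// Constructed demo, runnable from the PHP command line.
$cookie = issue_token($store, 'alice');
[$user, $next] = login_from_cookie($store, $cookie);
var_dump($user);                                       // user recovered from the cookie
var_dump(login_from_cookie($store, $cookie));          // same cookie value presented again
var_dump(login_from_cookie($store, $next . 'tampered')); // rotated value with altered validator
```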

© Stack Overflow or respective owner
