
saving session info for long periods

hi guys, does anyone have a reliable way of tracking a web site visitor if they always use the same pc?

i’m thinking i could track their activity by i.p. address until they register as an official member, so i could automatically customize the site to each user, and then when they register i’d simply overwrite their i.p.-based username with the one they register with.

is ip based tracking more reliable than using php sessions?

i think i read that some sites like aol sometimes change i.p. addresses from page to page for the same user, and i know that where i work we all go through a proxy, so we all seem to be the same person based on i.p. alone.

i’m not concerned about them using two separate pc’s like one at work and one at home.

just whether ip tracking would be better, or perhaps i could somehow make their original session last for a month or so, i assume they’d register within that time frame?

any suggestions? pros and cons?

by the way the tracking would simply be an array of categories like [php,css,javascript,dhtml,gardening,cooking] you get the idea, each user would get the same array of categories but as they interact with the site the array would re-arrange itself so that the areas they use most move to the front of the array, and the page would display content vertically down the page with the categories they use appearing closer to the top of the page i.e. the category order in the array would determine how the content based on categories are displayed vertically down the page.

@BIOSTALL Apr 13.2010 — If I were you I'd look at using Cookies. Cookies can last until a certain date (even never expire if you wanted) or until they are deleted by the user. Sessions are only intended for short usage and IP addresses are too unreliable. Like you say multiple people on a network appear with the same public IP address and people on dynamic IP addresses get a new one every day.

The only problem is if someone has cookies disabled, but I still think it's the best way to track the most visitors.

Hope that helps!
@PierceMoore Apr 13.2010 — ...but cookies are incredibly insecure. Easily readable by any website.

PHP sets a timeout for sessions, that you can alter in php.ini. Remember, however, that making PHP sessions last longer leads to less secure code no matter what you do.

[B]Possible solution:[/B]

Set a timer in the session that will save the user's session details in a database, and automatically clear out those details if the time limit has been reached.

Thoughts?
@Mindzai Apr 13.2010 — [quote]...but cookies are incredibly insecure.[/quote]

No they are not inherently insecure, but even if they were, that would only matter if you store sensitive information in the cookie. There is no requirement to do that here.

[quote]Easily readable by any website.[/quote]

Unless the client is doing some very shady stuff, the only cookies that will be readable by a given site are those which were set by the same site. This is often an issue when the user's session cookie is the target, but in this case as long as the cookie contains only generic site customization options there is no issue even if the cookie is stolen by another user (and XSS attacks should be prevented anyway as a matter of good practice).

[quote]PHP sets a timeout for sessions, that you can alter in php.ini. Remember, however, that making PHP sessions last longer leads to less secure code no matter what you do.[/quote]

The default value for this setting is 0, or unlimited, so you won't get any benefit from adjusting it. Also there is nothing inherent in a session's length which leads to less secure code.

@OP - Presumably you want to persist the settings between requests, but it is not critical that any settings information is provided (as you provide defaults) - this seems like the ideal situation for a cookie.
@bsmbahamas (author) Apr 13.2010 — [QUOTE]No they are not inherently insecure, but even if they were, that would only matter if you store sensitive information in the cookie. There is no requirement to do that here.



Unless the client is doing some very shady stuff, the only cookies that will be readable by a given site are those which were set by the same site. This is often an issue when the user's session cookie is the target, but in this case as long as the cookie contains only generic site customization options there is no issue even if the cookie is stolen by another user (and XSS attacks should be prevented anyway as a matter of good practice).



The default value for this setting is 0, or unlimited, so you won't get any benefit from adjusting it. Also there is nothing inherent in a session's length which leads to less secure code.

@OP - Presumably you want to persist the settings between requests, but it is not critical that any settings information is provided (as you provide defaults) - this seems like the ideal situation for a cookie.[/QUOTE]


i know that you should not store sensitive info in cookies. but cookies do seem like the best way to go.

but are you saying that the default php sessions is unlimited, and would still be active the next time they come back to my site?

what i'm trying to do is use a cookie or session to generate a unique username(since they have not registered yet) but i want it to remember them when they come back even if it is a week or two later. i know they can clear their cookies but what about sessions, are you saying that his session will remain active a week later, so he'd have the same session id when he came back?

i could easily have the script convert his i.p. address into a valid filename by replacing the dots with underscores, and using that file to remember his preferences whenever he came back, except that some i.p.'s are not reliable.

i could go the cookie route and hope they don't delete the cookie

or i could go the sessions route and probably identify them by the session id number, but only if the session will last for a couple weeks.

it's not of major importance and since the cookie will tag their local system and be retrieved when they come back that would suffice - i really only need to store a unique user id.

so perhaps i could generate a random 12-16 digit number and store that in the cookie as their temporary user id, i'd then create a preference file on my server to keep track of their preferences, so the cookie need *only* store the generated user id so i can identify them when they come back again, and when they decide to register it would simply rename their preference file to match their chosen username.

do php sessions store data on the visitors computer the way cookies do?

i'm very curious about how sessions work, i know they form a unique id and then keep passing it on but that's about it.
@Mindzai Apr 13.2010 — The unlimited session length setting determines how long PHP will keep a session active for - but that is only the server side of the equation. Since HTTP is a stateless protocol (ie, there is no built-in way of persisting information between requests), sessions work by sending a cookie to the client containing a session id. This cookie is then sent back to the server by the client along with any subsequent HTTP requests, and PHP can examine the cookie and tie a user up to their session data. However, clients will only keep these session cookies as long as they deem necessary. Usually, for web browsers, this is until the user closes the browser or tab. Some clients, including browsers such as firefox, can be configured to save your sessions when you close them, but generally once the user closes their browser or browser tab, session cookies will be deleted, and so when they come to your site again they will get a new session cookie and the whole process starts again.

If you set a time limit on the session via php.ini, then when this time limit expires (ie, when x seconds has passed since the session cookie was initially set), PHP will delete the session irrespective of whether the client tries to keep the session going or not.

Hopefully that helps you understand how it works a little, but the short answer is that no, session data will not be available every time the user visits your site. Cookies which you set (ie, not session cookies) however will be available, as long as the user has not deleted them.

If you want to assign a temporary username, you really have to consider this as just that, temporary. You can't rely on the cookie being present. If your system relies on being able to identify users consistently, you have no option but to force them to register.

Regarding your idea of storing user's data in a file - personally I would not bother. The cookie itself is already a text file, I'd just store the data there and be done with it (as long as it is nothing more sensitive than a username). This is also safer - if I want to access the temporary identity of any user I just have to make a cookie with the right id. Granted in reality you can mitigate this by generating unguessable ids, but you still have to write extra code and have extra hassle for no added benefit.
@bsmbahamas (author) Apr 13.2010 — [QUOTE]The unlimited session length setting determines how long PHP will keep a session active for - but that is only the server side of the equation. Since HTTP is a stateless protocol (ie, there is no built-in way of persisting information between requests), sessions work by sending a cookie to the client containing a session id. This cookie is then sent back to the server by the client along with any subsequent HTTP requests, and PHP can examine the cookie and tie a user up to their session data. However, clients will only keep these session cookies as long as they deem necessary. Usually, for web browsers, this is until the user closes the browser or tab. Some clients, including browsers such as firefox, can be configured to save your sessions when you close them, but generally once the user closes their browser or browser tab, session cookies will be deleted, and so when they come to your site again they will get a new session cookie and the whole process starts again.

If you set a time limit on the session via php.ini, then when this time limit expires (ie, when x seconds has passed since the session cookie was initially set), PHP will delete the session irrespective of whether the client tries to keep the session going or not.

Hopefully that helps you understand how it works a little, but the short answer is that no, session data will not be available every time the user visits your site. Cookies which you set (ie, not session cookies) however will be available, as long as the user has not deleted them.

If you want to assign a temporary username, you really have to consider this as just that, temporary. You can't rely on the cookie being present. If your system relies on being able to identify users consistently, you have no option but to force them to register.

Regarding your idea of storing user's data in a file - personally I would not bother. The cookie itself is already a text file, I'd just store the data there and be done with it (as long as it is nothing more sensitive than a username). This is also safer - if I want to access the temporary identity of any user I just have to make a cookie with the right id. Granted in reality you can mitigate this by generating unguessable ids, but you still have to write extra code and have extra hassle for no added benefit.[/QUOTE]



ok i seem to understand sessions exactly the way you explained it. and yes i'd just need a temporary way of identifying them until they were ready to register.

registration will be free, i just wanted a way to start storing their preference from day one, and i'd tie that to their permanent user id once they register. if they register from day one, then they will be given a fresh preference file, but if the person was a frequent visitor they'd already have a temporary preference file that'd be linked to their username when they register rather than starting them with a new un-ordered preference file.

so i think i'll go with cookies to store a temp userid, once they register they would not need the cookie anymore as they'd have a permanent preference file on my server linked to their username.

thanks!
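
The design the thread settles on (a persistent cookie holding only a random temporary id, with the category order kept server-side), as an added example that is not any poster's code; it assumes PHP 7.3+, and the cookie name `visitor_id`, the `prefs` directory and the move-to-front rule are hypothetical. The cookie value is client-controlled, so it is matched against a strict pattern before it is used in a file name, and the id is long and random so another visitor's id cannot be guessed.

```php
<?php
// Added example, not code from the thread. Cookie name, directory and the
// move-to-front rule are assumptions.
const VISITOR_COOKIE = 'visitor_id';
const PREFS_DIR      = __DIR__ . '/prefs';   // keep outside the web root in practice
const DEFAULT_ORDER  = ['php', 'css', 'javascript', 'dhtml', 'gardening', 'cooking'];

// Accept the cookie value only if it is exactly 32 lowercase hex characters;
// anything else (missing, array, "../x") gets a fresh 128-bit random id.
function resolveVisitorId($cookieValue): string
{
    if (is_string($cookieValue) && preg_match('/\A[0-9a-f]{32}\z/', $cookieValue) === 1) {
        return $cookieValue;
    }
    return bin2hex(random_bytes(16));
}

// Read the saved order, drop anything that is not a known category, and
// append categories that are missing so the result is always complete.
function loadOrder(string $id): array
{
    $file  = PREFS_DIR . "/$id.json";
    $saved = is_file($file) ? json_decode((string) file_get_contents($file), true) : null;
    $saved = is_array($saved) ? array_filter($saved, 'is_string') : [];
    $known = array_intersect($saved, DEFAULT_ORDER);
    return array_values(array_unique(array_merge($known, DEFAULT_ORDER)));
}

// Move the category the visitor just used to the front and persist the order.
function recordUse(string $id, string $category): array
{
    $order = loadOrder($id);
    if (!in_array($category, DEFAULT_ORDER, true)) {
        return $order;                        // ignore unknown category names
    }
    $order = array_values(array_unique(array_merge([$category], $order)));
    is_dir(PREFS_DIR) || mkdir(PREFS_DIR, 0700, true);
    file_put_contents(PREFS_DIR . "/$id.json", json_encode($order), LOCK_EX);
    return $order;
}

$visitorId = resolveVisitorId($_COOKIE[VISITOR_COOKIE] ?? null);
setcookie(VISITOR_COOKIE, $visitorId, [
    'expires'  => time() + 30 * 24 * 3600,   // about a month, refreshed on each visit
    'path'     => '/',
    'secure'   => true,                      // assumes the site is served over HTTPS
    'httponly' => true,
    'samesite' => 'Lax',
]);
$order = loadOrder($visitorId);              // category order for rendering the page
```

`setcookie()` has to run before any output is sent; a visitor who deletes the cookie simply receives a new id and the default category order.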