Session State in Web Applications

Your web browser does not maintain a connection to the server between page loads.

When you go to a site, a new TCP connection is made to the web server to request the page. Once the page is sent, the server drops the connection. Then a new connection is made to the server for each stylesheet, JavaScript source file, graphic, etc. that is specified on that page.

The server doesn’t really care who you are. It just serves up files on demand, as requested.

But if you are working on a website that needs to allow some sort of user login, then you need to keep track of who is who. You can’t treat every request for information identically and anonymously. And you can’t use the IP address to identify the user because so many users can be using the same IP behind a network address translating router or proxy server.

Generally what web applications do is send a cookie to your browser which stores a really long, hard-to-guess number. Your browser sends that number back every time it requests something new from the server. The web application uses the number to look up a table of variables which were stored earlier, so your username and account details are available to build the next page.

There are two major worlds in web application programming: PHP and ASP. PHP is open source. ASP is Microsoft’s thing. Both environments provide session state management.

The default configuration in PHP stores the session identifier and variables in a file on the disk.

The default configuration in ASP stores the information in virtual memory.

In both cases you need to be careful about web hosting providers which use multiple web servers to serve up your files which are loaded from some central file server. Network Solutions’ shared hosting is just such a monster.

When a request comes in with a particular session ID (that long number) which was created on another physical web server, the server handling the request has no stored session for that number, so a new session state is started without any variables at all. OOPS! You have to log in again.

In PHP and ASP, you can fix this by storing the session state to an SQL server.

There’s also an easier fix in PHP: set the PHP session save path to a directory on their file server near where your source files are stored.

The php.ini setting is session.save_path. Or, you can call the function session_save_path() before you call session_start().
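One way to apply the session.save_path fix, as an added example that is not part of the original post: it puts the session directory beside the document root rather than inside it, so the sess_ files live on the same file server as the source files but cannot be requested over HTTP. The function name use_shared_session_dir and the directory name php_sessions are assumptions.

```php
<?php
// Added example, not from the original post. The function name and the
// directory name "php_sessions" are assumptions made for illustration.

function use_shared_session_dir(string $docRoot, string $dirName = 'php_sessions'): string
{
    $root = realpath($docRoot);
    if ($root === false) {
        throw new RuntimeException("Document root not found: $docRoot");
    }

    // Sibling of the document root: on the same shared file server as the
    // source files, but not mapped to any URL.
    $dir = dirname($root) . DIRECTORY_SEPARATOR . $dirName;

    // Session files hold login state; create the directory owner-only.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("Cannot create $dir");
    }
    $real = realpath($dir);

    // Refuse a path (for example through a symlink) that resolves to the
    // web root or below it, where sess_<id> files could be fetched over HTTP.
    $sep = DIRECTORY_SEPARATOR;
    if ($real === false || strpos($real . $sep, $root . $sep) === 0) {
        throw new RuntimeException('Session directory must be outside the document root');
    }
    if (!is_writable($real)) {
        throw new RuntimeException("Session directory is not writable: $real");
    }

    session_save_path($real);   // must be called before session_start()
    return $real;
}

$path = use_shared_session_dir($_SERVER['DOCUMENT_ROOT']);
session_start();

// The counter keeps climbing no matter which web server answers, because
// every server reads the same session file from the shared directory.
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
echo "hits: {$_SESSION['hits']} (session files in $path)";
```

On distributions that set session.gc_probability to 0 and clean only the default session directory from cron (Debian and Ubuntu do this), expired files in a custom directory are not removed and need their own cleanup.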

You can tell if your host is using multiple web servers by running a PHP program like this:

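<?php
// Diagnostic page: shows which server answered and where it keeps sessions.
// Remove it when done; it prints the session ID and server paths.
session_start();
echo session_id()."<br/>";                     // session ID sent in the cookie
var_dump($_SESSION);                           // variables stored for this session
// $HTTP_SERVER_VARS was removed in PHP 5.4; $_SERVER holds the same values.
echo "<br/>".$_SERVER['SERVER_ADDR']."<br/>";  // IP of the server that answered
echo $_SERVER["DOCUMENT_ROOT"]."<br/>";
echo session_save_path();
?>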

If you keep requesting the page, eventually you will see the IP address of the server change.

Happy programming!
