Sessions and Cookies

The purpose of this article is to describe how PHP Sessions and Cookies are used in Symphony CMS and how that affects the user of a website powered by Symphony. I won't get into great detail about the general usage of sessions and cookies because Googling those terms will turn up several good tutorials.

When a new visitor views a Symphony-powered site, a cookie is placed on the visitor's computer, a session record is stored in the site database, and some parameters are set. The session and cookie are related through a unique key that is stored in both. The cookie is set to expire two weeks from the time it is created. The session, however, doesn't contain an expiration date. It just keeps a record of the last time the visitor loaded or refreshed a page on the site. The session record also contains a visitor's username and password if the visitor has logged in.

The parameters control the session garbage collection process. One is a "timeout" period that causes a session to be deleted when the visitor doesn't view the site for two weeks. Two others together determine how often garbage collection runs. They specify that, on average, only one of three instances of site activity by any visitor can result in garbage collection. Garbage collection is the process of deleting obsolete session records. A session record is considered obsolete if it contains no log-in information or if it hasn't been active for the past two weeks.

Now how does all this play out for a site visitor? When the site is first loaded, it checks to see if the visitor's computer has a site cookie from a previous visit. If it doesn't, a cookie is created and a session is started. If it does, the site uses the key from the cookie to see if a matching session still exists and if the visitor is still logged in. If no matching session exists, a new session is started using the key from the cookie.

Site visitors who have no log-in privilege are affected very little by cookies and sessions. Visitors who can log in are able to stay logged in for up to two weeks if they don't log out before leaving the site on their previous visit.

The lifetime of an existing session is theoretically determined by both cookie expiration and garbage collection. But, since the key parameter for both is set to two weeks, cookie expiration will dominate in ending sessions. Cookies always expire two weeks after they are created, but a session can remain active forever if the elapsed time between visits never exceeds two weeks.
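
The lifecycle described above can be modelled in a few lines. This is an added example, not Symphony's own code: the `Site` class, its method names and the `alice` account are hypothetical, the record stores only a user name in place of the username and password the article mentions, and cookie expiry is fixed at creation as stated above.

```python
import random
import secrets

DAY = 86400
TWO_WEEKS = 14 * DAY   # cookie lifetime and session timeout, both two weeks per the article
GC_ODDS = 1 / 3        # on average one request in three may trigger garbage collection

class Site:
    def __init__(self):
        self.sessions = {}   # session key -> {"last": timestamp, "user": name or None}

    def collect_garbage(self, now):
        # Obsolete: no log-in information, or not active for the past two weeks.
        self.sessions = {k: s for k, s in self.sessions.items()
                         if s["user"] is not None and now - s["last"] <= TWO_WEEKS}

    def visit(self, now, cookie=None, login_as=None, run_gc=None):
        """Handle one page load and return (cookie, logged-in user or None)."""
        if cookie is None or now >= cookie["expires"]:
            # No usable cookie: issue a new key. Expiry is fixed at creation time.
            cookie = {"key": secrets.token_hex(16), "expires": now + TWO_WEEKS}
        if run_gc is None:
            run_gc = random.random() < GC_ODDS   # probabilistic unless forced by caller
        if run_gc:
            self.collect_garbage(now)
        # Reuse the matching session, or start a new one under the cookie's key.
        session = self.sessions.setdefault(cookie["key"], {"last": now, "user": None})
        session["last"] = now
        if login_as is not None:
            session["user"] = login_as
        return cookie, session["user"]

def first_logged_out_day(visit_every_days, horizon_days=60):
    """Log in on day 0, revisit at a fixed interval, return the first logged-out day."""
    site = Site()
    cookie, _ = site.visit(0, login_as="alice", run_gc=False)
    for day in range(visit_every_days, horizon_days + 1, visit_every_days):
        cookie, user = site.visit(day * DAY, cookie, run_gc=True)
        if user is None:
            return day
    return None

def record_survives_gc(gc_day):
    """True if alice's record outlives a GC run on gc_day when she never returns."""
    site = Site()
    site.visit(0, login_as="alice", run_gc=False)
    site.collect_garbage(gc_day * DAY)
    return len(site.sessions) == 1
```

In this model the visitor is logged out at the first visit on or after day 14 however often they return, while the abandoned record with its log-in information stays in the session store until a garbage collection pass finds it more than two weeks idle.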