Sessions within Joomla can be mystifying if you are unfamiliar with them. Pulling back the curtains reveals a pretty easy concept and one that you should be familiar with in case you run into some too-common issues, mainly around authentication and staying logged in, on your site.
The concept of a session is simple: it is a way to track a user through their visit to your website. Each page they view and what they do, actions they perform, etc is part of their session. It doesn't matter if the user is logged in or not, the session is still a part of every user's visit.
Once a session is over, the data stored for it is cleared and there's no history stored of that specific session long term.
A quick summary of how a session works and what it's good for is: Your browser and server work together to keep little nuggets of data about a visitor. That data helps change the next page the viewer loads to tailor it to them. The user's activities throughout your site ultimately may be saved to the database permanently as well.
If a session exists only while a user visits your site, and is cleared while they are gone, you may be asking.. what's the point then? The whole point of a session is to allow a user's actions on one page affect future pages they load or features they engage with. The most common example is simply authentication. The overall flow works like this:
That's it! A session simply stores information about the current visitor your site. There are likely tens, hundreds or thousands of sessions open at any time on a site, each one tracking a specific viewer of the page so that the content can be tailored to that user.
Other examples of session usage are through various forms, like lead-generators, contact us pages or registration flows. As the user enters more details into a form, the session can store that data so that all of it is processed after each page of the form is complete. For a lead-gen, the session may store that a form has been completed which will allow the viewer access to a download or some other reward.
A Joomla session has 2 components to it: A browser cookie and a database record. Knowing how each works helps to understand how and where each bit of data is stored.
The browser cookie is simply a random string of characters to identify the visitor. There are no personally identifable details in the cookie and no real data of use at all. The cookie is marked as a 'session' type of cookie, which means it will expire (be deleted automatically) when the browser is closed or cleaned by the browser after a set period of non-use; for instance, you haven't visited a page on the site that has used the cookie for 1 week. This latter case is useful for people that leave their computer running and never close their browser.
The use of a cookie is what gives your website a short-term memory. By providing it with each request, Joomla can look up the history of the current viewing session in the database record below.
The Joomla database then has a record associated with the random session cookie. Within that record, Joomla or any other extension can store data associated with that visitor. This data can be the user's ID, the parts of a form they've filled out, the blog posts they've read or any other information that may be useful for future page views during this visit.
While the browser cookie may remain for a long time, Joomla has a tighter restriction in the Global Configuration area for "Session Lifetime". This is the time limit (in minutes) that Joomla uses to clear out old sessions in the database that haven't been used recently. For example, if the Session Lifetime is set to 30, then when someone hasn't viewed a page or engaged with your site in 30 minutes, their session is expired and will be cleared.
After a session expires, the user will need to re-authenticate in order to be logged into your site.
When a session expires, all temporary data for that visit is erased, which means if the user was logged in, they won't be the next time they load a page. This is usually the desired behavior but, sometimes, if the session period is too short, a user can be logged out simply while creating a blog post or responding to a forum topic. If you have user generated content, or your users are being logged out unexpectedly, try increasing the session expiration.
On this site, we use a session timeout of 90. That allows users to register, read about our social network integration extension for Joomla, purchase or interact with our forums while giving them plenty of time for each step and no chance of being logged out along the way. That's also short enough to prevent too many security problems on shared computers or keeping sessions open so long that the database has a huge amount of rows to store all the data.
Of course, sessions are just temporary bits of information about the user's current visit. Persistent information, like a user's profile, blog posts, forum threads and other bits are managed by each extension and persist even when the user leaves. The session is just the short-term memory of a user that helps your site build up it's long-term memory (persistent data) through more content.
Hopefully, this helped explain sessions, but is there something missing? Are you experiencing strange behavior you think may be related to a session problem? Let us know in the comments below!