Query regarding flash messages in PHP

Hi, hopefully this is the right area to just ask a curious quick question. Sorry if wrong place:)

Basically I want to understand why flash messages are session based and if there are any better alternative methods.

Currently I keep being told using PHP sessions are bad. Use JWT instead etc. How would you get flash messages working without sessions?

Thanks a lot in advance

Not sure what you mean by flash messages.


I think this is what is meant by “flash messages”


So the general statement is that the intention of it is to self-contain and carry information.

What we’re exchanging here is not SECURE information. It’s a status message, so while using JWT may be advisable in certain circumstances, it’s overkill for what this is attempting to accomplish.

The simple statement is: I want information to persist between loads of a page within the same browser session.

Let’s take the situation SpacePhoenix has identified on another site:

So he’s got a page, register.php, which is doing some form of registration work. At the end of the work, he has a message that needs to be shown to the user, but he wants to show it on the home page that the user will be redirected to after register.php. (There are probably better ways to handle this, but I’m rolling with the scenario laid out before me.)

If this is being done as a full browser redirect, here’s the flow of operations:

  1. User fills out registration form, and hits Submit.
  2. The submit action takes the user’s browser to register.php, carrying the form data.
  3. register.php processes the form, finds it valid, and wants to tell the user they have successfully registered, but it wants to do it on the home page.
  4. Register.php sends a message to the browser to go to the home page. The browser complies, and calls index.php.
  5. Index.php needs to read the message that was set in register.php, and display it.

There are several ways to accomplish this. Register.php setting a session variable is one of them. Note that if the user is registering for something, most likely register.php is setting up a PHP session and logging the user in automatically as a convenience, as there is no evidence of other technologies powering this exchange.

The idea of a session variable is that it is self-contained at the server - the browser does not have access to the information in the session, and so it is secure from interference (as long as your code doesn’t allow for interference…). That said, again, the message “Registered” is hardly a super-security-concern piece of information. I can make your flash box say “nyeh nyeh you stink” if I want to in my browser, regardless of whether or not it was session or JavaScript based.

My general philosophy is to keep information in the domain that produces it, until such time that it’s needed by another domain - if my server generates a piece of information that the browser never needs, but other pages in my server need them, I’ll keep that information in a server-based implementation such as a session variable.

Definition of Session

The exception to this rule, in my opinion, is information that may be significantly delayed. A PHP server’s definition of a session is (unless server modifications are made) “15 minutes from the last activity that used the session”. Which makes sense, from a server perspective - the server has no idea if you’ve gone off to have a coffee break, or if you’ve left the site never to return, so it cleans up sessions after a certain amount of time of inactivity.

The browser however has a better idea of what you’re doing - if the browser hasn’t closed, you’re still in the same browsing session; so it can keep information around a lot longer, because it knows whether you’ve closed the browser and gone about your day or not. So its definition of a session can be a lot longer; if you leave your browser open for 6 hours, and come back to it, you’re still in the same JavaScript browsing session, and it’s still holding all of the data from when you went away.

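The register.php → index.php flow described in the reply above, written out as an added example (this is not code from the thread or from any poster). It assumes a hypothetical `flash.php` helper included by both pages, a `$registered` stand-in for the real validation result, and the page names the reply uses. The flash message lives only in the server-side session, is read once and then removed, and is HTML-escaped when shown, since a status message can carry user-supplied text.

```php
<?php
// flash.php (hypothetical helper, added example): a read-once flash message
// kept in the PHP session, so the browser never sees the stored value itself.
declare(strict_types=1);

function flash_set(string $key, string $message): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION['flash'][$key] = $message;
}

function flash_get(string $key): ?string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['flash'][$key])) {
        return null;
    }
    $message = $_SESSION['flash'][$key];
    unset($_SESSION['flash'][$key]);   // consume it: shown once, then gone
    return $message;
}

// ---------------------------------------------------------------------------
// register.php (hypothetical, following the scenario in the reply above)
// ---------------------------------------------------------------------------
// <?php
// declare(strict_types=1);
// require __DIR__ . '/flash.php';
//
// // Session cookie flags set before the session starts: not readable from
// // script, not sent cross-site, only over HTTPS.
// session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax', 'secure' => true]);
// session_start();
//
// if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
//     http_response_code(405);
//     exit;
// }
//
// // ... validate the posted form and create the account here ...
// $registered = true;   // stand-in for the real outcome (assumption)
//
// if ($registered) {
//     // New session id once the user is logged in, so an id handed out before
//     // registration cannot be reused for the authenticated session.
//     session_regenerate_id(true);
//     $_SESSION['user_id'] = 123;   // constructed value
//     flash_set('status', 'Registration successful, you are now logged in.');
//     header('Location: /index.php', true, 303);   // step 4: full browser redirect
//     exit;
// }

// ---------------------------------------------------------------------------
// index.php (hypothetical): step 5, read the message set by register.php
// ---------------------------------------------------------------------------
// <?php
// declare(strict_types=1);
// require __DIR__ . '/flash.php';
// session_start();
// $status = flash_get('status');   // null on any later load of the page
// ?>
// <!doctype html>
// <html><body>
// <?php if ($status !== null): ?>
//   <div class="flash"><?= htmlspecialchars($status, ENT_QUOTES | ENT_HTML5, 'UTF-8') ?></div>
// <?php endif; ?>
// </body></html>
```

Because the message is stored and consumed on the server, reloading index.php does not show it again, and nothing the browser holds (other than the opaque session cookie) carries it between the two requests. The 303 redirect after the POST keeps a browser refresh from resubmitting the registration form. The `session_set_cookie_params` and `session_regenerate_id` calls are standard PHP and are not specific to flash messages; they are included because a registration page that also logs the user in is exactly the place where the session id changes meaning.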

Reminds me of a book store Shopping Cart I started and never finished.

HTML LocalStorage was used, which I liked because the user’s data is stored forever or until deleted. Implementation is currently on hold due to other more important issues.

