Omeka User Session


Could one of the Omeka developers please outline how the Omeka user cookies are generated?

For example, my current user cookie for a local install has a name of "5da7a3909d22f4fbdf2e6e3a589f5c75" and a value of "b7poikuo039sfbe4vlp0budjm6".

How are these values generated?

I would like to know because I need an external system to generate the login cookie and give it to the user.

Many Thanks

Some info I have found out.

The password hash stored in the database is generated with a combination of the randomly generate salt and the plaintext password.

sha1(salt + plaintext_password)

The salt is randomly generate when a new account is created.

substr(md5(mt_rand()), 0, 16)

Still haven't found out how the user cookies are generate but I'm determined to find out.

More soon.

Some more info.

The name for the session cookie is generate based on which directory on the server Omeka is installed in. Here is the code that produces the name.


So I'm my install that would evaluate to:


Which equals "5da7a3909d22f4fbdf2e6e3a589f5c75" as shown in my original post.

Now just need to work out how the session value is generate because this value changes everytime you login (and they are generated for guest users) but I cannot find out where they are stored.

Well I'm going to stop working on this today and get back on it tomorrow.

I just can't see how the user session cookie value is generate and where it is stored.

The value must be stored in a persistent storage of some kind because if I restart the server, it keeps me logged in after restart. It must also be capable of storing multiple sessions for the same user.

Anyway, I'll get back to work on this tomorrow.

You're correct on how the default session name gets generated, but there may be a simpler option for your needs.

If you look in application/config/config.ini, you will find an option called, which will manually specify the name of the cookie Omeka will use.

As for the session itself, it's stored using PHP's default session save handler, which basically means files in your server's temporary directory (look for sess_<session_id>).

Hi John,

Thanks for the tip regarding the session name and where they are stored.

In my Ubuntu installation the directory was /var/lib/php5.

These files don't look easy to parse so I'm going to login the user from my external system (Moodle btw) by sending a POST request to /admin/users/login and then parsing the return header for the last Set-Cookie that was sent and then re-sending that to the current user.

I must ask why you have chosen to store sessions in the file system rather than in the database?


Omeka uses Zend's session handling code more or less "out of the box." The default for Zend, as well as PHP, is to store session data in that way.

Using some Zend Framework configuration settings, you can change how an Omeka install stores its session data. There was a discussion about this a few months ago on the dev mailing list.

Thanks for info John.

The discussion looked liked it was going in the right direction and I agree with others that database session handling should be the default.