Home >Backend Development >PHP Tutorial >Variables explored in PHP kernel (5) - basic principles of session, basic principles of session_PHP tutorial
This time let’s talk about session.
Session can be said to be one of the most mentioned terms on the Internet. Its meaning is very broad and can refer to any complete transaction interaction (session): such as sending an HTTP request and receiving a response, or executing a SQL statement, which can be regarded as a Session. Unless otherwise specified, the Session mentioned in this article refers only to the HTTP session.
This article is the fifth article on PHP kernel exploration. It mainly includes the following aspects:
1. HTTP is stateless
We know that the HTTP protocol was originally an anonymous, stateless request/response protocol. Such a simple design allows the HTTP protocol to focus on the transmission of resources (HTTP is the Hypertext Transfer Protocol), thereby achieving better performance. However, this stateless design has also proven to hinder the development of interactive web applications. Typical examples include: e-commerce websites need to obtain user information to implement functions such as orders, shopping carts, and transactions, and SNS websites need to obtain user information and archive it. In order to build a real "social network", even movie and CD rental websites also need to obtain user information to provide personalized recommendations, thereby bringing better benefits. This means that some kind of technology must be used to identify and manage user information. Cookie and Session technologies were born in this context.
2. Session and Cookie
Speaking of Session, we have to mention Session’s good friend Cookie, because in many cases Session relies on Cookie to store its session_id. If we want to talk about the difference between Session and Cookie, I think everyone should be familiar with it. Some students can even easily recite the following common differences:
(1). Cookie is a solution for maintaining state on the client side, while Session is a technology for maintaining state on the server side. Therefore, Cookie is stored on the client side, while Session is stored on the server side.
(2). In most cases, Session needs to use Cookie as a carrier to store session_id. Therefore, if Cookie is disabled, the session_id must be obtained by other means (for example, through get or post) method to pass session_id to the server)
(3). Cookie expiration and deletion can only ensure the invalidation of the client's connection and will not clear the server-side Session
(4). Although by default, both Session and Cookie write files (Session can also write to database or other memory cache such as memcached), but Cookie depends on the browser settings: for example , IE6 limits a maximum of 20 cookies per domain name, and many browsers limit the size of cookies to no more than 4096 bytes.
More discussions about Cookies are beyond the scope of this article. Students who need to know more can refer to "HTTP Authoritative Guide" and "JavaScript Advanced Programming" With these two books, I believe you will have a deeper understanding of cookies.
3. Basic operations of Session in php
(1). session_start
bool <span>session_start</span> ( void )
session_start() is used to start a session. Generally speaking, when we use $_SESSION, we must first call session_start (or session.auto_start is configured in your php.ini ). So in the case of session.auto_start=false, is session_start necessarily the first function that must be called for session operation? The answer is no. Although under normal circumstances, when we need to operate a session, we basically put session_start() in the first line of the script. In fact, when session_start is called, all the parameters related to the Session have been initialized. After that, it cannot Session parameter information can be changed through functions such as session_name and session_set_cookie_params, session_save_path. Therefore, if you need to change the relevant parameters of the session, in addition to changing them in the ini file (or changing them through ini_set), you can also modify them through functions such as session_name, session_save_path, session_set_cookie_params, and these functions must be called before session_start . For example:
session_save_path('/root/xiaoq/phpCode/session'); session_start(); $_SESSION['index'] = "this is desc"; $_SESSION['int'] = 123;
(2). session_id()
session_save_path('/root/xiaoq/phpCode/session'); session_start(); $_SESSION['index'] = "this is desc"; $_SESSION['int'] = 123; print_r( session_id());//5rdhbe4k8k73h5g1fsii01iau5
session_save_path('/root/xiaoq/phpCode/session'); session_id("5rdhbe4k8k73h5g1fsii01iau5"); session_start(); print_r($_SESSION); /* Array ( [index] => this is desc [int] => 123 ) */
(4). session_write_close/session_commit
session_save_path('/root/xiaoq/phpCode/session'); session_start(); $_SESSION['index'] = "this is desc"; $_SESSION['int'] = 123; sleep(15);
session_save_path('/root/xiaoq/phpCode/session'); session_start(); $_SESSION['index'] = "this is desc"; $_SESSION['int'] = 123; session_commit(); sleep(15);
(5). session_destroy
session_save_path('/root/xiaoq/phpCode/session'); session_start(); $_SESSION['index'] = "this is desc"; $_SESSION['int'] = 123; unset($_SESSION); session_destroy();
3. session的ini配置
(1). session.save_handler
这个参数用于指定Session的存储方式(实际上是指定了一个处理Session的句柄)。可以是files(文件存储,默认), user( 用户自定义存储 ),或者其他的扩展方式(如memcache)。
(2). session.save_path
在使用session.save_handler=files的情况下,session.save_path用于指定Session文件存储的目录,如session.save_path= “/tmp”;这种配置下,所有的session文件都是写入一个目录的。这在某些情况下是有问题的(如有的系统单目录下支持的文件数是有限制的,而且,同一目录下文件过多,会造成读取变慢)。session.save_path还支持多级目录hash的方式:session.save_path = "N;/path"; 这种配置方式会将session文件分散到不同的子目录中,避免单目录文件文件过多。同样,这种配置方式也有较大的问题:如Session的GC是无效的,而且,PHP并不会自动为你创建子目录,需要手动创建或者通过脚本创建。
(3). session.name
在使用Cookie为载体的情况下,session.name指定存储session_id的Cookie的key( cookie中也是基于key=>value)。默认的情况下,session.name= PHPSESSID
session_name("NEW_SESSION"); session_start(); $_SESSION['index'] = "this is desc"; $_SESSION['int'] = 123;
(4). session.auto_start
这个参数用于指定是否需要自动开启session,在设置为true的情况下,不需要在脚本中显式的调用session_start(). 如果不是特殊需要,我们并不建议开启session.auto_start.
(5). session.gc_*
主要用于配置session GC的相关参数。关于这点,我们在后面会有详细讲解,这里暂时搁置
(6). session.cookie_*
主要用于配置session的载体cookie的相关参数信息,如cookie的path, lifetime, 域domain等。
1. session模块的初始化MINIT
前面我们提到,在php中,Session是以扩展的形式加载的,因此,它也会经历扩展的MINIT -> RINIT -> RSHUTDOWN -> MSHUTDOWN等阶段。PHP_MINIT_FUNCTION和PHP_RINIT_FUNCTION是php启动过程中两个关键点:在php启动时,会依次调用各个扩展模块的PHP_MINIT_FUNCTION来完成各个扩展模块的初始化工作,而PHP_RINIT_FUNCTION则在对模块的请求到来时作一些准备性工作。对于Session而言,PHP_MINIT_FUNCTION主要完成的初始化工作包括(注:不同版本的PHP具体处理过程并不完全相同,如PHP 5.4+提供了SessionHandlerInterface,这样可以通过session_set_save_handler ( SessionHandlerInterface $sessionhandler )的方式自定义Session的处理机制,而不必像之前一样使用冗长的bool session_set_save_handler ( callable $open , callable $close , callable $read , callable $write , callable $destroy , callable $gc [, callable $create_sid ] )):
(1). 注册$_SESSION超全局变量:
zend_register_auto_global("_SESSION", sizeof("_SESSION")-1, NULL TSRMLS_CC);
(2). 读取ini文件中的相关配置。
#define REGISTER_INI_ENTRIES() zend_register_ini_entries(ini_entries, module_number TSRMLS_CC)
因此,实际上是调用zend_register_ini_entries(ini_entries, module_number TSRMLS_CC)。关于ini文件的解析和配置,已经超出了本文的范畴,可以参考这篇文章:http://www.cnblogs.com/driftcloudy/p/4011954.html 。
PHP_INI_BEGIN() STD_PHP_INI_BOOLEAN("session.bug_compat_42", "1", PHP_INI_ALL, OnUpdateBool, bug_compat, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN("session.bug_compat_warn", "1", PHP_INI_ALL, OnUpdateBool, bug_compat_warn, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.save_path", "", PHP_INI_ALL, OnUpdateSaveDir,save_path, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.name", "PHPSESSID", PHP_INI_ALL, OnUpdateString, session_name, php_ps_globals, ps_globals) PHP_INI_ENTRY("session.save_handler", "files", PHP_INI_ALL, OnUpdateSaveHandler) STD_PHP_INI_BOOLEAN("session.auto_start", "0", PHP_INI_ALL, OnUpdateBool, auto_start, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.gc_probability", "1", PHP_INI_ALL, OnUpdateLong, gc_probability, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.gc_divisor", "100", PHP_INI_ALL, OnUpdateLong, gc_divisor, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.gc_maxlifetime", "1440", PHP_INI_ALL, OnUpdateLong, gc_maxlifetime, php_ps_globals, ps_globals) PHP_INI_ENTRY("session.serialize_handler", "php", PHP_INI_ALL, OnUpdateSerializer) STD_PHP_INI_ENTRY("session.cookie_lifetime", "0", PHP_INI_ALL, OnUpdateLong, cookie_lifetime, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.cookie_path", "/", PHP_INI_ALL, OnUpdateString, cookie_path, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.cookie_domain", "", PHP_INI_ALL, OnUpdateString, cookie_domain, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN("session.cookie_secure", "", PHP_INI_ALL, OnUpdateBool, cookie_secure, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN("session.cookie_httponly", "", PHP_INI_ALL, OnUpdateBool, cookie_httponly, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN("session.use_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_cookies, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN("session.use_only_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_only_cookies, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.referer_check", "", PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.entropy_file", "", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.entropy_length", "0", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.cache_limiter", "nocache", PHP_INI_ALL, OnUpdateString, cache_limiter, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.cache_expire", "180", PHP_INI_ALL, OnUpdateLong, cache_expire, php_ps_globals, ps_globals) PHP_INI_ENTRY("session.use_trans_sid", "0", PHP_INI_ALL, OnUpdateTransSid) PHP_INI_ENTRY("session.hash_function", "0", PHP_INI_ALL, OnUpdateHashFunc) STD_PHP_INI_ENTRY("session.hash_bits_per_character", "4", PHP_INI_ALL, OnUpdateLong, hash_bits_per_character, php_ps_globals, ps_globals) PHP_INI_END()
(3). 自php 5.4起,php提供了SessionHandler和SessionHandlerInterface这两个Class, 因此还需要对这两个Class做相关的初始化工作。这是通过:
INIT_CLASS_ENTRY(ce, PS_IFACE_NAME, php_session_iface_functions);
INIT_CLASS_ENTRY(ce, PS_CLASS_NAME, php_session_class_functions);
2. session请求时的准备RINIT
PHP_RINIT_FUNCTION(session) 用于完成session请求之时的准备工作,主要包括:
(1). 初始化session相关的全局变量,这是通过php_rinit_session_globals来完成的:
static inline void php_rinit_session_globals(TSRMLS_D) { PS(id) = NULL;//session的id PS(session_status) = php_session_none;//初始化session_status PS(mod_data) = NULL;//session data PS(mod_user_is_open) = 0; /* Do NOT init PS(mod_user_names) here! */ PS(http_session_vars) = NULL; }
(2). 根据ini的配置查找session.save_handler,从而确定是使用files还是user( 或者是其他的扩展方式)来处理session:
if (PS(mod) == NULL) { char *value; value = zend_ini_string("session.save_handler", sizeof("session.save_handler"), 0); if (value) { PS(mod) = _php_find_ps_module(value TSRMLS_CC); } }
确定是user还是files来处理session的逻辑是由_php_find_ps_module来完成的,这个函数会依次查找ps_modules中预定义的module, 一旦查找成功,立即返回:
PHPAPI ps_module *_php_find_ps_module(char *name TSRMLS_DC) { ps_module *ret = NULL; ps_module **mod; int i; for (i = 0, mod = ps_modules; i < MAX_MODULES; i++, mod++) { if (*mod && !strcasecmp(name, (*mod)->s_name)) { ret = *mod; break; } } return ret; }
#define MAX_MODULES 10 static ps_module *ps_modules[MAX_MODULES + 1] = { ps_files_ptr,// &ps_mod_files ps_user_ptr//&ps_mod_user };
typedef struct ps_module_struct { const char *s_name; int (*s_open)(PS_OPEN_ARGS); int (*s_close)(PS_CLOSE_ARGS); int (*s_read)(PS_READ_ARGS); int (*s_write)(PS_WRITE_ARGS); int (*s_destroy)(PS_DESTROY_ARGS); int (*s_gc)(PS_GC_ARGS); char *(*s_create_sid)(PS_CREATE_SID_ARGS); } ps_module;
这意味着,每一个处理session的mod,不管是files, user还是其他扩展的模块,都应该包含ps_module中定义的字段,分别是:module的名称(s_name), 打开句柄函数(s_open), 关闭句柄函数(s_close), 读取函数(s_read) , 写入函数(s_write), 销毁函数(s_destroy), gc函数(s_gc),生成session_id的函数(s_create_sid)。例如,对于session.save_handler=files而言,实际上是:
{ "files", ps_open_files, ps_close_files, ps_read_files, ps_write_files, ps_delete_files, ps_gc_files, php_session_create_id }
#define PS_MOD(x) \ #x, ps_open_##x, ps_close_##x, ps_read_##x, ps_write_##x, \ ps_delete_##x, ps_gc_##x, php_session_create_id
上述宏定义我们也可以看出,session.save_handler不管是files, user,还是其他的session处理的handler(如memcache, redis等) 生成session_id的算法都是使用php_session_create_id函数来实现的。
我们花费了大量的精力来说session.save_handler, 其实是想说明:原则上,session可以存储在任何可行的存储中的(例如文件,数据库,memcache和redis),如果你自己开发了一个存储系统,比memcache的性能更好,那么OK, 你只要按照session存储的规范,设置好session.save_handler,不管是你在脚本中提供接口还是使用扩展,可以很方便的操作session数据,是不是很方便?
确定完session的save_handler之后。需要确定serializer, 这个也是必须的。Serializer用于完成session数据的序列化和反序列化,我们在session.save_handler=files的情况下可以看到,session数据并不是直接写入文件的,而是通过一定的序列化机制序列化之后存储到文件的,在读取session数据时需要对文件的内容进行反序列化:
session_save_path('/root/xiaoq/phpCode/session'); session_start(); $_SESSION['key'] = 'value'; session_write_close();
if (PS(serializer) == NULL) { char *value; value = zend_ini_string("session.serialize_handler", sizeof("session.serialize_handler"), 0); if (value) { PS(serializer) = _php_find_ps_serializer(value TSRMLS_CC); } }
PHPAPI const ps_serializer *_php_find_ps_serializer(char *name TSRMLS_DC) { const ps_serializer *ret = NULL; const ps_serializer *mod; for (mod = ps_serializers; mod->name; mod++) { if (!strcasecmp(name, mod->name)) { ret = mod; break; } } return ret; } static ps_serializer ps_serializers[MAX_SERIALIZERS + 1] = { PS_SERIALIZER_ENTRY(php_serialize), PS_SERIALIZER_ENTRY(php), PS_SERIALIZER_ENTRY(php_binary) };
typedef struct ps_serializer_struct { const char *name; int (*encode)(PS_SERIALIZER_ENCODE_ARGS); int (*decode)(PS_SERIALIZER_DECODE_ARGS); } ps_serializer;
if (auto_start) { php_session_start(TSRMLS_C); }
3. session_start
static PHP_FUNCTION(session_start) { php_session_start(TSRMLS_C); if (PS(session_status) != php_session_active) { RETURN_FALSE; } RETURN_TRUE; }
内部是调用php_session_start完成session相关上下文的设置, 其基本步骤是:
(1). 检查当前会话的session状态。
typedef enum { php_session_disabled, php_session_none, php_session_active } php_session_status;
(a). session_status = php_session_active
表明已经开启了session。那么忽略本次的session_start(), 但同时会产生一条警告信息:
A session had already been started - ignoring session_start()
(b). session_status = php_session_ disabled
if (PS(mod) == NULL || PS(serializer) == NULL) { /* current status is unusable */ PS(session_status) = php_session_disabled; return SUCCESS; }
如果session_status = php_session_ disabled, 无法确定session是否真不可用(比如我们在脚本中设置了session_set_save_handler),还要做进一步的分析。查找mod和serializer的过程与RINIT的类似。
(c). session_status = php_session_none
在session_status= php_session_ disabled和php_session_none的情况下,都会继续向下执行。
(2). 如果session_id不存在,那么内核会依次尝试下列方法获取session_id(为了方便起见,我们直接使用了$_COOKIE, $_GET, $_POST,实际上这样是不严谨的,因为这些超级全局变量是php内核生成并提供给应用程序的,内核实际上是在全局的symbol_table中查找)
a. $_COOKIE中
b. $_GET中
c. $_POST中
(3). 执行php_session_initialize完成session的初始化工作。
a. 安全性检查
if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\")) { efree(PS(id)); PS(id) = NULL; }
b. 为了稳妥起见,这里再次验证PS(mod)是否存在,如果不存在则返回错误。
c. session_id
如果session_id不存在,那么会调用相应模块的s_create_sid方法创建相应的session_id。实际上,不管是user, files还是memcache,创建session_id时都是调用的PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS);有兴趣的同学可以看看生成session_id的算法,比较复杂,由于篇幅问题,这里并不跟踪。
d. 尝试读取数据
if (PS(mod)->s_read(&PS(mod_data), PS(id), &val, &vallen TSRMLS_CC) == SUCCESS) { php_session_decode(val, vallen TSRMLS_CC); efree(val); } else if (PS(invalid_session_id)) { /* address instances where the session read fails due to an invalid id */ PS(invalid_session_id) = 0; efree(PS(id)); PS(id) = NULL; goto new_session; }
static void php_session_track_init(TSRMLS_D) { zval *session_vars = NULL; /* Unconditionally destroy existing array -- possible dirty data */ zend_delete_global_variable("_SESSION", sizeof("_SESSION")-1 TSRMLS_CC); if (PS(http_session_vars)) { zval_ptr_dtor(&PS(http_session_vars)); } MAKE_STD_ZVAL(session_vars); array_init(session_vars); PS(http_session_vars) = session_vars; ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"), PS(http_session_vars), 2, 1); }
4. session的基本流程
5. session文件存储的问题
a. 文件锁带来的性能问题
flock(data->fd, LOCK_EX);
b. 分布式服务器环境下session共享的问题
Session file storage is actually stored on the server's disk, which will cause certain problems in a distributed server environment: Suppose you have three servers a, b, and c. Then the user's multiple requests may be directed to different servers according to the load balancing policy. Since the session files are not shared between the servers, it appears that session loss has occurred. Although this can be solved by user sticky sessions, it will bring about a bigger problem: the server cannot load balance, increasing the complexity of the server
c. In high concurrency scenarios, sessions and a lot of disk I/O
Based on the above reasons, in practical applications, many use distributed memory cache memcache or redis to store and share sessions. Full memory operation will greatly improve session operation performance.
The session exploration is basically over here, and there are still many problems that need to be solved:
These are not explained one by one. Interested students can track the source code implementation.
Due to the rush of time and limited personal level, there will inevitably be errors in the article. Welcome to point out and communicate. Finally, feel free to reprint the article, but please respect your personal achievements and indicate the source.
1. http://www.tuicool.com/articles/26Rrui
2. "The Definitive Guide to HTTP"
3. http://www.cnblogs.com/shiyangxt/archive/2008/10/07/1305506.html
4. http://blog.163.com/lgh_2002/blog/static/4401752620105246517509/
5. http://www.cnblogs.com/driftcloudy/p/4011954.html