Exploring the session mechanism in PHP
1. Session generation mechanism in php
Let's first analyze how a session is generated in PHP. Sessions exist to maintain the state of each user and so make up for a shortcoming of the HTTP protocol: it is stateless. This raises a question. We all know that session data is saved on the server. Since it is used to maintain the state of each user, what does the server use to tell users apart? This is where cookies come in. When we call session_start(); in the code, PHP generates a file in the session storage directory (default is /tmp/) and a cookie on the client. The session file name looks like this:
The format is sess_{SESSIONID}. At this point the session file is empty. When we add these two lines of code after session_start();:
$_SESSION['name'] = 'wanchun0222';
$_SESSION['blog'] = 'coderbolg.com';
The file now has content:
name|s:11:"wanchun0222";blog|s:13:"coderbolg.com";
Now look at the cookie:
You can see that the server automatically generated a cookie for us. The cookie name is "PHPSESSID" and its value is a string of characters. That string is the {SESSIONID}. As you may already have understood, when we use a session, PHP first generates a unique SESSIONID (such as 2bd170b3f86523f1b1b60b55ffde0f66) and then creates a file named sess_{SESSIONID} in the default directory on the server. At the same time, it sets a cookie on the current user's client with the content described above. In this way PHP generates a SESSIONID for each user, which means one session file per user. The first time PHP uses a session for a user, it writes a cookie to the client. On later visits the browser sends this cookie back. PHP reads the SESSIONID from the cookie and uses it to find the session file in the session directory. Once the file is found, its contents are loaded, and the stored value is returned when $_SESSION['blog'] is read.
2. Session expiration recycling mechanism in php
Now that we understand how sessions are generated and how they work, we can see that many session files accumulate in the session directory. These files should not exist forever, so PHP provides a mechanism for recycling expired ones. In php.ini, session.gc_maxlifetime sets the lifetime of a session (default is 1440s). If the time since the session file was last updated exceeds this lifetime, the file is considered expired and is deleted the next time session recycling runs. When does the next recycling run? That depends on the number of PHP requests. Internally, recycling is triggered once every N requests on average. How often it is triggered is controlled by the following two parameters:
session.gc_probability = 1
session.gc_divisor = 100
These are the default settings in php.ini. The probability that a request triggers recycling is gc_probability/gc_divisor, so with these values recycling occurs on average once every 100 PHP requests. Now that we have covered the session expiration mechanism on the server side, let's look at the cookie expiration mechanism on the client side.
If the cookie expires, the browser no longer sends it to the server. At that point the session file on the server is useless even if it still exists, because PHP does not know which session file to read. A cookie's expiration time is set when the cookie is created, so what lifetime does PHP give the cookie it creates for the client when it starts a session? This is set in php.ini: session.cookie_lifetime. The value defaults to 0, which means the SESSIONID becomes invalid as soon as the browser is closed. In other words, we can control the session expiration time by setting session.gc_maxlifetime and session.cookie_lifetime to the same value.
3. Client-side storage mechanism of session in php
From the above, we know that if the user turns off cookies, our session will not work at all. That is true. But are cookies the only client-side storage mechanism for PHP sessions? No. When the SESSIONID cannot be passed from page to page through cookies, there is another option: pass the value as a GET parameter.
PHP can automatically pass the SESSIONID across pages through GET when cookies are disabled, provided that session.use_trans_sid is set to 1 in php.ini. In that case, when a session is used while cookies are disabled on the client and the user clicks a link from the current page to another page, PHP automatically adds the SESSIONID parameter to the link, like this: nextpage.php?SESSIONID=2bd170b3f86523f1b1b60b55ffde0f66. You can probably see the drawback of this method: it is not safe enough. The SESSIONID is now part of the URL, so it ends up in browser history, server logs, and any link the user copies or shares, and whoever holds it is treated as that user.
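An audit of the settings this article covers, as an added example that is not part of the original article: it flags URL-based SESSIONID transport (section 3) and reports the recycling probability and any cookie/file lifetime mismatch (section 2). The function name and the sample array are illustrative, and session.use_only_cookies is a real php.ini directive that the article does not discuss.

```php
<?php
// Added example, not from the original article: audits the php.ini session
// settings discussed above. Function and array names are illustrative.
function audit_session_settings(array $s): array
{
    $findings = [];
    // Section 3: PHP rewrites links to carry the session ID.
    if ((int) $s['session.use_trans_sid'] === 1) {
        $findings[] = 'use_trans_sid=1: session ID is appended to URLs';
    }
    // Real php.ini directive the article does not mention: when 0, PHP
    // also accepts a session ID that arrives in the URL.
    if ((int) $s['session.use_only_cookies'] === 0) {
        $findings[] = 'use_only_cookies=0: session ID accepted from the URL';
    }
    // Section 2: chance that a single request triggers recycling.
    $p = (int) $s['session.gc_probability'];
    $d = (int) $s['session.gc_divisor'];
    if ($p <= 0 || $d <= 0) {
        $findings[] = 'request-triggered recycling is off: expired files '
            . 'stay until an external job removes them';
    } else {
        $findings[] = sprintf('recycling runs on about %.2f%% of requests',
            min(100, 100 * $p / $d));
    }
    // Section 2: server-side file lifetime vs. client-side cookie lifetime.
    $file = (int) $s['session.gc_maxlifetime'];
    $cookie = (int) $s['session.cookie_lifetime'];
    if ($cookie > $file) {
        $findings[] = "cookie lives {$cookie}s, file may be recycled after {$file}s";
    }
    return $findings;
}

// Constructed sample: URL-based IDs enabled, cookie outliving the session file.
$weak = [
    'session.use_trans_sid' => '1', 'session.use_only_cookies' => '0',
    'session.gc_probability' => '1', 'session.gc_divisor' => '100',
    'session.gc_maxlifetime' => '1440', 'session.cookie_lifetime' => '86400',
];
// Live values from the PHP build that runs this script.
$live = array_combine(array_keys($weak), array_map('ini_get', array_keys($weak)));

foreach (['constructed weak config' => $weak, 'this PHP' => $live] as $label => $cfg) {
    echo "== {$label} ==\n";
    foreach (audit_session_settings($cfg) as $line) {
        echo " - {$line}\n";
    }
}
```

Run it with the PHP CLI; the second report reflects the php.ini loaded by the CLI, which may differ from the one the web server uses.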
Reprinted from: Blue Hawaii