Home > Article > Backend Development > Comparatively complete PHP session (session time setting) usage entry code_PHP tutorial
Comparatively complete PHP session (session time setting) usage entry code_PHP tutorial
- WBOYOriginal
- 2016-07-21 15:52:26650browse
For Cookie, assuming we want to verify whether the user is logged in, we must save the username and password (possibly an md5 encrypted string) in the Cookie, and verify it every time the page is requested. If the username and password are stored in the database, a database query must be executed every time, causing unnecessary burden on the database. Because we can't do just one verification. Why? Because the information in client cookies may be modified. If you store the $admin variable to indicate whether the user is logged in, when $admin is true, it means logged in, and when it is false, it means not logged in. After passing the verification for the first time, $admin equals true will be stored in the cookie, and there will be no need to verify next time. Yes, is this right? Wrong, if someone forges a $admin variable with a value of true, doesn’t that mean he or she will immediately gain administrative rights? Very unsafe.
The Session is different. The Session is stored on the server side. Remote users cannot modify the contents of the Session file. Therefore, we can simply store a $admin variable to determine whether to log in. Set $admin after passing the first verification. The value is true. In the future, it will be judged whether the value is true. If not, go to the login interface, which can reduce a lot of database operations. And it can reduce the insecurity of passing the password every time to verify the cookie (Session verification only needs to be passed once, if you do not use the SSL security protocol). Even if the password is md5 encrypted, it can be easily intercepted.
Of course, there are many advantages to using Session, such as easy control and user-defined storage (stored in a database). I won’t say much more here.
Does Session need to be set in php.ini? Generally not needed, because not everyone has the permission to modify php.ini. The default storage path of Session is the system temporary folder of the server. We can customize it and store it in our own folder. I will introduce this later. .
Start to introduce how to create a Session. Very simple, really.
Start the Session and create a $admin variable:
<?php
// Start Session
session_start();
// Declare a variable named admin and assign a null value.
$_SESSION["admin"] = null;
?>
If you use Seesion, or the PHP file wants to call the Session variable, it must be started before calling Session It uses the session_start() function. You don’t need to set anything else, PHP automatically completes the creation of the Session file.
After executing this program, we can go to the system temporary folder to find the Session file. The general file name is in the form: sess_4c83638b3b0dbf65583181c2f89168ec, followed by a 32-bit encoded random string. Open it with an editor and take a look at its content:
admin|N;
Generally, the content is structured like this:
Variable name | type: length: value ;
and separate each variable with a semicolon. Some can be omitted, such as length and type.
Let’s take a look at the verification program, assuming that the database stores the username and md5 encrypted password:
<?php
// After the form is submitted...
$posts = $_POST;
// Clear some whitespace characters
foreach ($posts as $ key => $value)
{
$posts[$key] = trim($value);
}
$password = md5($posts["password"]);
$username = $posts["username"];
$query = "SELECT `username` FROM `user` WHERE `password` = '$password'";
// Get query results
$userInfo = $DB->getRow($query);
if (!empty($userInfo))
{
if ($userInfo["username"] == $username)
{
// When the verification is passed, start the Session
session_start();
// Register the admin variable for successful login and assign the value true
$_SESSION["admin"] = true ;
}
else
{
die("Incorrect username and password");
}
}
else
{
die(" Wrong username and password");
}
We start Session on the page that requires user verification to determine whether to log in:
<?php
// Prevent global variables from causing security Hidden dangers
$admin = false;
//Start the session, this step is essential
session_start();
// Determine whether to log in or not
if (isset( $_SESSION["admin"]) && $_SESSION["admin"] === true)
{
echo "You have logged in successfully";
}
else
{
// Verification failed, set $_SESSION["admin"] to false
$_SESSION["admin"] = false;
die("You do not have permission to access");
}
?>
Isn’t it very simple? Just think of $_SESSION as an array stored on the server side. Each variable we register is the key of the array, which is no different from using an array.
What should I do if I want to log out of the system? Just destroy the Session.
<?php
session_start();
// This method is to destroy a certain variable that was originally registered
unset($_SESSION["admin"]);
// This method is to destroy the entire Session file
session_destroy();
>
Can Session set the life cycle like Cookie? With Session, does it mean to abandon Cookie completely? I would say that it is most convenient to use Session in combination with Cookie.
How does Session determine the client user? It is judged by Session ID. What is Session ID is the file name of the Session file. Session ID is randomly generated, so it can ensure uniqueness and randomness and ensure the security of Session. Generally, if the lifetime of the Session is not set, the Session ID is stored in the memory. After closing the browser, the ID is automatically logged out. After re-requesting the page, a new Session ID is registered.
If the client does not disable cookies, the cookie plays the role of storing the Session ID and Session lifetime when starting the Session.
Let’s manually set the lifetime of Session:
<?php
session_start();
// Save for one day
$lifeTime = 24 * 3600;
setcookie(session_name(), session_id(), time() + $lifeTime, "/" );
?>
In fact, Session also provides a function session_set_cookie_params(); to set the lifetime of Session. This function must be called before the session_start() function is called:
<?php
// Save for one day
$lifeTime = 24 * 3600;
session_set_cookie_params($lifeTime);
session_start();
$_SESSION ["admin"] = true;
?>
If the client uses IE 6.0, there will be some problems with the session_set_cookie_params(); function setting Cookie, so we still manually call the setcookie function to create it cookies.
What if the client disables Cookies? There is no way, the entire life cycle is the browser process. As long as you close the browser and request the page again, you have to re-register the Session. So how to pass Session ID? Passed through the URL or through a hidden form, PHP will automatically send the Session ID to the URL. The URL is in the form: http://www.openphp.cn/index.php?PHPSESSID=bba5b2a240a77e5b44cfa01d49cf9669, where the parameter PHPSESSID in the URL is Session ID, we can use $_GET to obtain the value, thereby realizing Session ID transfer between pages.
<?php
// Save for one day
$lifeTime = 24 * 3600;
// Get the current Session name, the default is PHPSESSID
$sessionName = session_name();
// Get the Session ID
$sessionID = $_GET[$sessionName ];
// Use session_id() to set the Session ID obtained
session_id($sessionID);
session_set_cookie_params($lifeTime); "admin"] = true;
?>
For virtual hosts, if all users' Sessions are saved in the system temporary folder, it will cause difficulty in maintenance and reduce the cost of maintenance. For security, we can manually set the save path of the Session file. session_save_path() provides such a function. We can point the Session storage directory to a folder that cannot be accessed through the Web. Of course, the folder must have read-write attributes.
$savePath = "./session_save_dir/";
// Save for one day
$lifeTime = 24 * 3600;
session_save_path($savePath);
session_set_cookie_params($lifeTime);
session_start( );
$_SESSION["admin"] = true;
?>
Like the session_set_cookie_params(); function, the session_save_path() function must also be called before the session_start() function is called.
We can also store arrays and objects in Session. There is no difference between operating an array and operating a general variable. When saving an object, PHP will automatically serialize the object (also called serialization) and then save it in the Session. The following example illustrates this:
<?php
class person
{
var $age;
function output() {
echo $this->age;
}
function setAge($age) {
$this->age = $age;
}
}
?>
setage.php
<?php
session_start();
require_once "person.php";
$person = new person();
$person->setAge(21);
$_SESSION[ 'person'] = $person;
echo "<a href='output'>check here to output age</a>";
?>
output.php
<?
//Set the callback function to ensure that the object is rebuilt.
ini_set('unserialize_callback_func', 'mycallback');
function mycallback($classname) {
$classname . ".php";
}
session_start();
$ person = $_SESSION["person"];
// Output 21
$person->output();
?>
When we execute the setage.php file, call Setage() method, set the age to 21, and serialize the status and save it in Session (PHP will automatically complete this conversion). When going to output.php, to output this value, you must deserialize it. Transform the object just saved, and because we need to instantiate an undefined class when deserializing, we define a later callback function that automatically includes the person.php class file, so the object is reconstructed and the current age is obtained. The value is 21, and then calls the output() method to output the value.
In addition, we can also use the session_set_save_handler function to customize the calling method of Session.