
Detailed explanation of php session mechanism (generation mechanism, recycling mechanism and storage mechanism)

WBOY (Original)
2016-07-25 08:52:47
This article introduces in detail the relevant knowledge of the session generation mechanism, recycling mechanism and storage mechanism in PHP, and provides an in-depth understanding of the operating mechanism of PHP session. Friends in need can refer to it.

Contents of this section: php session mechanism

The usage of session in PHP is a must-have in many PHP tutorials. In this section, we will delve into the generation mechanism, recycling mechanism and storage mechanism of session in PHP to raise the understanding of session to a higher level.

The following content is collected and organized by (bbs.it-home.org).

1. Session generation mechanism in php

How to generate a session in php?

The purpose of a session is to maintain state for each user and make up for the shortcoming of the HTTP protocol (it is stateless). The session is saved on the server. Since it is used to maintain the state of each user, what does it use to tell users apart? This is where cookies come in. When session_start(); is called in the code, PHP generates two things: a file in the session storage directory (default is /tmp/) and a cookie in the client's cookie directory.

The session file name is like this: [screenshot: php session mechanism]

The format is sess_{SESSIONID}. At this time, there is no content in the session file. When these two lines of code are added after session_start();:

$_SESSION['name'] = 'wanchun0222';
$_SESSION['blog'] = 'coderbolg.net';

The file now has content:

name|s:11:"wanchun0222";blog|s:13:"coderbolg.net";

Look at the cookies again: [screenshot: php session mechanism]

You can see that the server automatically generated a cookie for us. The cookie name is "PHPSESSID" and the cookie content is a string of characters. This string is the {SESSIONID}. In other words, when we use a session, PHP first generates a unique SESSIONID (such as 2bd170b3f86523f1b1b60b55ffde0f66), then creates a file named sess_{SESSIONID} in the server's default directory, and at the same time sets a cookie on the current user's client whose content is that SESSIONID. In this way, PHP generates one SESSIONID for each user, which means one session file for each user.

PHP writes a cookie to the client the first time it uses a session for a user. On later visits, the browser sends this cookie back. PHP reads the SESSIONID from the cookie and uses it to look up the matching session file in the session directory. Once the file is found, its stored value is returned when $_SESSION['blog'] is read.
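The steps above can be observed directly. This is an added example, not code from the original article: it starts a session from the CLI, confirms that the file sess_{SESSIONID} exists and is empty, writes the two values and reads the file back together with its permissions. The function name and the demo directory are assumptions, and the default "files" save handler is assumed.

```php
<?php
// Added example (not from the original article). Run from the CLI.
// Assumes the default "files" save handler; the directory name is constructed.

function inspect_new_session(array $data): array
{
    // Use a private directory rather than the shared default (/tmp).
    $dir = sys_get_temp_dir() . '/sess_demo_' . bin2hex(random_bytes(4));
    mkdir($dir, 0700);
    session_save_path($dir);          // must be set before session_start()

    session_start();                  // generates the SESSIONID and an empty file
    $id   = session_id();
    $file = $dir . '/sess_' . $id;    // sess_{SESSIONID}
    $emptyAtStart = filesize($file) === 0;

    foreach ($data as $key => $value) {
        $_SESSION[$key] = $value;
    }
    session_write_close();            // serialize $_SESSION into the file
    clearstatcache();                 // drop the cached size and mode

    return [
        'id'             => $id,
        'file'           => $file,
        'empty_at_start' => $emptyAtStart,
        'contents'       => file_get_contents($file),
        'file_mode'      => sprintf('%o', fileperms($file) & 0777),
        'dir_mode'       => sprintf('%o', fileperms($dir) & 0777),
    ];
}

print_r(inspect_new_session(['name' => 'wanchun0222', 'blog' => 'coderbolg.net']));
```

Anyone who can read the session directory can read both the session data and the SESSIONID in the file name, which is why the example uses a directory that only the PHP user can access.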

2. Session expiration recycling mechanism in php

Once the generation and working principle of sessions are understood, it becomes clear that many session files will accumulate in the session directory.

Of course, these files must not exist forever, so PHP provides an expiration recycling mechanism. In php.ini, session.gc_maxlifetime sets the survival time for the session (default is 1440s). If the time since the last update of the session file exceeds the survival time, the session file is considered expired. It will be deleted the next time sessions are recycled. When does the next recycling happen? This is related to the number of PHP requests. In the internal mechanism of PHP, when PHP is requested n times, the recycling mechanism will be triggered once.

How many requests it takes to trigger recycling is controlled by the following two parameters:

session.gc_probability = 1
session.gc_divisor = 100

This is the default setting in php.ini. The probability that a request triggers recycling is gc_probability/gc_divisor, so with these values one recycling occurs about every 100 PHP requests.

We have learned about the session expiration mechanism on the server side; now let's look at the cookie expiration mechanism on the client side. If the cookie expires, the browser will not send it to the server. At that point the server's session file is useless even if it still exists, because PHP does not know which session file to read.

PHP's cookie expiration time is set when the cookie is created, so what is the lifetime of the cookie that PHP creates for the client when it creates the session? This is set in php.ini: session.cookie_lifetime. This value defaults to 0, which means that the SESSIONID becomes invalid as soon as the browser is closed. Setting session.gc_maxlifetime and session.cookie_lifetime to the same value can control the session expiration time.
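Because recycling is triggered by chance, a session file that is past gc_maxlifetime stays loadable until a recycling run actually deletes it. The added example below (not from the original article) enforces the idle limit in application code and lists the files that are waiting for recycling; the 'last_seen' key and the function names are assumptions, and it assumes the "files" handler with a plain directory as the save path.

```php
<?php
// Added example (not from the original article).
// Assumes the "files" save handler and a save path that is a plain directory.

/** Returns false (and resets the session) if it sat idle longer than $limit seconds. */
function enforce_idle_timeout(int $now, int $limit): bool
{
    $last  = $_SESSION['last_seen'] ?? $now;   // 'last_seen' is a hypothetical key
    $fresh = ($now - $last) <= $limit;
    if (!$fresh) {
        $_SESSION = [];                        // drop the stale data
        session_regenerate_id(true);           // new id, old session file deleted
    }
    $_SESSION['last_seen'] = $now;
    return $fresh;
}

/** Lists session files that are past $maxLifetime but not yet recycled. */
function expired_session_files(string $dir, int $maxLifetime, int $now): array
{
    $expired = [];
    foreach (glob($dir . '/sess_*') ?: [] as $file) {
        $mtime = @filemtime($file);            // the file may vanish between glob and stat
        if ($mtime !== false && $now - $mtime > $maxLifetime) {
            $expired[] = basename($file);
        }
    }
    return $expired;
}

/** Chance that a single request triggers recycling: gc_probability / gc_divisor. */
function gc_chance(): float
{
    $divisor = (int) ini_get('session.gc_divisor');
    return $divisor > 0 ? (int) ini_get('session.gc_probability') / $divisor : 0.0;
}

session_start();
$limit = (int) ini_get('session.gc_maxlifetime');   // 1440 seconds by default
$valid = enforce_idle_timeout(time(), $limit);
$dir   = session_save_path() ?: sys_get_temp_dir();

printf("GC chance per request: %.2f\n", gc_chance());
printf("session still valid: %s\n", $valid ? 'yes' : 'no');
printf("expired files awaiting GC: %d\n", count(expired_session_files($dir, $limit, time())));
```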

3. Client storage mechanism of session in php

If the user turns off cookies, the session will not work at all. Is the client-side storage mechanism of session in php only cookies? No. When the sessionid cannot be passed to each page through cookies, there is another tool: passing the value through the page's GET parameters. PHP can automatically pass the sessionid across pages through the GET method when cookies are disabled, provided that session.use_trans_sid in php.ini is set to 1.

In this case, when a session is used while cookies are disabled on the client and the user clicks a link from the current page to another page, php automatically adds the sessionid parameter to the link, like this: nextpage.php?sessionid=2bd170b3f86523f1b1b60b55ffde0f66.

Disadvantages: Not safe enough.
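A session id carried in a link ends up in server logs, browser history, Referer headers and copied URLs, so it is easier to expose than a cookie value. The added example below (not from the original article) starts the session with URL passing disabled and cookie-only, strict-mode handling enabled; the function names are assumptions, and 'cookie_secure' assumes the site is served over HTTPS.

```php
<?php
// Added example (not from the original article): keep the session id out of URLs.

/** True if the request tries to supply a session id outside the cookie. */
function session_id_in_request(): bool
{
    $name = session_name();                  // "PHPSESSID" by default
    return isset($_GET[$name]) || isset($_POST[$name]);
}

function start_hardened_session(): void
{
    session_start([
        'use_trans_sid'    => 0,             // never append the id to links
        'use_only_cookies' => 1,             // ignore ids supplied via GET/POST
        'use_strict_mode'  => 1,             // reject ids the server did not issue
        'cookie_httponly'  => 1,             // hide the cookie from JavaScript
        'cookie_secure'    => 1,             // send the cookie over HTTPS only
        'cookie_samesite'  => 'Lax',         // PHP 7.3+
        'cookie_lifetime'  => 0,             // cookie ends with the browser session
    ]);
}

/** Hypothetical hook: call once the user has authenticated. */
function on_login(string $user): void
{
    session_regenerate_id(true);             // fresh id after login, old file deleted
    $_SESSION['user'] = $user;
}

if (session_id_in_request()) {
    // Worth logging: legitimate clients of this configuration never do this.
    error_log('session id supplied via GET/POST from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
}
start_hardened_session();
```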


