Session learning in PHP

This article mainly introduces the session learning in PHP. It has certain reference value. Now I share it with you. Friends in need can refer to it.

Cookies and sessions are easy to confuse for newbies in web development. Two concepts, clarifying the two will help to better understand web interaction. Personally, I think the main differences between session and cookie are as follows:

cookie

The information is saved on the client

The specific implementation is determined by the client The end is responsible

The size and quantity of data are generally limited

Data is easily stolen and tampered

session

Data is saved on the server side

The server is responsible for the specific implementation

In principle, the size and quantity of data are unlimited

High security and strong credibility

Session in the narrow sense refers to the session id and associated data in the web session, and session in the broad sense refers to the interactive session between the communicating parties. For example, user login is a session interaction, withdrawing money from an ATM is a session interaction, and so on.

Details of session

The main function of session is to identify a session and save data during the session. The following are some details of the session.

Access

PHP obtains and stores all data in the session through the $_SESSION super global variable. $_SESSION is an array that can be easily assigned and read, for example:

$name = $_SESSION['NAME'];  // 读取session中的name值
$_SESSION['NAME'] = 'new name';   // 赋新值
unset($_SESSION['NAME']);     // 移除session中的值

Expiration time

Data in the default session may be removed after the session times out, depending on whether PHP runs garbage collection in time. Since the coefficient of PHP running garbage collection is the number of requests, the consequences are: 1. The session data of low-traffic sites is not removed for a long time after timeout; 2. High-traffic sites frequently perform session garbage collection; 3. Running garbage Users who encounter a garbage collection running may experience a system delay before the collection executes the user's request. A better solution is to disable PHP's default garbage collection and execute the session_gc function regularly with a cron task. This not only ensures the timeliness of the session, but also improves performance and user experience.

To manually remove data in the session, you can use unset to remove a single data item, or the session_destroy function to violently delete all data.

Storage media and serialization

The data in the session is saved on the disk in the form of a file by default. When the session is opened, the file content is read and deserialized, and then $ is filled. _SESSION array. In high-traffic sites, the directory where session files are stored will contain a large number of small files, which will cause a heavy IO burden on the file system.

The handler in the session module can specify the data storage method, such as storing it in a database, redis/memcache and other media. PHP's built-in handlers include files (default), redis and memcache. Users can register their own handler through session_set_save_handler.

The data stored in the session may be basic types such as strings, or complex types such as arrays and objects. The serialize_handler in the session settings is used to set the handler for serialization and deserialization. After the hanlder serializes the data, it is handed over to the save_handler for saving. It can be seen from serialization that types such as resources cannot and should not be saved in the session. The idea of ​​saving a DB connection handle to the session and then taking it out for use 10 minutes later should be discarded as soon as possible.

session setting name

Since http is a stateless protocol, the client needs to carry the session id when requesting in order for the server to distinguish the session. The default name that identifies the session id is PHPSESSID. You can use session_name to set other names. For example, in order to prevent attackers from guessing that the backend is a PHP language system, you can set the name of the session id to JSESSIONID to confuse attackers.

session automatically opens

The current mainstream PHP version will not automatically open the session by default. For example, a visitor just looks at the page and then leaves. If the session is automatically opened, the session ID will be sent to the client after a series of initialization operations so that the user can be identified the next time he visits. For one-time visitors, or non-system logged-in users, these operations will only bring additional overhead.

The disadvantage of not automatically opening the session is that before using the session, make sure the session is open, otherwise you may get empty data. If the default session name is renamed, session_name needs to be called before session_start to indicate the currently used session name.

Distributed session

For sites with large traffic, there is often more than one PHP server providing services on the back end. If the user's multiple requests do not land on the same server and the server's session data is not shared, the user may be required to log in repeatedly. The solution to this problem can be done by request distribution on the front end, or by setting up a distributed shared session on the back end.

In systems that save session data in the form of files, you can specify a directory as a shared directory, and all server sessions are saved in this directory; in systems that store sessions in redis/memcache/db, etc., configure the connection to Session sharing can be achieved with the same session server. In a system built with session sharing, the front-end load balancer can distribute requests to any server at will.

Related recommendations:

Getting PHP login session

PHP realizes multi-server SESSION sharing

The above is the detailed content of Session learning in PHP. For more information, please follow other related articles on the PHP Chinese website!