Detailed explanation of PHP-session case

This time I will bring you a detailed explanation of the PHP-session case. What are the precautions when using PHP-session? The following is a practical case, let’s take a look.

Cookie and session are two concepts that are easily confused by newbies in web development. Clarifying the two will help to better understand web interaction. Personally, I think the main differences between session and cookie are as follows:

cookie

The information is saved on the client

The client is responsible for the specific implementation

The size and quantity of data are generally limited

Data is easily stolen and tampered with

session

Data is saved on the server

The server is responsible for the specific implementation

In principle, the size and quantity of data are unlimited

High security and strong credibility

In the narrow sense, session refers to The session ID and associated data in the web session. In a broad sense, session refers to the interactive session between the communicating parties. For example, User login is a session interaction, withdrawing money from an ATM is a session interaction, etc.

Details of session

The main function of session is to identify a session and save data during the session. The following are some details of the session.

Access

PHP obtains and stores all data in the session through $_SESSIONSuper global variables. $_SESSION is an array that can be easily assigned and read. For example:

$name = $_SESSION['NAME'];  // 读取session中的name值
$_SESSION['NAME'] = 'new name';   // 赋新值
unset($_SESSION['NAME']);     // 移除session中的值

Expiration time

The data in the default session may be deleted after the session times out. Removed, depending on whether PHP runs garbage collection in a timely manner. Since the coefficient of PHP running garbage collection is the number of requests, the consequences are: 1. The session data of low-traffic sites is not removed for a long time after timeout; 2. High-traffic sites frequently perform session garbage collection; 3. Running garbage Users who encounter a garbage collection running may experience a system delay before the collection executes the user's request. A better solution is to disable PHP's default garbage collection and execute the session_gc function regularly with a cron task. This not only ensures the timeliness of the session, but also improves performance and user experience.

To manually remove data in the session, you can use unset to remove a single data item, or the session_destroy function to violently delete all data.

Storage media and serialization

The data in the session is saved on the disk in the form of a file by default. When the session is opened, Read the fileThe content is reversed Serialize and then populate the $_SESSION array. In high-traffic sites, the directory where session files are stored will contain a large number of small files, which will cause a heavy IO burden on the file system.

The handler in the session module can specify the data storage method, such as storing it in a database, redis/memcache and other media. PHP's built-in handlers include files (default), redis and memcache. Users can register their own handler through session_set_save_handler.

The data stored in the session may be basic types such as string, or complex types such as arrays and objects. The serialize_handler in the session settings is used to set the handler for serialization and deserialization. After the hanlder serializes the data, it is handed over to the save_handler for saving. It can be seen from serialization that types such as resources cannot and should not be saved in the session. The idea of ​​saving a DB connection handle to the session and then taking it out for use 10 minutes later should be discarded as soon as possible.

session setting name

Since http is a stateless protocol, the client needs to carry the session id when requesting in order for the server to distinguish the session. The default name that identifies the session id is PHPSESSID. You can use session_name to set other names. For example, in order to prevent attackers from guessing that the backend is a PHP language system, you can set the name of the session id to JSESSIONID to confuse attackers.

session automatically opens

The current mainstream PHP version will not automatically open the session by default. For example, a visitor just looks at the page and then leaves. If the session is automatically opened, the session ID will be sent to the client after a series of initialization operations so that the user can be identified the next time he visits. For one-time visitors, or non-system logged-in users, these operations will only bring additional overhead.

The disadvantage of not automatically opening the session is that before using the session, make sure the session is open, otherwise you may get empty data. If the default session name is renamed, session_name needs to be called before session_start to indicate the currently used session name.

Distributed session

For sites with large traffic, there is often more than one PHP server providing services on the back end. If the user's multiple requests do not land on the same server and the server's session data is not shared, the user may be required to log in repeatedly. The solution to this problem can be done by request distribution on the front end, or by setting up a distributed shared session on the back end.

In systems that save session data in the form of files, you can specify a directory as a shared directory, and all server sessions are saved in this directory; in systems that store sessions in redis/memcache/db, etc., Session sharing can be achieved by configuring connections to the same session server. In a system built with session sharing, the front-end load balancer can distribute requests to any server at will.

I believe you have mastered the method after reading the case in this article. For more exciting information, please pay attention to other related articles on the php Chinese website!

Recommended reading:

Detailed explanation of PHP ajax implementation of obtaining news data case

php curl batch processing to achieve controllable concurrency and asynchronous Detailed explanation of operation cases

The above is the detailed content of Detailed explanation of PHP-session case. For more information, please follow other related articles on the PHP Chinese website!