Strictly control the instance for session timeout in php

In php, the session times out in 30 minutes by default, but sometimes it automatically times out in less than 30 minutes. This is inconvenient for many operations. Let's take a look at the solution to the 30-minute timeout.

First answer

The most common answer is: Set the Session expiration time, that is, session. gc_maxlifetime. This answer is incorrect for the following reasons:

1. first, PHP runs the session gc with a certain probability, that is, the session. gc_probability and session. gc_divisor (For details, refer to a small probability Notice of Session Gc for a deep understanding of PHP Principles). The default values are 1 and 100, which means there is a 1% chance, PHP will run Session gc when a Session is started. it cannot be guaranteed that it will expire in 30 minutes.

2. What about setting a high probability of cleaning? Why? Because PHP uses the modification time of the stat Session file to determine whether the file has expired. If this probability is increased, the performance will be reduced, PHP uses a "one" file to store Session variables related to a Session. Suppose I set a Session variable a = 1 five minutes ago, five minutes later, another Seesion variable B = 2 is set. The modification time of this Session file is the time when B is added, so a cannot be at 30 minutes, cleared. the third reason is as follows.

3. The default PHP (Linux as an example) is to use/tmp as the default Session storage directory, which is also described in the Manual as follows:

Note: If different scripts have different session. gc_maxlifetime values but share session data stored in the same place, the script with the minimum value clears the data. In this case, use this command with session. save_path.

 

That is to say, if two applications do not specify their own independent save_path, one is set to 2 minutes (assumed as A), and the other is set to 30 minutes (assumed as B ), when Session gc of A is run, Session files of application B will be deleted at the same time.

Therefore, the first answer is not "completely strict.

Second answer
Another common answer is: Set the carrier of the Session ID, and the Cookie expiration time, that is, session. cookie_lifetime. This answer is also incorrect, for the following reasons:

This expiration only indicates that the Cookie expires. In other words, the difference between the Cookie and the Session is that the Session expires on the server and the Cookie expires on the client (browser, even if you set Cookie expiration, this can only ensure that the Cookie (including Session ID) will not be sent when the standard browser expires. If you construct a request, you can also use the value of this Session ID.

Third answer
The use of memcache, redis, and okey is a correct answer. However, it is clear that the question will be followed up to ask you, what if you just use PHP?

Fourth answer
Of course, the interview is not for you, but for the sake of observing the closeness of thinking. In this process, I will prompt these traps, so in general, the practice that fits the meaning of the question is:

1. Set the Cookie expiration time to 30 minutes, and set the Session life time to 30 minutes.

2. Add Time stamp for each Session value.

3. Determine the timestamp before each access.

For foreign websites, refer to session. gc_maxlifetime.

Session. gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and potentially cleaned up. garbage collection may occur during session start (depending on session. gc_probability and session. gc_divisor ).
Note:

If different scripts have different values of session. gc_maxlifetime but share the same place for storing the session data then the script with the minimum value will be cleaning the data. in this case, use this directive together with session. save_path.

Note: If you are using the default file-based session handler, your filesystem must keep track of access times (atime ). windows FAT does not so you will have to come up with another way to handle garbage collecting your session if you are stuck with a FAT filesystem or any other filesystem where atime tracking is not available. since PHP 4.2.3 it has used mtime (modified date) instead of atime. so, you won't have problems with filesystems where atime tracking is not available.

Session. referer_check string
Session. referer_check contains the substring you want to check each HTTP Referer. if the Referer was sent by the client and the substring was not found, the embedded session id will be marked as invalid. ults to the empty string.
Session. entropy_file string
Session. entropy_file gives a path to an external resource (file) which will be used as an additional entropy source in the session id creation process. examples are/dev/random or/dev/urandom which are available on customized Unix systems. this feature is supported on Windows since PHP 5.3.3. setting session. entropy_length to a non zero value will make PHP use the Windows Random API as entropy source.
Session. entropy_length integer
Session. entropy_length specifies the number of bytes which will be read from the file specified above. Defaults to 0 (disabled ).
Session. use_cookies boolean

PHP principle-a small probability of Session Gc Notice

If PHP installed with apt is used in ubuntu/Debian, this prompt may be reported when Session is used.

PHP Notice: session_start (): ps_files_cleanup_dir:

Opendir (/var/lib/php5) failed: Permission denied (13)

In/home/laruence/www/htdocs/index. php on line 22 <li>

 

This is because, in PHP, if file_handler is used as the save handler of the Session, the Gc process of the Session will be run at each session_start.