In PHP, reading session data requires a matching session_id. The session_id reaches the server in one of two ways:
1. In a cookie on the client
2. In the URL
First, the cookie on the client. After a server-side script starts the session, the session data is stored according to settings in php.ini; the relevant ones are:
session.save_handler names the handler that stores and retrieves the data associated with the session. The default is files. With session.save_handler = files PHP's built-in file storage is used; to store sessions some other way (for example in a database), register your own handler with session_set_save_handler().
session.save_path is the argument passed to the storage handler (note 1). With the default files handler it is the directory in which the session files are created. The default is /tmp; it can be changed, for example session.save_path = "e:/wamp/tmp", or from the script with session_save_path(), which must be called before session_start().
Example
Suppose the script is session.php:
<?php
session_save_path(getcwd() . "/session_folder"); // for convenience the session_folder directory was created beforehand
session_start();
$_SESSION['aa'] = 'bb';
$_SESSION['cc'] = 'dd';
After running it, look in the session_folder directory.
If several projects share one server, give each its own session.save_path. PHP's session garbage collection, which runs on a fraction of session_start() calls, deletes files in the save path that are older than session.gc_maxlifetime without caring which script created them: when project A's script runs, it may well delete session files written by project B's script. So each project takes a different session path, set before session_start(), and they no longer interfere with one another.
Look at the name of the session file: the long string after sess_ is the session_id, which can be read or set with session_id().
Open this file and look at its contents:
aa|s:2:"bb";cc|s:2:"dd";
This is the session data as written by the session serialization handler; the default handler is php (session.serialize_handler = php). Each entry is the key, a |, then the value in PHP serialize() format, with the entries written back to back.
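As an added example (not code from the original article), here is a decoder for that format written in PHP: it splits the file into key|value entries and parses the serialize() encoding of each value. PHP's own session_decode() does this inside an active session; a stand-alone decoder is what you reach for when reading a sess_ file offline, for example during an incident investigation. The sample input is constructed from the two entries above plus an integer, a boolean and a nested array, and the block cross-checks it against serialize(). Objects (O:) are deliberately rejected, so unlike unserialize() on untrusted input it never instantiates classes. Assumes PHP 7.1 or later.

```php
<?php
// Added example, not from the article: decode a session file written by the
// "php" serialize handler (key|<serialize()d value> entries, back to back).
// Requires PHP 7.1+. Objects (O:) are rejected, so nothing is instantiated.

function parse_session_value(string $s, int &$pos)
{
    if (!isset($s[$pos])) {
        throw new RuntimeException("unexpected end of data at offset $pos");
    }
    $type = $s[$pos];
    switch ($type) {
        case 'N':                                   // N;
            expect_at($s, $pos + 1, ';');
            $pos += 2;
            return null;
        case 'b':                                   // b:0; or b:1;
            expect_at($s, $pos + 3, ';');
            $v = $s[$pos + 2] === '1';
            $pos += 4;
            return $v;
        case 'i':                                   // i:<int>;
        case 'd':                                   // d:<float>;
            $end = strpos($s, ';', $pos);
            if ($end === false) {
                throw new RuntimeException("unterminated number at offset $pos");
            }
            $raw = substr($s, $pos + 2, $end - $pos - 2);
            $pos = $end + 1;
            return $type === 'i' ? (int)$raw : (float)$raw;
        case 's':                                   // s:<byte length>:"<bytes>";
            $colon = strpos($s, ':', $pos + 2);
            if ($colon === false) {
                throw new RuntimeException("bad string header at offset $pos");
            }
            $len = (int)substr($s, $pos + 2, $colon - $pos - 2);
            expect_at($s, $colon + 1, '"');
            $start = $colon + 2;
            $v = substr($s, $start, $len);          // length is in bytes, so any content is fine
            expect_at($s, $start + $len, '"');
            expect_at($s, $start + $len + 1, ';');
            $pos = $start + $len + 2;
            return $v;
        case 'a':                                   // a:<count>:{<key><value>...}
            $colon = strpos($s, ':', $pos + 2);
            if ($colon === false) {
                throw new RuntimeException("bad array header at offset $pos");
            }
            $count = (int)substr($s, $pos + 2, $colon - $pos - 2);
            expect_at($s, $colon + 1, '{');
            $pos = $colon + 2;
            $arr = [];
            for ($i = 0; $i < $count; $i++) {
                $k = parse_session_value($s, $pos); // keys are i: or s:
                if (!is_int($k) && !is_string($k)) {
                    throw new RuntimeException("bad array key at offset $pos");
                }
                $arr[$k] = parse_session_value($s, $pos);
            }
            expect_at($s, $pos, '}');
            $pos++;
            return $arr;
        default:                                    // O:, C:, r:, R: are unsupported on purpose
            throw new RuntimeException("unsupported type '$type' at offset $pos");
    }
}

function expect_at(string $s, int $pos, string $ch): void
{
    if (!isset($s[$pos]) || $s[$pos] !== $ch) {
        throw new RuntimeException("expected '$ch' at offset $pos");
    }
}

// Split "key|value" entries; the value is self-delimiting, so there is no separator.
function decode_session_file(string $data): array
{
    $out = [];
    $pos = 0;
    $len = strlen($data);
    while ($pos < $len) {
        $bar = strpos($data, '|', $pos);
        if ($bar === false) {
            throw new RuntimeException("missing '|' after offset $pos");
        }
        $key = substr($data, $pos, $bar - $pos);
        $pos = $bar + 1;
        $out[$key] = parse_session_value($data, $pos);
    }
    return $out;
}

// Constructed sample: the article's two strings plus an int, a bool and a nested array.
$sample = 'aa|s:2:"bb";cc|s:2:"dd";uid|i:42;admin|b:0;cart|a:2:{i:0;s:3:"sku";s:3:"qty";i:1;}';
$decoded = decode_session_file($sample);
var_dump($decoded);

// Cross-check: rebuilding the file with PHP's serialize() must give the same bytes.
$expected = ['aa' => 'bb', 'cc' => 'dd', 'uid' => 42, 'admin' => false, 'cart' => [0 => 'sku', 'qty' => 1]];
$rebuilt = '';
foreach ($expected as $k => $v) {
    $rebuilt .= $k . '|' . serialize($v);
}
if ($rebuilt !== $sample || $decoded !== $expected) {
    throw new RuntimeException('round-trip mismatch');
}
```

Run it with php decode.php against any sess_ file by replacing $sample with file_get_contents() of that file. The decoder refuses O: entries rather than skipping them; when a session file contains objects, that is worth knowing before deciding how to read it.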
After the browser requests this page, the server returns a response with headers like these:
Response header
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: keep-alive
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Fri, 14:55:24 GMT
Expires: Thu, 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=100
Pragma: no-cache
Server: Apache/2.4.9 (Win32) PHP/5.5.12
Set-Cookie: PHPSESSID=193tha35k5fj547nbj6o108as3; path=/
X-Powered-By: PHP/5.5.12
The highlighted line, Set-Cookie, is the cookie returned by the server.
This cookie is generated by PHP.
Name: PHPSESSID
PHPSESSID is the session name, set in php.ini as session.name = PHPSESSID; it can also be read or set with session_name().
Value: 193tha35k5fj547nbj6o108as3
This ID is also the suffix of the file name stored on the server side (sess_<id>).
Path: /
The path is also set in php.ini, session.cookie_path = /, and can be set with session_set_cookie_params() or read with session_get_cookie_params().
Next, the lifetime of this cookie; the quickest way is to look in the browser.
The expiry shown is "when the browser is closed".
This comes from session.cookie_lifetime in php.ini (session.cookie_lifetime = 0), the lifetime in seconds of the cookie sent to the browser; 0 means "until the browser is closed", and 0 is the default. It too can be read with session_get_cookie_params() or set with session_set_cookie_params().
Then I visited session.php again and read the cookie from JavaScript (document.cookie).
Data this important should not be readable by script: if the site has an XSS bug, injected script can send the session ID elsewhere. The fix is to make the cookie unreadable from JS by setting session.cookie_httponly = On in php.ini (the httponly option of session_set_cookie_params() does the same); the browser then keeps it out of document.cookie. Note that HttpOnly only hides the cookie from script; the browser still attaches it to every request, so it does not stop injected script from making requests in the user's name.
What if the user's browser has cookies disabled?
With cookies disabled and no further configuration, PHP cannot read the cookie, so it cannot find the session, because php.ini sets by default:
session.use_only_cookies = 1, meaning PHP will only accept the session ID from the PHPSESSID cookie. That is the safer setting and the one PHP recommends, so with cookies disabled the session cannot be reached.
If you nevertheless want to set and read session values with cookies disabled, PHP allows it; this is the second way of obtaining the session ID, through the URL.
php.ini has the option session.use_trans_sid.
With session.use_trans_sid = On the session ID can be passed in the URL. For example, when setting the session I put session_id() in a hidden form field:
<input type="hidden" name="<?php echo session_name() ?>" value="<?php echo session_id() ?>">
On the next request a URL such as http://php.com/session.php?PHPSESSID=p7iqqncndjmf13si9r6bafg1h1 reaches the session. It is very unsafe and strongly discouraged: whoever gets hold of the URL (from browser history, a Referer header or a server log) has the session. Worse, because the server adopts whatever ID the URL carries, an attacker can send a victim a link with an ID of the attacker's choosing and then share the session the victim logs into (session fixation).
The precondition for this configuration item is session.use_only_cookies = 0.
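Pulling together the cookie settings from the last two sections (httponly, use_only_cookies, use_trans_sid) and the per-project save path, here is an added example, not code from the article, of a hardened session bootstrap. It assumes PHP 7.3 or later for the array form of session_set_cookie_params() and its samesite option, HTTPS in front of the application for the secure flag, and a writable session_folder directory next to the script; the session name APPSESSID and the login() function are illustrative choices. session.use_strict_mode and session_regenerate_id() are not discussed above; they are included because they are the standard answer to the URL-borne-ID problem: the server stops adopting IDs it did not issue, and the ID changes at login.

```php
<?php
// Added example, not from the article: session settings collected in one place,
// all of them before session_start(). Assumes PHP >= 7.3 and HTTPS.

// Keep the session ID out of URLs: cookies only, no trans_sid.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject IDs the server never issued instead of adopting them.
ini_set('session.use_strict_mode', '1');
// Per-project directory, so another project's garbage collection cannot
// delete this project's files (assumed to exist and be writable).
session_save_path(__DIR__ . '/session_folder');
// A name other than the default PHPSESSID (illustrative).
session_name('APPSESSID');

session_set_cookie_params([
    'lifetime' => 0,        // 0 = until the browser is closed (the default)
    'path'     => '/',      // session.cookie_path
    'domain'   => '',       // current host only
    'secure'   => true,     // never sent over plain HTTP
    'httponly' => true,     // session.cookie_httponly: invisible to document.cookie
    'samesite' => 'Lax',    // not attached to cross-site POSTs
]);

session_start();

// Issue a fresh ID once the user authenticates, so an ID known before login
// is not the one used after it (illustrative function).
function login(string $user): void
{
    session_regenerate_id(true);   // true: delete the old session file
    $_SESSION['user'] = $user;
}

// Read back what will actually be sent, e.g. from a health-check endpoint.
$params = session_get_cookie_params();
printf("%s cookie: path=%s secure=%d httponly=%d samesite=%s\n",
    session_name(), $params['path'], $params['secure'], $params['httponly'], $params['samesite']);
```

The ini_set() calls take effect for this request only; the same values belong in php.ini for the whole server, where the article's settings live. Everything here must run before session_start(), which is the point at which PHP reads the cookie and sends Set-Cookie.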
Note 1
That is, session_set_save_handler() registers the handler; its callbacks, per the manual, are:
session_set_save_handler(callable $open, callable $close, callable $read, callable $write, callable $destroy, callable $gc [, callable $create_sid])
The first of these, open(string $savePath, string $sessionName), receives in $savePath the value of session.save_path.
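As an added example (not from the article or the manual), here is a handler implementing those callbacks through SessionHandlerInterface, which session_set_save_handler() accepts as a single object argument. It shows what arrives in open($savePath, $sessionName): the handler keeps each project's files in a subdirectory named after the session name, so one project's gc() never touches another's, which is the separation the save_path discussion above asks for. read(), write() and destroy() all go through one path() helper that validates the ID before using it in a file name, because the ID comes straight from the client's cookie or URL. Assumes PHP 8.0 or later (union return types) and a writable temporary directory; the class name DirSessionHandler is arbitrary.

```php
<?php
// Added example, not from the article: a minimal file-backed session handler
// registered with session_set_save_handler(). Requires PHP >= 8.0.

final class DirSessionHandler implements SessionHandlerInterface
{
    private string $dir = '';

    // $savePath is session.save_path (or what session_save_path() set);
    // $sessionName is session.name, e.g. PHPSESSID. Using the name as a
    // subdirectory keeps projects with different session names apart.
    public function open(string $savePath, string $sessionName): bool
    {
        $this->dir = rtrim($savePath, '/') . '/' . $sessionName;
        return is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }

    public function close(): bool
    {
        return true;
    }

    // The ID is attacker-controlled (cookie, or URL with trans_sid). Only the
    // characters PHP itself generates are accepted, so no "../" can reach
    // the file name.
    private function path(string $id): string
    {
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            throw new InvalidArgumentException('malformed session id');
        }
        return $this->dir . '/sess_' . $id;
    }

    public function read(string $id): string|false
    {
        $f = $this->path($id);
        if (!is_file($f)) {
            return '';                 // new session: empty payload, not an error
        }
        return file_get_contents($f);  // string, or false on I/O error
    }

    public function write(string $id, string $data): bool
    {
        return file_put_contents($this->path($id), $data, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $f = $this->path($id);
        return !is_file($f) || unlink($f);
    }

    // Called with session.gc_maxlifetime; only this directory is swept.
    public function gc(int $maxLifetime): int|false
    {
        $n = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $f) {
            if (filemtime($f) + $maxLifetime < time() && unlink($f)) {
                $n++;
            }
        }
        return $n;
    }
}

session_save_path(sys_get_temp_dir());             // assumption: writable tmp dir
session_set_save_handler(new DirSessionHandler(), true);
session_start();
$_SESSION['aa'] = 'bb';
session_write_close();                             // flushes through write()
echo "stored in ", sys_get_temp_dir(), "/", session_name(), "/sess_", session_id(), "\n";
```

The file written has exactly the aa|s:2:"bb"; layout shown earlier, because serialization is still done by session.serialize_handler; the handler only sees the finished bytes in write(). The 22-256 length bound in path() matches PHP's session.sid_length range and the older 26- and 32-character IDs alike.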
Most of the above is taken from the manual; the manual is more detailed, and its section on session security in particular deserves careful reading.
PHP session mechanism, from store to read