Session for PHP

Before you look at the session, hopefully you'll have time to get to the cookie mechanism, because part of the session is based on the cookie mechanism. Here's my blog about cookies:


http://blog.csdn.net/zch501157081/article/details/52028467

Unlike cookie technology, session data is stored on the server side. (This is the most essential difference between a cookie and a session, as the following is said)
So the session is how to distinguish which browser the conversation data belongs to.

One: The session data for different sessions is stored separately. exists in the session data area.

Two: For each data area, set a unique identity.

Third: The unique identification, assigned to the browser side, browser request to carry.

Visible, session technology, based on cookie technology. The identity of the session (Session-id) is stored in the browser's cookie.
So contrast with cookies:
Sessions session data itself, security is high (because he stores more data on the server side)
The amount of data to be carried on request, reduced. But I have to say that it will cause more or less pressure on the server.




Session Basic Operation Open Session

Only the core session function of session,php is turned on, in order to generate unique identification, assign identity to browser, store data to data area.

That

Managing session Data

Super Global array: $_session, complete all functions.
Check and delete and change





Note: Empty the session operation and delete all session data:

Note: This can not be used unset ($_session) to delete the session data, because he just deleted the $_session variable, and did not modify the session data area inside the value, so it can not be modified. The cycle of manipulating session files is mentioned below.


server-side session sessions data area

Default:
A separate session data area file stored in the temporary directory of the server-side operating system.

Storage mode (file), and its storage location (System temp directory) are configurable, configuration items: php.ini:
Way:

Position:

default annotation; Wamp in/wamp/tmp environment.


It is recommended that you modify it using Ini_set () instead of modifying the php.ini. The result of the modification is only valid for the current script cycle and does not affect other projects.


Modify Configuration:

Session-id stored in browser-side cookies

One : The browser side does not exist Session-id

When the browser requests to the server, it does not carry session-id.
The server side, because of its use of the session mechanism, generates Session-id, which is assigned to the browser side in response.

Second : The browser side already exists Session-id

When the browser makes a request to the server, it carries Session-id to the server side:
Server-side need to open the session mechanism, but because the browser has been carrying Session-id, there is no need to regenerate, directly using the browser to carry.

running process within the session cycle

As shown in the figure:

Is critical, indicating the running process within the session cycle, some of which will be mentioned below.

Points:
One: the determination of $sessionid

Two: $_session this variable, is initialized in the session_start () process (define and set the value)

Three: Only within the script cycle, operations $_session, rather than to manipulate the session data area.

Four: Only at the end of the script cycle will be processed in the current script cycle session data, stored to the session data
District.

Five: Each request is the same logic.

properties of Session data

Validity period, valid path, valid domain name, whether only secure connection transmission, whether it is HttpOnly


First: The session data is not like cookie data, and each value can set properties.
The properties of the session data are for all session data.

Second: The reason for the session data attribute is that the Session-id property stored in the browser-side cookie is caused.
Refers to the property of the cookie variable: phpsessid=xxxxxxxxxx, which affects the properties of the session data associated with it.





The above defaults are all made up of PHP's configuration items: php.ini: (The following can be found in the php.ini, given are the default values)

Session-id the name (key) of this cookie variable: session.name=phpsessid

Validity period: Session end (browser shutdown): session.cookie_lifetime=0;

Valid path: Valid path for session, full station valid. Session.cookie_path =/;

Valid domain name: current domain name session.cookie_domain =;

is only secure connection transfer: No. Session.cookie_secure =;

Whether it is httponly: no session.cookie_httponly =;


So how do you modify the properties of this cookie variable

1. Modify PHP.ini (not recommended)
2. Ini_set () before opening session. Each time before the session is opened.
3. Session_set_cookie_params ();(recommended)
The session mechanism is a function created specifically to set the properties of a cookie.
The grammar is simple to write.
Session_set_cookie_params (validity, valid path, valid domain, whether secure, whether HttpOnly);

Common modifications: Valid domain names and httponly

support for data types

Session support for a variety of data types, are supported. In addition to resources.

Visible, all types can be stored.


However, when you get the objects stored in the session, you must have the definition of the class to be available:
Otherwise the class will become like this

Destroy session

The function was called:
Session_destroy ()
The destruction session was performed.

The destroy session contains two jobs:

First: Delete the corresponding data area (file)
Second: Close session.

Session_destroy () simply deletes the corresponding data area file and does not delete the $_session variable.
The test is as follows:

Refresh once again:
There's no data.

Why does this happen, please refer to the running flowchart within the session cycle, when the session_start () is executed, the server takes the session content out of the file and assigns it to $_session, and Session_destroy () does not delete \$_ Session this variable, so the output will still have a value. (The next cycle will not have a value passed into the \$_session value).

then how to completely delete the content related to the current session.

You must delete the session file, $_session the variable, Session-id in the cookie

As follows

Session of garbage collection, GC

PHP session function, will automatically delete those expired server-side sessions data area files.


how to judge rubbish.

Determines whether the data area file is more than how long it has not been used. The default is 1440s.
This value can be configured:

In conjunction with, the last modification time, calculate whether expires. (Last activation time, as long as it is active (browser carrying SessionID access server) all at once)

how to delete.

When the session mechanism is opened. When executing session_start (), there is a probability to perform an operation to delete the expired session data area file. The default probability: 1/1000. Determined by the following configuration:
Possibility:

Cardinality (divisor):

That is, the default 1/1000 probability. Some people will say the probability is very small, but have to consider your one click will trigger a session_start.

Of course, you can also make changes according to your needs.

how to persist session

Persistent browser-side Session-id:
Session_set_cookie_params (3600)
Persistent server-side session data area:
Ini_set (' session.gc_maxlifetime ', ' 3600 ');

Cookie Disabled, session is available

No use.
But theoretically, it's possible.
Try to use non-cookies, to the server side, each request to pass Session-id.
Get,url
POST, the form element.
PHP supports this configuration and supports obtaining Session-id from the URL or form post data. and support automatically after URL and form, increase session-id data, automatic transmission:
This is to be configured in the php.ini, not in detail here. (It really doesn't work very often).

Some security measures for the session can be viewed
Http://netsecurity.51cto.com/art/201402/428721.htm