How to keep the session in PHP the principle and scheme introduction of _php

Source: Internet
Author: User
Keywords Php session Expired
Tags http cookie php development environment
How to keep the session in PHP and some thoughts caused by this recent project, there is a relatively large form, the user to complete it takes a lot of time, a lot of users spent the arduous completion, a submission found the session expired, the system exited, So the need to study how to set up a session and keep the session online is a bit of an experience.

What is a session?
As explained by the wiki, the session is an interactive message that exists between two communication devices, established at a certain time, and fails after a certain amount of time. Common sessions are: TCP session, WEB session (HTTP session), LOGIN session, and so on.

According to the OSI model, the sessions are implemented in different locations, the session is divided into several, one is the application layer session, including the Web session (HTTP session) and Telnet Telnet session, the session layer is implemented, including sessions Initiation Protocol (SIP) and Internet Phone Call, there is a TCP SESSION implemented at the transport layer.

This article mainly discusses the web session, which generally have two kinds: client session and server side session, the latter is the most common Java beans provided.

What does the session do?
In the computer field, especially in the network, the session is used in a very wide range, also can be called Dialogue (dialogue), conversation, etc., generally refers to the two communication devices stored between the state, and sometimes occurs between the user and the computer (Login SESSION).

Unlike stateless communication, the session is typically used to store communication states, so that at least one party in the communication needs to store the history of the session, thus enabling communication between the two.

How does the session (WEB session) be implemented?
When HTTP communication occurs between the browser and the server, it usually contains an HTTP Cookie to identify the state, usually with a unique SESSIONID, and the session usually records some of the user's authentication information and levels.

The most commonly used HTTP Session token in several programming languages is Jsessionid (JSP), Phpsessid (PHP), ASPSessionID (ASP), which is typically generated by a hash function that uniquely represents the user's identity, When the server communicates with the client, it is stored as a GET or post parameter on the client.

There are two ways to implement a session, server-side session and client session, both of which have advantages and disadvantages.

The server-side session is easy and efficient, but when it comes to load balancing or high availability requirements, it is difficult to deal with, and is not available when there is no storage device in the native system. Load balancing can be achieved by sharing a file system or forcing a client to log on to only one server, but this reduces efficiency. For devices that do not have storage, you can also use RAM (refer to reference 6) to resolve server-side session implementations, which are valid for systems that have limited client links (such as routing or access point devices).

The use of the client session can solve some problems of server-side session, such as avoiding the load balancing algorithm, but at the same time will produce some of their own problems. The client session uses cookies and encryption techniques to save state between different requests. At the end of each dynamic page, the current session is counted and sent back to the client. After each successful request, the cookie is sent back to the server to let the server "Remember" the user's identity. Client session The most important issue is security, and once the cookie is hijacked or tampered with, the security of the user's information is lost.

How do I set the session in PHP?
after setting up the PHP development environment, you can view the session-related sections through Phpinfo () including:
Session module, in PHP V5.2.9 version, there are 25 variables. Some of the usual settings are:
copy Code code as follows:
Session.cookie_lifetime set the cookie expiration time for storage SessionID
Session.name The cookie name for session, which defaults to PHPSESSID
Session.save_handler session, default to file
Session.save_path fedora is stored by default in/ Var/lib/php/session
session.gc_probability
Session.gc_divisor
Session.gc_maxlifetime These three options are used to deal with the probability of a GC mechanism occurring
Session.cache_limiter (nocache,private,private_no_expire,public)
Session.cache_expire These two options are used to cache the session's page

first to consider the first question, how long the session will expire, how did he expire? If you want to use the session in a PHP program, you must first refer to Session_Start (), the function is executed, it will be stored in the Session directory (if you use file handler) to generate a session file, the contents are empty, At the same time, the browser meets a cookie named Phpsessid, which stores the name of a hash session.

The expiration of the session depends on a garbage collection mechanism (garbage Collection), after the session is created as a file on the server, the client script each access to the session variable, session file access time will be updated. Each access is based on the client storage SessionID to request the server to store the unique session, when the client's cookie expires, there is no way to know which session to access, although the session file on the server has not been expired back, This can cause a waste of server resources.

But at the same time, if we want the user's session to expire immediately, we can do so by setting a cookie. Session recycling is done every time the page is visited, the probability of recycling is specified by Session.gc_probability,session_gc_divisor, the default is 1/100. If set to 1, the session must be reclaimed each time it exceeds the lifetime of the session to access it.

Two types of requirements:
1. Keep the session out of date or extend the session expiration time;
2. Expire the session immediately.

1. It is necessary to keep the session out of date and extend the session expiration time, especially in internal application systems or with large forms. Think of your boss in filling out a form, just meet lunch time, keep this form and so eat back, fill out the remaining content, submitted after he saw what, generally speaking is a login interface. To improve the user experience, the key is to make the boss's form a problem, we must extend the session's life cycle.

Keeping the session out of date and extending the session expiration time can be achieved by setting up Session.gc_maxlifetime, but first you need to ensure that the client's cookie does not expire before the GC performs the collection. By setting a longer gc_maxlifetime, you can extend the lifetime of the session, but for applications that are not always long-lasting, this is obviously not the best choice for a server configuration.
We know that the session's recovery mechanism is based on the last access time of the session file, and if it exceeds the maxlifetime, it is recycled according to the probability of recovery. So we just have to visit the session on a regular basis, and this can be done by refreshing the page, according to this idea, the solution is there.

To visit the page by JS regularly;
Use the IFRAME to refresh the page periodically;

The direct use of the program to send HTTP requests, so as to avoid embedding other elements in the page;

The following is the implementation of the hold session implementation using JS send request, so that we only need to maintain a long session of the page (such as large form page).
Copy the Code code as follows:



The URL after which a random number is added is to avoid this link request is cached by the browser.

2, so that the session immediately expires the method is more, we can Session_destroy (), can also use the above ideas, request a Session_destroy page.

Is the session safe?
The PHP Handbook explicitly writes: The session does not guarantee that the information stored in the session must be seen by his creator.

If you want to handle some remote operations safely, then HTTPS is the only option. Most basic, do not think that a user information in the session exists that the user must be himself, although the session of the information will give you he has been through the user name and password Authentication illusion. So, if you need to do some change password or similar things, let the user re-enter the password is a better choice.

Earlier versions of Apache did not use cookies to store PHPSESSID, but instead used the Url-rewrite, which, after each URL, would add phpsessid= to indicate that it belonged to the active session. The new version of Apache has set this property to off by default.
Copy the Code code as follows:
session.use_trans_id = 0;

So in this sense, extending the session for too long or keeping the session online is never a good thing for security. The ultimate solution is the user commits to jump to the login window, log in and back to fill the page, and all the data are still there. This implementation is now using AJAX to solve it should be no difficulty, every time at a certain point in the current user data post to a storage location, whether it is XML or JSON.

Supplements
You can use the method for scenarios where the client does not support javascript:
1, write a floating layer, shown in the topmost layer, if the user did not disable JS, then let the floating layer disappear;
2, all the input is set to disable, and then use JS set to Enabled;
Both of these methods are in the JS is disabled, all the functions are not available, how to use JS is disabled to make our application still working normally, this seems to be more difficult. The time it takes to achieve this and the effect you receive are weighed down.

  • Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.