Strict control of PHP session timeout: an example (PHP tutorial)

Source: Internet
Author: User
Tags php session
PHP sessions time out after 30 minutes by default, but sometimes a session does not actually time out automatically at 30 minutes, which is inconvenient for many operations. Let us look at how to enforce a 30-minute timeout.

The first kind of answer

The most common answer is: set the session expiration time, that is, session.gc_maxlifetime. This answer is not correct, for the following reasons:

1. First, PHP runs the session GC only with a certain probability, controlled by session.gc_probability and session.gc_divisor (see "PHP principles: a low-probability notice from the session GC"). Their default values are 1 and 100, which means there is a 1% chance that PHP will run the session GC when a session starts. So there is no guarantee that a session will expire at 30 minutes.

2. What if we raise the probability so that cleanup is very likely? That is still inappropriate. Why? PHP uses stat to read the session file's modification time and decide whether the session has expired, so raising the probability degrades performance. Secondly, PHP keeps all the variables of one session in a single file. Suppose I set a session variable a=1 five minutes ago and set a session variable b=2 five minutes later: the session file's modification time is then the moment b was added, so a cannot be cleared when its own 30 minutes are up. There is also a third reason.

3. By default (on Linux, for example) PHP uses /tmp as the session storage directory, and the manual has the following note:

Note: If different scripts have different values of session.gc_maxlifetime but share the same place for storing the session data, then the script with the minimum value will be cleaning the data. In this case, use this directive together with session.save_path.

That is, if two applications do not each specify their own save_path, and one sets the expiration time to 2 minutes (call it A) while the other sets it to 30 minutes (call it B), then every time A's session GC runs it will also delete the session files that belong to application B.

So the first answer is not "completely strictly" correct.

The second kind of answer
Another common answer is: set the expiration time of the cookie that carries the session ID, that is, session.cookie_lifetime. This answer is also incorrect, for the following reasons:

This expiration is only the cookie's expiration. In other words, the question tests the difference between a cookie and a session: a session expires on the server, whereas a cookie expires on the client (browser). So even if you set a cookie expiration time, that only guarantees that a standard browser will stop sending the cookie (which contains the session ID) once it has expired; if you construct the request yourself, the session ID value can still be used.

The third kind of answer
Use memcache, Redis, and so on. OK, this is a correct answer. However, the interviewer will clearly go on to ask: what if you can only use PHP?

The fourth kind of answer
Of course, the interview is not meant to stump you, but to examine how thoroughly you think. During the process I will hint at these traps, so in general the approach that meets the requirements is:

1. Set the cookie expiration time to 30 minutes and set the session's lifetime to 30 minutes.

2. Add a timestamp to each session value.

3. Before each access, check the timestamp.
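
The three steps above as a sketch. This is an added example, not code from the original article; the helper names session_put and session_get, the SESSION_TTL constant, the myapp_sessions directory and the timestamps are assumptions made for illustration. It also gives the application its own save_path, following the manual note quoted under the first answer.

```php
<?php
declare(strict_types=1);

const SESSION_TTL = 1800; // 30 minutes, in seconds

// Step 1: cookie lifetime and session lifetime are both 30 minutes.
ini_set('session.cookie_lifetime', (string) SESSION_TTL);
ini_set('session.gc_maxlifetime', (string) SESSION_TTL);

// A private save_path (hypothetical directory name) so that another
// application's shorter gc_maxlifetime cannot clean up these files.
$dir = sys_get_temp_dir() . '/myapp_sessions';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}
session_save_path($dir);
session_start();

// Step 2: every value is stored together with the time it was written.
function session_put(string $key, $value, ?int $now = null): void
{
    $_SESSION[$key] = ['value' => $value, 'time' => $now ?? time()];
}

// Step 3: the timestamp is checked on every read. The server decides, so a
// replayed session ID or a late GC run cannot extend a value's life.
function session_get(string $key, $default = null, ?int $now = null)
{
    $entry = $_SESSION[$key] ?? null;
    if (!is_array($entry) || !isset($entry['time'])) {
        return $default; // never written through session_put()
    }
    if (($now ?? time()) - $entry['time'] >= SESSION_TTL) {
        unset($_SESSION[$key]); // expired: drop it regardless of file mtime
        return $default;
    }
    return $entry['value'];
}

// Constructed timestamps: a is written at t0, b five minutes later.
$t0 = 1700000000;
session_put('a', 1, $t0);
session_put('b', 2, $t0 + 300);
var_dump(session_get('a', null, $t0 + 1799)); // read just before a's deadline
var_dump(session_get('a', null, $t0 + 1800)); // read at a's deadline
var_dump(session_get('b', null, $t0 + 1800)); // b still has five minutes left
```

Because each value carries its own timestamp, a expires on schedule even though writing b refreshed the modification time of the shared session file.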

Reference from a foreign website: session.gc_maxlifetime

session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and potentially cleaned up. Garbage collection may occur during session start (depending on session.gc_probability and session.gc_divisor).

Note: If different scripts have different values of session.gc_maxlifetime but share the same place for storing the session data, then the script with the minimum value will be cleaning the data. In this case, use this directive together with session.save_path.

Note: If you are using the default file-based session handler, your filesystem must keep track of access times (atime). Windows FAT does not, so you will have to come up with another way to handle garbage collecting your session if you are stuck with a FAT filesystem or any other filesystem where atime tracking is not available. Since PHP 4.2.3 it has used mtime (modified date) instead of atime. So, you won't have problems with filesystems where atime tracking is not available.

session.referer_check string
session.referer_check contains the substring you want to check each HTTP Referer for. If the Referer was sent by the client and the substring was not found, the embedded session ID will be marked as invalid. Defaults to the empty string.
session.entropy_file string
session.entropy_file gives a path to an external resource (file) which will be used as an additional entropy source in the session ID creation process. Examples are /dev/random or /dev/urandom, which are available on many Unix systems. This feature is supported on Windows since PHP 5.3.3. Setting session.entropy_length to a non-zero value will make PHP use the Windows Random API as entropy source.
session.entropy_length integer
session.entropy_length specifies the number of bytes which will be read from the file specified above. Defaults to 0 (disabled).
session.use_cookies boolean


PHP principles: a low-probability notice from the session GC

If you are using PHP installed via apt on Ubuntu/Debian, there is a small chance that you will encounter this notice when you use sessions.

PHP Notice: session_start(): ps_files_cleanup_dir: opendir(/var/lib/php5) failed: Permission denied (13) in /home/laruence/www/htdocs/index.php on line 22

This is because, in PHP, if the files handler is used as the session's save handler, then there is a certain probability that the session GC will run on every call to session_start.
