Today I posted a question on my microblog:
In interviews, I often ask this question: "How do you make a session expire after 30 minutes?" Don't assume it is as simple as it looks; it involves a lot of knowledge and is especially suitable for checking whether someone's fundamentals are solid. Who wants to try answering? Heh.
Why ask this question?
1. I saw someone discussing this issue on StackOverflow.
2. I often ask this question myself, so...
Here I will answer the question.
The first kind of answer
The most common answer is to set the session expiration time, that is, session.gc_maxlifetime. This is incorrect for the following reasons:
1. First, PHP runs the session GC only with a certain probability, controlled by session.gc_probability and session.gc_divisor (see "PHP using session encountered a permission Denied notice solution"). The defaults are 1 and 100, so there is a 1% chance that PHP runs the session GC when a session starts. There is no guarantee that a session will expire at 30 minutes.
2. What about setting a high cleanup probability? That is still wrong. First, PHP uses stat to read the session file's modification time to judge expiration, so raising the probability reduces performance. Second, PHP uses a single file to store all the variables of one session. Suppose I set a session variable a=1 five minutes ago, and five minutes later I set a session variable b=2. The session file's modification time then becomes the time b was added, so a cannot be cleaned up at 30 minutes. There is also the third reason below.
3. By default (on Linux, for example) PHP uses /tmp as the session storage directory, and the manual has the following note:
Note: If different scripts have different session.gc_maxlifetime values but share the same place to store session data, the script with the smallest value will clean up the data. In this case, use this directive together with session.save_path.
That is, if two applications do not specify their own independent save_path, one with expiration set to 2 minutes (call it A) and one set to 30 minutes (call it B), then every time A's session GC runs, it also deletes the session files that belong to application B.
So the first answer is not "completely strictly" correct.
The second kind of answer
Another common answer is to set the expiration time of the cookie that carries the session ID, that is, session.cookie_lifetime. This answer is also incorrect, for the following reason:
This expiration is only the cookie's expiration. In other words, this is the difference between cookies and sessions: session expiration is enforced by the server, while cookie expiration is enforced by the client (the browser). So even if you set the cookie to expire, that only ensures that a standard browser will not send the cookie (which contains the session ID) once it has expired. If the request is constructed by hand, the session ID value can still be used.
The third kind of answer
Use Memcache, Redis, etc. OK, this is a correct answer. However, the questioner will obviously go on to ask: what if you can only use PHP?
The fourth kind of answer
Of course, the point of the interview is not to trip you up, but to examine how thoroughly you think. During the process I will hint at these traps, so generally speaking, the approach is:
1. Set the cookie expiration time to 30 minutes, and set the session lifetime to 30 minutes as well.
2. Add a timestamp to each session value.
3. Before each access, check the timestamp.
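The three steps above, as an added example that is not code from the original post. The helper names session_put() and session_get() are hypothetical, and the a/b values at the end are constructed to mirror the case described under the first answer.

```php
<?php
// Added example; session_put() and session_get() are hypothetical helper names.
const SESSION_TTL = 1800; // 30 minutes, in seconds

// Step 1: align cookie and GC lifetimes with the TTL. These are only a
// backstop: GC runs probabilistically and the cookie is enforced client-side.
ini_set('session.cookie_lifetime', (string) SESSION_TTL);
ini_set('session.gc_maxlifetime', (string) SESSION_TTL);
session_start();

// Step 2: store every value together with the time it was written.
function session_put(string $key, $value, ?int $now = null): void
{
    $_SESSION[$key] = ['value' => $value, 'ts' => $now ?? time()];
}

// Step 3: check the timestamp on every read. An expired entry is deleted and
// reported as absent, whether or not the session GC has run.
function session_get(string $key, ?int $now = null)
{
    $now = $now ?? time();
    $entry = $_SESSION[$key] ?? null;
    if (!is_array($entry) || !isset($entry['ts'])) {
        return null; // missing, or not written through session_put()
    }
    if ($now - $entry['ts'] >= SESSION_TTL) {
        unset($_SESSION[$key]);
        return null;
    }
    return $entry['value'];
}

// Constructed demonstration of the a/b case from the first answer.
$t0 = time();
session_put('a', 1, $t0);        // a written at t0
session_put('b', 2, $t0 + 300);  // b written five minutes later
$check = $t0 + SESSION_TTL;      // 30 minutes after a was written
var_dump(session_get('a', $check), session_get('b', $check));
```

Because the expiry decision is made on the server at read time, it does not depend on the session file's modification time, on when GC happens to run, or on the browser discarding the cookie.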
Finally, some people asked why one would set a 30-minute expiration time. First, this is for the interview; second, there are real use cases, such as a coupon that expires after 30 minutes.
:)