Principles and solutions for keeping the SESSION from expiring in PHP

Source: Internet
Author: User
Tags: http, cookie, php, development environment
This article mainly discusses web sessions, which generally have two types: client SESSION and server SESSION, the latter being the most common one, provided by Java Beans. It also covers how to maintain the SESSION in PHP, with some ideas from a recent project. That project contains a large form that takes a user a long time to complete. After a lot of hard work, the user finds that the SESSION has expired and the system has logged them out. It is therefore necessary to study how to configure the SESSION and keep it alive. The following are some experiences.

What is SESSION?
According to the wiki, a SESSION is the interaction information between two communicating devices. It is established at a certain time and becomes invalid after a certain period of time. Common sessions include the TCP session, the web session (HTTP session), and the login session.

According to the OSI model, sessions are implemented at different layers, so they can be divided into several types: application-layer sessions, including web sessions (HTTP sessions) and telnet remote login sessions; sessions implemented at the session layer, including Session Initiation Protocol (SIP) and Internet phone calls; and TCP sessions, implemented at the transport layer.

This article mainly discusses web sessions, which generally have two types: client SESSION and server SESSION. The latter is the most common one, provided by Java Beans.

What is a SESSION?
Sessions are widely used in computing, especially in networking. The term is also rendered as "dialogue". A SESSION generally refers to state stored between two communicating devices; sometimes it exists between a user and a computer (login SESSION).

Unlike stateless communication, a SESSION is usually used to store the communication status. Therefore, at least one of the communication parties needs to store the SESSION history to implement communication between the two parties.

How is a web session implemented?
When a browser communicates with a server over HTTP, the request usually carries an HTTP cookie that identifies the state. Generally, there is a unique SESSIONID, and the SESSION usually records the user's authentication information and access level.

The most common HTTP session tokens in programming languages are JSESSIONID (JSP), PHPSESSID (PHP), and ASPSESSIONID (ASP). This identifier is usually generated by a hash function and uniquely represents the user. When the server communicates with the client, the identifier is kept on the client and sent as a GET or POST parameter.

There are two methods to implement a SESSION: server-side SESSION and client SESSION. Each method has its own advantages and disadvantages.

A server-side SESSION is easy to implement and efficient, but it is difficult to combine with load balancing or high-availability requirements, and it is unavailable on embedded systems that have no storage device. Load balancing can be achieved through a shared file system or by forcing each client to use only one server, but this reduces efficiency. On devices without storage, server-side sessions can also be kept in RAM (refer to reference 6); this method is effective for systems with a limited number of client connections (such as routers or access point devices).

Client sessions can solve some server-side SESSION problems, such as avoiding load-balancing algorithms, but they introduce problems of their own. Client sessions use cookies and encryption to save state between requests. At the end of each dynamic page, the current SESSION data is computed and sent back to the client. With each subsequent request, the cookie is sent to the server to "remember" the user's identity. The most important issue with a client SESSION is security: once a cookie is hijacked or tampered with, the security of the user's information is lost.

How to set a SESSION in PHP?
After setting up the PHP development environment, you can view the SESSION-related settings through phpinfo(), in the session module section. In PHP V5.2.9 there are a total of 25 variables. The following are common settings:
session.cookie_lifetime: the expiration time of the cookie that stores the SESSIONID
session.name: the cookie name of the SESSION; the default value is PHPSESSID
session.save_handler: the SESSION storage method; the default value is files
session.save_path: where SESSION data is stored; on Fedora the default is /var/lib/php/session
session.gc_probability
session.gc_divisor
session.gc_maxlifetime: these three options control the probability that the GC mechanism runs
session.cache_limiter (nocache, private, private_no_expire, public)
session.cache_expire: these two options control caching of SESSION pages

Let's first consider the first question: how long does it take for the SESSION to expire, and how does it expire? To use the SESSION in a PHP program, you must first call session_start(). When this function runs, an empty SESSION file is created in the SESSION directory (if the file handler is used). At the same time, the browser receives a cookie named PHPSESSID, whose value is the hash that names the SESSION.

SESSION expiration depends on a garbage collection (GC) mechanism. After a SESSION is created, it is stored as a file on the server. Each time a client script accesses a SESSION variable, the access time of the SESSION file is updated. Each request uses the SESSIONID stored by the client to look up the unique SESSION stored on the server. When the client's cookie expires, the client no longer knows which SESSION to access, yet the SESSION file on the server has not been reclaimed. This wastes server resources.

However, if we want the user's session to expire immediately, we can do so by setting the cookie. SESSION recycling is attempted every time a page is accessed. The probability that it runs is specified by session.gc_probability and session.gc_divisor; the default value is 1/100. If the probability is set to 1, a SESSION is recycled every time it exceeds its lifetime.
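The expiry rules described above can be modelled in a few lines. This is an added example, not code from the article and not PHP source: the setting names mirror php.ini, times are in seconds, and the session ids and timestamps are constructed.

```javascript
// Simplified model of file-based SESSION expiry (assumption: one timestamp
// per session file stands for its last access time).
const cfg = {
  cookie_lifetime: 3600,  // 0 would mean "until the browser closes"
  gc_maxlifetime: 1440,
  gc_probability: 1,
  gc_divisor: 100,
};

// Chance that a single request triggers a GC pass.
function gcChance(c) {
  return c.gc_probability / c.gc_divisor;
}

// Chance that at least one GC pass has run after n requests.
function gcRanWithin(c, n) {
  return 1 - Math.pow(1 - gcChance(c), n);
}

// One GC pass: delete every session file idle longer than gc_maxlifetime.
function gcPass(c, files, now) {
  for (const [sid, lastAccess] of files) {
    if (now - lastAccess > c.gc_maxlifetime) files.delete(sid);
  }
}

// State of one session at time `now`.
function classify(c, files, sid, cookieSetAt, now) {
  if (!files.has(sid)) return 'collected';
  const cookieGone =
    c.cookie_lifetime > 0 && now - cookieSetAt >= c.cookie_lifetime;
  if (cookieGone) return 'orphaned';  // browser dropped the id, file remains
  if (now - files.get(sid) > c.gc_maxlifetime) return 'stale-but-usable';
  return 'active';
}

// Constructed demo: a session last touched at t=0, inspected at t=2000.
const demoFiles = new Map([['sid-demo', 0]]);
console.log(classify(cfg, demoFiles, 'sid-demo', 0, 2000));
console.log(gcRanWithin(cfg, 100).toFixed(3));
```

A `stale-but-usable` session is still accepted until a GC pass happens to run, so gc_maxlifetime on its own is not a hard timeout; an application that needs one has to check a last-activity timestamp stored in the SESSION itself.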

Two requirements:
1. Keep the SESSION from expiring, or extend the SESSION expiration time;
2. Make the SESSION expire immediately.

1. Keeping the SESSION from expiring, or extending its expiration time, is necessary especially when an internal application system contains large forms. Imagine your boss is filling out a form when lunch time arrives. He leaves the form open, comes back after the meal, fills in the remaining content, and submits it. What will he see? Generally, a login page. To improve the user experience, the key is to keep the boss's form from being lost, so we must extend the SESSION lifecycle.

You can set session.gc_maxlifetime to keep the SESSION from expiring and to prolong its lifetime. However, you must first ensure that the client cookie does not expire before GC reclaims the SESSION. Setting a long gc_maxlifetime extends the SESSION lifecycle, but for applications in which not every request needs a long-lived SESSION, this is obviously not the best server configuration.
We know that the SESSION recovery mechanism is based on the last access time of the SESSION file: if maxlifetime is exceeded, the SESSION is reclaimed according to the recovery probability. Therefore, we only need to access the SESSION regularly, which can be done by refreshing the page. This idea leads to the following solutions:

Request a page periodically through JS;
Use an iframe to refresh the page periodically;
Send an HTTP request directly from a program, so that no extra elements are embedded in the page.

The following is an implementation that uses JS to send requests so that the SESSION does not expire. In this way, we only keep the SESSION alive for a long time on the pages that need it (such as a page with a large form).
The code is as follows:
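The listing that belonged here is not present on this page. As an added example (not the article's code), this is one way to send the periodic request from JS. The endpoint name `/keepalive.php`, the 10-minute interval and the 4-hour cap are assumptions; the cap is there so that an unattended page cannot keep the SESSION alive indefinitely.

```javascript
// Bounded keep-alive for a long form page.
// Assumptions: "/keepalive.php" is a hypothetical same-origin script that only
// calls session_start(); intervalMs must be shorter than session.gc_maxlifetime.
function createKeepAlive(options = {}) {
  const {
    url = '/keepalive.php',
    intervalMs = 10 * 60 * 1000,         // ping every 10 minutes
    maxDurationMs = 4 * 60 * 60 * 1000,  // never extend beyond 4 hours
    fetchFn = (u, init) => fetch(u, init),
    now = () => Date.now(),
  } = options;
  let startedAt = null;
  let timer = null;
  const log = [];                        // outcome of every tick

  // The cap keeps an abandoned tab from holding a SESSION open forever.
  function shouldPing(t) {
    return startedAt !== null && t - startedAt < maxDurationMs;
  }

  function stop(reason) {
    if (timer !== null) clearInterval(timer);
    timer = null;
    startedAt = null;
    log.push('stopped:' + reason);
  }

  async function tick() {
    if (!shouldPing(now())) { stop('max-duration'); return; }
    try {
      const res = await fetchFn(url, { credentials: 'same-origin', cache: 'no-store' });
      if (res.status === 401 || res.status === 403) stop('session-ended');
      else log.push(res.ok ? 'pinged' : 'http-' + res.status);
    } catch (err) {
      log.push('network-error');         // keep the timer, retry on next tick
    }
  }

  function start() {
    startedAt = now();
    timer = setInterval(tick, intervalMs);
  }

  return { start, stop, tick, shouldPing, log };
}

// On the form page: createKeepAlive({ url: '/keepalive.php' }).start();
```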
