Reprint: How to Strictly limit the session expires after 30 minutes!

How to strictly limit the session expires in 30 minutes!
1. Set the lifetime of the client cookie to 30 minutes;
2. Set the maximum survival period of the session to 30 minutes;
3. Add a timestamp to each session value and then make a judgment call when the program is called;

As for why, let's first understand the basics of the session in PHP:

The duration of the session in PHP is 1440 seconds (24 minutes) By default, that is, if the client does not refresh for more than 24 minutes, the current session will be invalidated. Of course, if the user closes the browser, the session will be over, and there will be no sessions!
As you know, the session is stored on the server side, according to the client-provided SessionID to get the user's files, and then read the file, get the value of the variable, SessionID can use the client's cookie or Http1.1 protocol
Query_string (the "?" of the URL that is visited) Later) to the server, and then the server reads the Session Directory ...
To control the life cycle of the session, first we need to know about the php.ini settings for the session (open the PHP.ini file, in the [Session] section):
1, Session.use_cookies: The default value is "1", on behalf of SessionID using cookies to pass, the other is the use of query_string to pass;
2, Session.name: This is sessionid stored variable name, may be a cookie, it may be query_string to pass, the default value is "PHPSESSID";
3, Session.cookie_lifetime: This represents SessionID in the client cookie storage time, the default is 0, on behalf of the browser a close SessionID is void ... This is why the session cannot be used permanently!
4, Session.gc_maxlifetime: This is the session data in the server-side storage time, if more than this time, then the session data will be automatically deleted!
There are a lot of settings, but this is what this article is about, and here's how to set the session's survival cycle.
As mentioned earlier, the server through the SessionID to read the session data, but the General browser transfer of SessionID after the browser is closed, then we only need to set SessionID and save the human, not can ...
If you have permission to operate the server, it is very, very simple to set up, just the following steps:
1, the "Session.use_cookies" set to 1, the use of cookies to store SessionID, but the default is 1, generally do not modify;
2, change the "Session.cookie_lifetime" to the time you need to set (such as one hours, you can set to 3600, in seconds);
3, the "Session.gc_maxlifetime" set to "Session.cookie_lifetime" the same time;
It is clearly stated in the PHP documentation that the parameters for setting the session expiration date are session.gc_maxlifetime. You can modify this parameter in the php.ini file, or through the Ini_set () function. The problem is, after many tests, modify this
The parameters do not work at all, and the session duration remains the default value of 24 minutes.
Because of PHP's working mechanism, it does not have a daemon thread to periodically scan the session information and determine if it is invalid. When a valid request occurs, PHP is based on the global variable
Session.gc_probability/session.gc_divisor (also can be modified by the php.ini or Ini_set () function) to determine whether to start a GC (garbage Collector).
By default, session.gc_probability = 1,session.gc_divisor = 100, which means that there is a 1% possibility to start the GC. The GC's job is to scan all of the session information, minus the session's last fix with the current time.
Change time (modified date), compared with the session.gc_maxlifetime parameter, if the lifetime has exceeded Gc_maxlifetime, the session is deleted.
So far, it's all working. Then why does it happen that Gc_maxlifetime is invalid?
By default, session information is saved in the temporary file directory of the system as a text file. Under Linux, this path is typically \tmp, which is typically C:\Windows\Temp under Windows. When there is more than one PHP on the server
, they will keep their session files in the same directory. Similarly, these PHP applications will launch the GC at a certain probability, scanning all session files.

The problem is that when the GC is working, it does not differentiate between sessions at different sites. For example, site A's gc_maxlifetime is set to 2 hours, and Site B's gc_maxlifetime is set to the default of 24 minutes. When site B's GC starts, it sweeps
and delete all session files that are more than 24 minutes away, regardless of whether they come from site A or B. In this way, site A's gc_maxlifetime setting is no more than a dummy.
Finding the problem is a simple solution. Modify the Session.save_path parameter, or use the Session_save_path () function to point the directory where the session is saved to a dedicated directory, and the Gc_maxlifetime parameter is working properly.

Another problem is that gc_maxlifetime can only guarantee the shortest time that the session will survive, and not be able to save the session information immediately after it has been deleted. Because the GC is started by chance, it may be over a long period of time
Have not been activated, then a large number of sessions will still be available after more than Gc_maxlifetime.
One way to solve this problem is to increase the odds of session.gc_probability/session.gc_divisor, and if you mention 100%, it will solve the problem completely, but it will obviously have a serious impact on performance. Another way is to own
Determine the lifetime of the current session in the code, and if it exceeds the gc_maxlifetime, empty the current session.

(full content) original address: http://www.91xueke.com/2012/08/01/83.htm

Reprint: How to Strictly limit the session expires after 30 minutes!