Session Expiration Strategy Research session function session Timeout session mechanism

First of all, a little novice know the common misunderstanding: close the browser session expires. This kind of talk is completely wrong,

Whether or not the session expires is not necessarily related to how the client operates, he only has to do with how the server is set up.

The following views are used in the PHP language for example, using Chrome [48.0.2564.116 (official version) m (32-bit)] (note this, because the Firefox browser is closed after the PHPSESSID will be forcibly cached, the test will cause no)

Each user visits the site, the server automatically gives the user a session_id value, at which point the server and the client (here is the browser) have a session_id value of the same value.

All subsequent additions to the session data, modification, deletion, expiration everything is based on session_id value, session_id value, is like a key, communication between the client and the server on the session of all operations.

How does the idea of "closing the browser session expire" appear on the internet?

First of all, if the server code does not perform special operations, the effect is really "close the browser session expires", for example, some websites close the browser and then open to re-login, but this does not mean that the session expired, session_id value still exists in the server, session_id point to the value is still there, the following code can be very good proof of this, I closed the browser and even switch the browser, b.php will always print out that data.

A Php:

b.php:

As long as you assign an initial value to session_id before Session_Start (), the current session will use that session_id value as the key to go like the server wants the data.

So here, B.php's session_id is always "5op1k5moghb1hprgkifgh7nv71", so long as the server's session_id value is not available, this data can always be obtained.

A session_start is a new session, if not deliberately assigned, then will produce a new session_id, the new session_id and the original "5OP1K5MOGHB1HPRGKIFGH7NV71" is not, The client naturally does not get the corresponding session data, then there will be "close the browser session disappears this misunderstanding."

Out of the wrong, let's discuss the real expiration strategy of the session. As I said before, session data expiration is only relevant to the server, where the expiration policy configuration of the session is modified in php.ini:

Three red lines affect the expiration strategy of the session respectively.

session.gc_probability = 1//session The probability of removal of the molecule

session.gc_divisor=1000//session the denominator of the probability of deletion

session.gc_maxlifetime=1440//24 minutes Delete Once

The default session expiration mechanism is deleted 24 minutes, and the chance of each session_id session being deleted is 1/1000.

We can manually change the three-line configuration to 1 to test, then we will find that even if we do not close the browser session value will expire. (The session value will be refreshed by default to expire, so even if it is set to 1 manual refresh again, which is related to the mechanism of the session itself)

The above describes the session expiration strategy research, including the content of the session, I hope that the PHP tutorial interested in a friend helpful.

