Session mechanism in PHP

Source: Internet
Author: User



1. Session generation mechanism in PHP


Let's analyze how a session is generated in PHP. Sessions exist to maintain per-user state and so make up for the fact that the HTTP protocol is stateless. This raises a question: we all know that the session is stored on the server, but since it maintains the state of every user, what does it use to tell users apart? This is where cookies come in. When session_start(); is called in the code, PHP generates a file in the session storage directory (/tmp/ by default) and a cookie in the client's cookie directory. The session file name is as follows:




The format is sess_{SESSIONID}. At this point the session file does not contain any content. When we add these two lines of code after session_start();:


$_SESSION['name'] = 'wanchun0222';


$_SESSION['blog'] = 'coderbolg.com';

The file contains the following content:


name|s:11:"wanchun0222";blog|s:13:"coderbolg.com";

Now let's look at the cookie:




We can see that the server automatically generates a cookie named "PHPSESSID". The cookie content is a string of characters, which is actually the {SESSIONID}. To summarize: when we use a session, PHP generates a unique SESSIONID (such as 2bd170b3f86523f1b1b60b55ffde0f66), creates a file named sess_{SESSIONID} in the default session directory on the server, and sets a cookie containing the SESSIONID on the current user's client. In this way, PHP generates a session ID for each user, that is, one session file per user. PHP writes the cookie to the client the first time a user uses the session. On later requests the browser sends the cookie; PHP reads the SESSIONID from it and looks for the matching session file in the session directory. Once the file is found, its contents are available when the code reads $_SESSION['blog'].
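The cycle described above (ID, file, lookup by ID) can be reproduced from the command line. This is an added example, not code from the original article; the scratch directory name and the two simulated "requests" are assumptions made for the demonstration.

```php
<?php
// Added example. Run from the CLI: php session_demo.php
// Uses a private scratch directory instead of the shared default (/tmp/).
$dir = sys_get_temp_dir() . '/sess_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);

// All session settings are changed before any output is produced.
ini_set('session.save_path', $dir);
ini_set('session.serialize_handler', 'php'); // the key|type:len:"value"; format
ini_set('session.use_cookies', '0');         // there is no browser in a CLI run

// First "request": create the session and store the article's two values.
session_start();
$_SESSION['name'] = 'wanchun0222';
$_SESSION['blog'] = 'coderbolg.com';
$id = session_id();
session_write_close();                       // flush data to sess_{SESSIONID}

$file  = $dir . '/sess_' . $id;
$raw   = file_get_contents($file);
$perms = sprintf('%04o', fileperms($file) & 0777);

// Second "request": the client presents the same ID (normally through the
// PHPSESSID cookie) and PHP locates the same file again.
session_id($id);
session_start();
$blog = $_SESSION['blog'];
session_destroy();                           // deletes the session file
rmdir($dir);

echo "cookie name : ", session_name(), "\n";
echo "session id  : $id\n";
echo "file        : $file (mode $perms)\n";
echo "raw content : $raw\n";
echo "read back   : $blog\n";
```

The printed file mode shows who on the host can read the session data, which matters when the save path is a shared directory such as /tmp/.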



2. Session expiration recycle mechanism in PHP


We now understand how sessions are generated and how they work, and we have seen that the session directory fills up with session files. Of course, these files do not exist forever: PHP provides an expiration recycle mechanism. In php.ini, session.gc_maxlifetime sets the session survival time (1440 s by default). If the time since the session file was last updated exceeds the survival time, the session file is considered expired, and it will be deleted at the next session recycle. When does the next session recycle happen? This is related to the number of PHP requests. Internally, when PHP has been requested N times, the recycle mechanism is triggered once. The following two parameters control how many requests it takes:


session.gc_probability = 1


session.gc_divisor = 100

These are the default settings in php.ini, which mean that recycling runs about once every 100 PHP requests: the probability on each request is gc_probability/gc_divisor. Having covered the session expiration mechanism on the server side, let's take a look at the cookie expiration mechanism on the client side.


If the cookie expires, the browser will no longer send it to the server. In that case, even if the server's session file still exists, PHP does not know which session file to read. We know that the expiration time of a PHP cookie is set when the cookie is created. So how long is the lifetime of the cookie that PHP creates for the client when it creates the session? This is set in php.ini by session.cookie_lifetime. The default value is 0, meaning the SESSIONID cookie expires when the browser is closed. That is to say, we can set session.gc_maxlifetime and session.cookie_lifetime to the same value to control the session expiration time.


3. Session client storage mechanism in PHP


From the above we can see that if the user disables cookies, our session cannot work at all. That is true. So does the session client storage mechanism in PHP only support cookies? No. When the SESSIONID cannot be passed from page to page through cookies, there is another tool available: passing the value in the page's GET parameters.


PHP can automatically pass the SESSIONID across pages through GET when cookies are disabled, provided that session.use_trans_sid in php.ini is set to 1. When cookies are disabled on the client and you click a link to another page from the current page, PHP automatically adds the SESSIONID parameter to the link, for example: nextpage.php?SESSIONID=2bd170b3f86523f1b1b60b55ffde0f66. I think you can already see the disadvantage of this method: it is not safe enough.
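A session bootstrap that keeps the SESSIONID out of URLs and does not depend on the probabilistic recycle from section 2 to expire idle sessions. This is an added example, not code from the original article; the function name start_hardened_session, the constant IDLE_LIMIT and the last_seen key are hypothetical, and it assumes PHP 7.3 or later and a site served over HTTPS.

```php
<?php
// Added example. Include and call before any output is sent.
const IDLE_LIMIT = 1440; // seconds; same value as the default gc_maxlifetime

function start_hardened_session(): void
{
    ini_set('session.use_trans_sid', '0');    // never append the ID to links
    ini_set('session.use_only_cookies', '1'); // ignore IDs arriving in the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);

    session_set_cookie_params([
        'lifetime' => 0,       // session.cookie_lifetime: until the browser closes
        'path'     => '/',
        'secure'   => true,    // assumption: HTTPS only
        'httponly' => true,    // cookie is not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    // Recycling only runs with probability gc_probability/gc_divisor, so an
    // expired session file can still be on disk and still be loaded here.
    // Enforce the idle limit explicitly instead of relying on the recycle.
    $now = time();
    if (isset($_SESSION['last_seen'])
        && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
        $_SESSION = [];              // drop the stale data
        session_regenerate_id(true); // new ID, old session file deleted
    }
    $_SESSION['last_seen'] = $now;
}

start_hardened_session();
```

With session.use_trans_sid left at 0, clients that refuse cookies simply get no session rather than an ID that ends up in browser history, logs and Referer headers.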


Reprinted from: Blue Hawaii
