PHP session usage and security considerations. A session relies on a cookie whose expiration time is set to 0 (a "session cookie", discarded when the browser closes) carrying a unique identifier called the session ID (a long random string). On the server side PHP creates a matching session file (the storage backend can be replaced with your own save handler) and associates it with that client. The web application stores the data that belongs to the session on the server and makes it available on every page the user visits.
Source: http://blog.chinaunix.net/u/27731/showart_259031.html
Each visitor to the site is assigned a unique identifier, the so-called session ID. It is either stored in a cookie on the client or passed along in the URL.
Session support lets the application register any number of variables and keep them available across individual requests. When a visitor arrives, PHP checks whether a specific session ID was sent with the request, either automatically (if session.auto_start is set to 1) or when the script asks for it (an explicit call to session_start(), or implicitly through session_register(), which was removed in PHP 5.4). If an ID is present, the previously saved environment is restored.
2.1 Transmission of the session ID
2.1.1 Transferring the session ID via cookie
When session_start() is called, the server generates a session ID (a hash value) and sends it to the client as a cookie whose name is the session name, PHPSESSID by default. In PHP 5 the ID is a 128-bit hash rendered as 32 hex characters. From then on the server and client identify the session through this cookie.
The values of the session variables are serialized by PHP and stored in a text file on the server; the client only holds the cookie, named PHPSESSID by default, that refers to them.
In other words, the server automatically sends an HTTP header:
header('Set-Cookie: ' . session_name() . '=' . session_id() . '; path=/');
which is equivalent to:
setcookie(session_name(), session_id());
When the user follows a link to a new page and that page calls session_start(), PHP looks up the server-side session data associated with the ID it received and creates a new, empty data set if none is found.
2.1.2 Sending the session ID via URL
This method should only be used when the client refuses cookies. Browser cookie support is nearly universal, and putting the ID in the URL is unsafe: it ends up in server logs, browser history and Referer headers, and an attacker can send a victim a link carrying a chosen ID (session fixation).
<a href="p.php?<?php echo session_name(); ?>=<?php echo session_id(); ?>">XXX</a>
The session ID can also be passed in a POST body.
2.2 Basic session usage example
<?php
// page1.php
session_start();
echo 'Welcome to page #1';
/* Create session variables and assign values to them */
$_SESSION['favcolor'] = 'green';
$_SESSION['animal']   = 'cat';
$_SESSION['time']     = time();
// If the client accepts cookies, the session ID is sent with the request to page2.php:
echo '<br /><a href="page2.php">page 2</a>';
// If the client has cookies disabled, append the ID to the URL instead:
echo '<br /><a href="page2.php?' . SID . '">page 2</a>';
/*
 By default (PHP 5.2.1) the SID constant is only non-empty when the session cookie
 has just been written in this response. If the corresponding cookie already
 exists, SID is an empty string.
*/
?>
<?php
// page2.php
session_start();
print $_SESSION['animal']; // print a single session variable
var_dump($_SESSION);       // dump all the session values set by page1.php
?>
2.3 Using the session functions to control page caching
Often we need to decide whether a page may be cached on the client, or how long the cache stays valid. For example, a page with sensitive content that requires login must not be served from a local cache, otherwise someone can open the cached copy and read it without logging in.
session_cache_limiter('private') controls client caching of the page and must be called before session_start(). The default limiter is 'nocache', which forbids caching by both the browser and shared proxies; 'private' still lets the browser keep a copy, so for the login-protected scenario above keep 'nocache'.
For the other values see http://blog.chinaunix.net/u/27731/showart.php?id=258087 on client cache control.
session_cache_expire(int) sets the client cache lifetime, in minutes (not seconds), and is also called before session_start().
This is only one way to control caching; the same thing can be done by sending the cache headers yourself with header().
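As an added illustration (not code from the original post), the following chooses the cache policy according to whether the page is login-protected, and shows the explicit header() equivalent of the 'nocache' limiter. The $requires_login flag is an assumption about the calling application.

```php
<?php
// Added example, not from the original post. Decide the cache policy before
// session_start(), because session_start() is what emits the cache headers.
// $requires_login is a hypothetical flag supplied by the application.
function apply_cache_policy($requires_login, $minutes = 180)
{
    if ($requires_login) {
        // Sensitive page: neither the browser nor a shared proxy may keep a
        // copy, so "Back" after logout does not show the page again.
        session_cache_limiter('nocache');
    } else {
        // Personalised but harmless page: the browser may cache it for
        // $minutes, shared proxies may not. Unit is minutes, not seconds.
        session_cache_limiter('private');
        session_cache_expire($minutes);
    }
    session_start();
}

// Explicit header() equivalent of the 'nocache' limiter, for pages that do
// not start a session. Must also be called before any output is sent.
function send_no_store_headers()
{
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: Thu, 19 Nov 1981 08:52:00 GMT'); // a date in the past
}

// Usage on a page that shows account data:
apply_cache_policy(true);
```

Because the limiter setting lives in php.ini (session.cache_limiter) and is read when session_start() runs, calling session_cache_limiter() after session_start() has no effect on the current response.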
2.4 Deleting a session
This takes three steps: empty the $_SESSION array, delete the cookie on the client, and delete the server-side data. The cookie is only removed by the browser if setcookie() is given the same path and domain the session cookie was set with, so take them from session_get_cookie_params().
<?php
$_SESSION = array();                       // Step one: empty the $_SESSION global array
if (ini_get('session.use_cookies')) {      // Step two: delete the client-side cookie
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}
session_destroy();                         // Step three: delete the server-side session data
?>
2.5 Using sessions in large PHP web applications
For heavily visited sites the default file-based session storage is not suitable; the usual solution is to store sessions in a database. PHP provides bool session_set_save_handler(callback open, callback close, callback read, callback write, callback destroy, callback gc) for exactly this purpose.
The six callbacks have the following signatures:
1. bool open(string $save_path, string $session_name): opens the session storage mechanism.
2. bool close(): closes the session storage.
3. string read(string $session_id): returns the serialized data for the given session ID, or an empty string if there is none.
4. bool write(string $session_id, string $data): writes the serialized data for the given session ID to the store.
5. bool destroy(string $session_id): removes the data associated with the given session ID.
6. bool gc(int $maxlifetime): garbage-collects sessions older than $maxlifetime seconds from the store.
See the session_set_save_handler() entry in the PHP manual for examples.
If you implement the handler as a class, register it like this:
session_set_save_handler(
    array('ClassName', 'open'),
    array('ClassName', 'close'),
    array('ClassName', 'read'),
    array('ClassName', 'write'),
    array('ClassName', 'destroy'),
    array('ClassName', 'gc')
);
This calls the six static methods of ClassName. You may pass an object instead (array($object, 'open') and so on) if the methods are not static; using static members avoids creating an object and performs slightly better. Since PHP 5.4 the same can be done by passing a single object that implements SessionHandlerInterface.
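The following is an added, complete database-backed handler in the static-class form just described; it is example code, not from the original post. It assumes PDO with an SQLite file next to the script (swap the DSN and the INSERT OR REPLACE syntax for MySQL or PostgreSQL) and a table sessions(id, data, expires). The security point it makes: the session ID handed to read(), write() and destroy() comes straight from the client's cookie or URL, so every query is a prepared statement, and read() refuses rows that have already expired because gc() only runs probabilistically.

```php
<?php
// Added example, not from the original post. Assumes PDO + SQLite and a
// table sessions(id TEXT PRIMARY KEY, data BLOB, expires INTEGER).
class DbSessionHandler
{
    private static $pdo;

    public static function open($savePath, $sessionName)
    {
        self::$pdo = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite');
        self::$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        self::$pdo->exec('CREATE TABLE IF NOT EXISTS sessions ('
            . 'id TEXT PRIMARY KEY, data BLOB NOT NULL, expires INTEGER NOT NULL)');
        return true;
    }

    public static function close()
    {
        self::$pdo = null;
        return true;
    }

    public static function read($id)
    {
        // $id is attacker-controlled (it is the PHPSESSID cookie): bind it,
        // never interpolate it. Ignore rows gc() has not collected yet.
        $stmt = self::$pdo->prepare(
            'SELECT data FROM sessions WHERE id = :id AND expires > :now');
        $stmt->execute(array(':id' => $id, ':now' => time()));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        // read() must return a string; '' means "no such session"
        return $row ? base64_decode($row['data']) : '';
    }

    public static function write($id, $data)
    {
        $expires = time() + (int) ini_get('session.gc_maxlifetime');
        $stmt = self::$pdo->prepare('INSERT OR REPLACE INTO sessions (id, data, expires) '
            . 'VALUES (:id, :data, :expires)');
        return $stmt->execute(array(
            ':id'      => $id,
            ':data'    => base64_encode($data), // serialized $_SESSION may hold binary
            ':expires' => $expires,
        ));
    }

    public static function destroy($id)
    {
        $stmt = self::$pdo->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute(array(':id' => $id));
    }

    public static function gc($maxlifetime)
    {
        // Rows carry their own absolute expiry, so $maxlifetime is not needed here.
        $stmt = self::$pdo->prepare('DELETE FROM sessions WHERE expires < :now');
        return $stmt->execute(array(':now' => time()));
    }
}

session_set_save_handler(
    array('DbSessionHandler', 'open'),
    array('DbSessionHandler', 'close'),
    array('DbSessionHandler', 'read'),
    array('DbSessionHandler', 'write'),
    array('DbSessionHandler', 'destroy'),
    array('DbSessionHandler', 'gc')
);
// Make sure write()/close() run before PHP tears the handler down at shutdown.
register_shutdown_function('session_write_close');

session_start();
$_SESSION['hits'] = isset($_SESSION['hits']) ? $_SESSION['hits'] + 1 : 1;
```

The expiry check in read() is the part that matters operationally: with the default session.gc_probability the gc() callback may not run for a long time on a quiet site, and without that check a session that should have timed out would be resurrected by whoever still holds its ID.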
2.6 Commonly used session functions:
bool session_start(void): initializes a new session or resumes the one identified by the request.
bool session_destroy(void): deletes the server-side data associated with the session; it does not unset $_SESSION and does not remove the client cookie.
string session_id([string $id]): returns the current session ID (or sets it, when called before session_start()).
string session_name([string $name]): returns the name of the current session, i.e. the name of the cookie in which the client holds the session ID. Default PHPSESSID.
array session_get_cookie_params(void): returns the parameters (lifetime, path, domain, secure, httponly) of the session cookie.
string session_cache_limiter([string $limiter]): controls client-side caching of pages that use the session.
int session_cache_expire([int $minutes]): controls the client cache lifetime, in minutes.
void session_set_cookie_params(int $lifetime [, string $path [, string $domain [, bool $secure [, bool $httponly]]]]): sets the session cookie parameters; must be called before session_start().
bool session_set_save_handler(callback $open, callback $close, callback $read, callback $write, callback $destroy, callback $gc): replaces the default storage mechanism with user-defined functions.
bool session_regenerate_id([bool $delete_old_session = false]): assigns a new session ID; pass true to also remove the data stored under the old ID.
2.7 Session security issues
An attacker who manages to obtain the valid session ID of an existing user (by sniffing it on the network, reading it from a URL, log or Referer header, stealing the cookie through cross-site scripting, or planting an ID of their own in advance) can act in the system with the same capabilities as that user.
Our main countermeasure is therefore to validate that the session ID presented really belongs to the client that created the session.
<?php
if (!isset($_SESSION['user_agent'])) {
    // first request of this session: record the client fingerprint
    $_SESSION['user_agent'] = $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'];
} elseif ($_SESSION['user_agent'] != $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']) {
    /* fingerprint differs: treat the session ID as forged */
    session_regenerate_id();
}
?>
Two caveats. session_regenerate_id() on its own only issues a fresh ID and carries the session data over to it, so the client whose fingerprint mismatched still holds a valid, populated session; to actually evict it, clear $_SESSION (or call session_destroy()) before regenerating. And REMOTE_ADDR changes legitimately for users behind load-balanced proxies or mobile carriers, while the User-Agent string is trivially copied by an attacker, so this check raises the bar but does not replace HttpOnly/Secure cookie flags, session.use_only_cookies=1 and regenerating the ID at login.
2.8 Difference between passing the session via cookie and via SID:
In the default configuration of PHP 5.2.1, when a session is created the server sends the Set-Cookie header and at the same time defines the predefined constant SID (writing the cookie and defining SID go together). When $_COOKIE['PHPSESSID'] is already present in the request, the cookie is not written again and SID is defined as an empty string. Note that SID is a constant, not a superglobal variable.
2.9 Session usage example
<?php
/**
 * Validate the session against the client fingerprint
 */
function sessionVerify()
{
    $fingerprint = md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']);
    if (!isset($_SESSION['user_agent'])) {
        $_SESSION['user_agent'] = $fingerprint;
    } elseif ($_SESSION['user_agent'] != $fingerprint) {
        /* fingerprint differs: treat the session ID as forged and reassign it */
        session_regenerate_id();
    }
}

/**
 * Destroy the session
 * Three steps, so that nothing is left behind on either side
 */
function sessionDestroy()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
?>
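The following added example (not code from the original post) combines the validation of sections 2.7 and 2.9 with the teardown of section 2.4 into one session bootstrap, with the changes a security review would ask for: IDs are accepted from cookies only, the cookie gets the HttpOnly and Secure flags, a fingerprint mismatch evicts the session instead of merely renaming it, and the ID is regenerated after login so a pre-planted ID cannot be upgraded into an authenticated session. The fingerprint uses the User-Agent plus only the first two octets of the address; that choice is an assumption made so users whose address changes between hops are not logged out constantly.

```php
<?php
// Added example, not from the original post.
function secure_session_start()
{
    // Never accept the ID from the URL: it enables fixation and leaks
    // through Referer headers, history and logs.
    ini_set('session.use_only_cookies', 1);
    ini_set('session.use_trans_sid', 0);
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    // lifetime 0 = session cookie; HttpOnly keeps it away from document.cookie
    session_set_cookie_params(0, '/', '', $secure, true);
    session_start();

    $fp = session_fingerprint();
    if (!isset($_SESSION['fingerprint'])) {
        $_SESSION['fingerprint'] = $fp;
    } elseif ($_SESSION['fingerprint'] !== $fp) {
        // Evict: drop the data first so it is not carried over to the new ID,
        // then delete the old server-side record as well.
        $_SESSION = array();
        session_regenerate_id(true);
        $_SESSION['fingerprint'] = $fp;
    }
}

function session_fingerprint()
{
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    // Assumption: first two IPv4 octets are stable enough for one session
    // (an IPv6 address has no '.' and is used whole).
    $net = implode('.', array_slice(explode('.', $ip), 0, 2));
    // Hashing only gives a fixed-size value; both inputs are attacker-chosen,
    // so this is a tripwire, not a secret.
    return hash('sha256', $net . '|' . $ua);
}

// Call once the credentials have been checked. A fresh ID here defeats
// session fixation: whatever ID the client arrived with is discarded.
function session_login($userId)
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

function session_logout()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

secure_session_start();
```

Call session_login() right after the password check succeeds and session_logout() from the logout handler. On PHP 5.5.2 and later also set session.use_strict_mode=1, which makes PHP refuse an ID it did not generate itself instead of creating a session under it.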
Notes:
As with cookies, session_start() sends HTTP headers, so calling it after output has already been sent produces the "headers already sent" warning and the session cookie is not set.
In PHP 5 all session ini options can be changed at run time with ini_set() before session_start(); normally the defaults need no change. For the list of options see the session handling functions chapter of the manual.
When a session is saved, PHP serializes the $_SESSION array and hands the result to the save handler. The serialized string may contain characters or binary data that a given storage backend cannot hold; in that case base64_encode() it before writing and base64_decode() it after reading.