Understand the session garbage collection mechanism in PHP

1. Session generation mechanism in PHP

Let's first look at how a session is generated in PHP. Sessions exist to maintain per-user state, making up for the statelessness of the HTTP protocol. This raises a question: the session is stored on the server, so what does the server use to tell users apart? The answer is cookies. When we call session_start(); in the code, PHP creates one file in the session storage directory (default is /tmp/) and one in the client's cookie directory. The session file is named as follows:


The format is sess_{SESSIONID}. At this point the session file is empty. When we add these two lines of code after session_start();:

$_SESSION['name'] = 'wanchun0222';
$_SESSION['blog'] = 'coderbolg.net';

Now the file has content:

name|s:11:"wanchun0222";blog|s:13:"coderbolg.net";

Then look at the cookie again:


You can see that the server automatically generates a cookie for us. The cookie name is "PHPSESSID", and the content of the cookie is a string of characters; this string is in fact the {SESSIONID}. So when we use a session, PHP first generates a unique SESSIONID (such as 2bd170b3f86523f1b1b60b55ffde0f66) and then creates a file named sess_{SESSIONID} in the default directory on our server; at the same time it creates a cookie on the current user's client with the content just described. In this way PHP generates a SESSIONID, and therefore a session file, for each user. The first time PHP uses a session for a user, it writes a cookie to the client. On later visits the browser sends this cookie back. PHP reads the SESSIONID from the cookie and uses it to find the session file in the session directory. Once the file is found, its contents are available when the code reads $_SESSION['blog'].

2. The session expiry and collection mechanism in PHP

Now that we understand how a session is generated and how it works, we can see that many session files accumulate in the session directory. These files must not exist forever, so PHP provides an expiry and collection mechanism. In php.ini, session.gc_maxlifetime sets the lifetime of a session (default is 1440s). If the time since the session file was last updated exceeds this lifetime, the session file is considered expired and will be deleted the next time session collection runs. When does the next collection run? That depends on the number of PHP requests. Internally, PHP triggers the collection mechanism once every N requests. How many requests it takes is controlled by the following two parameters:

session.gc_probability = 1
session.gc_divisor = 100

This is the default setting of php.ini, which means that a collection happens about once every 100 PHP requests: each request triggers it with probability gc_probability/gc_divisor. That covers the session expiration mechanism on the server side; now let's take a look at the cookie expiration mechanism on the client side.

If the cookie is no longer valid, the browser will not send it to the server. Then even if the server's session file still exists it is useless, because PHP does not know which session file to read. PHP sets a cookie's expiration time when the cookie is created, so how long is the lifetime of the cookie that PHP creates for the client when it creates the session? This is set in php.ini: session.cookie_lifetime. This value defaults to 0, which means that the SESSIONID becomes invalid as soon as the browser is closed. That is to say, we can control the expiration time of the session by setting session.gc_maxlifetime and session.cookie_lifetime to the same value.
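Because collection is probabilistic, an expired session file can stay on disk, and stay usable, until some request happens to trigger the collector. The following added example (not code from the original article) also enforces the lifetime in the application; the constant, the function names and the `last_seen` key are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Illustrative names (assumptions): SESSION_IDLE_LIMIT, is_idle_expired(),
// start_session_with_idle_limit() and the 'last_seen' key are not PHP built-ins.
const SESSION_IDLE_LIMIT = 1440; // seconds; matches the default session.gc_maxlifetime

/** True when the last recorded activity is older than the allowed idle time. */
function is_idle_expired(?int $lastSeen, int $now, int $limit): bool
{
    return $lastSeen !== null && ($now - $lastSeen) > $limit;
}

function start_session_with_idle_limit(int $limit = SESSION_IDLE_LIMIT): void
{
    // Keep the server-side and cookie lifetimes aligned, as described above.
    // The array form of session_set_cookie_params() needs PHP 7.3 or later.
    ini_set('session.gc_maxlifetime', (string) $limit);
    session_set_cookie_params(['lifetime' => $limit, 'httponly' => true]);
    session_start();

    $lastSeen = isset($_SESSION['last_seen']) ? (int) $_SESSION['last_seen'] : null;
    if (is_idle_expired($lastSeen, time(), $limit)) {
        // The file outlived gc_maxlifetime only because no request has
        // triggered collection yet: discard its data and issue a fresh ID.
        $_SESSION = [];
        session_regenerate_id(true); // true also deletes the old session file
    }
    $_SESSION['last_seen'] = time();
}

// Call once at the top of every page, before any output is sent.
start_session_with_idle_limit();
```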

3. Client-side storage mechanism of session in PHP

From the above we know that if the user turns off cookies, our session will not work at all. That is true. But are cookies the only client-side storage mechanism for sessions in PHP? No. When the SESSIONID cannot be passed to each page through a cookie, there is another option: passing the value in the page's GET parameters.

PHP can automatically pass the SESSIONID across pages through GET when cookies are disabled, provided that session.use_trans_sid in php.ini is set to 1. In that case, when we use a session while cookies are disabled on the client and the user clicks a link from the current page to another page, PHP automatically adds the SESSIONID parameter to the link, like this: nextpage.php?SESSIONID=2bd170b3f86523f1b1b60b55ffde0f66. You can probably see the disadvantage of this method: it is not safe enough. The session ID is now part of the URL, so it ends up in browser history, server logs and Referer headers, and anyone who obtains the link can present the same ID.
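A check for the settings this concern comes down to, as an added example (not from the original article): it reads the live configuration and flags URL-based ID transport along with the lifetime and collection settings covered earlier. The helper names ini_flag() and audit_session_settings() are assumptions.

```php
<?php
declare(strict_types=1);

// Illustrative helpers (assumptions): ini_flag() and audit_session_settings()
// are not PHP built-ins. They only read configuration through ini_get().
function ini_flag(string $name): bool
{
    // Boolean directives come back as "1", "0", "" or "On"/"Off" when set at runtime.
    return filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

/** @return string[] one message per finding; empty when nothing is flagged */
function audit_session_settings(): array
{
    $findings = [];

    if (ini_flag('session.use_trans_sid')) {
        $findings[] = 'session.use_trans_sid is on: the session ID is appended to links';
    }
    if (!ini_flag('session.use_only_cookies')) {
        $findings[] = 'session.use_only_cookies is off: an ID supplied in the URL is accepted';
    }
    if (!ini_flag('session.use_strict_mode')) {
        $findings[] = 'session.use_strict_mode is off: IDs not issued by the server are accepted';
    }
    if (!ini_flag('session.cookie_httponly')) {
        $findings[] = 'session.cookie_httponly is off: page scripts can read the session cookie';
    }

    // A cookie that outlives gc_maxlifetime points at data that may already be collected.
    $gcLifetime = (int) ini_get('session.gc_maxlifetime');
    $cookieLifetime = (int) ini_get('session.cookie_lifetime');
    if ($cookieLifetime > $gcLifetime) {
        $findings[] = "cookie lifetime ({$cookieLifetime}s) exceeds gc_maxlifetime ({$gcLifetime}s)";
    }

    if ((int) ini_get('session.gc_probability') === 0) {
        $findings[] = 'session.gc_probability is 0: PHP never triggers collection itself, '
            . 'so expired files need an external cleanup job';
    }
    return $findings;
}

foreach (audit_session_settings() as $finding) {
    echo "[session] {$finding}\n";
}
```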

The original text comes from: https://www.linuxprobe.com/session-garbage-collection.html
