[php] How PHP session IDs are generated

Sessions work by creating a unique ID (UID) for each visitor and storing that visitor's variables keyed by the UID. The UID is kept in a cookie or carried in the URL.

The algorithm that produces PHPSESSID is as follows:

hash_func = md5 / sha1   # selectable in php.ini

PHPSESSID = hash_func(client IP + current time in seconds + current time in microseconds + a random number generated by PHP)

Sampling the output of hash_func (*) shows that the probability of two users on the same server receiving the same PHPSESSID is very low (on the order of one in a million); a web server serving dynamic pages at 2000 requests per second is already a very hard load to reach, so collisions are not a practical concern.

Moreover, for an attacker to guess a user's PHPSESSID he would first have to know the client IP, the current time (seconds and microseconds), the random number and the other inputs before he could reproduce it.

php.ini configuration is as follows:

; Select a hash function for use in generating session ids.
; Possible Values
;   0  (MD5 128 bits)
;   1  (SHA-1 160 bits)
; This option may also be set to the name of any hash function supported by
; the hash extension. A list of available hashes is returned by the hash_algos()
; function.
; http://php.net/session.hash-function
session.hash_function=0

[How PHP sessions work]

The following describes the case where PHPSESSID is carried in a cookie.


1. The client requests a PHP address on the server.

2. The server receives the request; the PHP script contains session_start().

3. The server generates a PHPSESSID. (The default storage mode is session.save_handler = files, i.e. the session is stored as a file. The file is named sess_PHPSESSID and lives in the directory given by session.save_path.)

4. The server response carries the header Set-Cookie: PHPSESSID=37vjjasgjdv2ouk1uomhgqkv50; path=/. The client creates a cookie holding this PHPSESSID.

5. From now on the client's cookie contains the PHPSESSID, and every client request carries the header Cookie: PHPSESSID=37vjjasgjdv2ouk1uomhgqkv50. Each time the server receives a request it uses this PHPSESSID to locate the session file on the server; reading and writing that file is what implements the $_SESSION superglobal.

If the client has cookies disabled, PHPSESSID cannot be transferred by cookie, so on every request the server creates a new session file; no session file can be reused via PHPSESSID, and the session effectively fails.

For this case session.use_trans_sid can be set to transmit PHPSESSID. The difference from the cookie method is that PHPSESSID is passed as an HTTP GET parameter: every request URL is completed with the PHPSESSID parameter, as in "url?PHPSESSID=37vjjasgjdv2ouk1uomhgqkv50".

[Using a session in PHP CLI mode via session_id()]

session_id() returns the PHPSESSID of the current session, and it can also set the PHPSESSID of the current session.

Setting it this way in PHP CLI mode is a very convenient way to get a session going.

For example:

<?php
// Uncomment to pin the session to a known ID before session_start();
// otherwise PHP generates a fresh PHPSESSID for this run.
// session_id('vingbrv8m64asth0nhplu9gmb7');
session_start();
// Store a throwaway value under a random key so each run leaves a visible trace.
$_SESSION[md5(rand(100, 999))] = rand(100, 999);
var_dump($_SESSION);
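As an added example (not from the original post), here is a complete CLI round trip: it pins the ID with session_id(), writes through the files handler, shows the sess_<PHPSESSID> file from step 3, and reads the data back in a second session_start(). It assumes the PHP CLI with the session extension; the directory and key names are made up for the demo, and on PHP 7.1 and later the session.hash_function directive described above no longer exists, so the last lines print the directives that replaced it.

```php
<?php
// Added example (not from the original post): a CLI round trip through the
// "files" save handler, pinning the ID with session_id() before session_start()
// as the post describes. The ID is the one from the post's snippet, reused
// here purely as a sample; the directory and key names are made up.

$sessionId = 'vingbrv8m64asth0nhplu9gmb7';

// Private, writable store so the demo never touches a web server's sessions.
$savePath = sys_get_temp_dir() . '/php-session-demo';
if (!is_dir($savePath)) {
    mkdir($savePath, 0700, true);
}
ini_set('session.save_handler', 'files');
ini_set('session.save_path', $savePath);
// No cookie and no cache-limiter headers: the CLI has no browser to send them to,
// and trying after output would only raise "headers already sent" warnings.
ini_set('session.use_cookies', '0');
ini_set('session.cache_limiter', '');

// Run 1 (writer): pin the ID, start, store a value, flush to disk.
// Note: with session.use_strict_mode=1 PHP replaces an ID it never issued,
// so pinning an arbitrary ID like this only works with the default of 0.
session_id($sessionId);
session_start();
$_SESSION['demo_key'] = 'written by run 1';
session_write_close();

// Step 3 of the post: the data now sits in sess_<PHPSESSID> under save_path.
$file = $savePath . '/sess_' . $sessionId;
echo "session file: $file\n";
echo "serialized contents: " . file_get_contents($file) . "\n";

// Run 2 (reader): a fresh session_start() with the same ID sees the same data,
// which is what a browser achieves by sending Cookie: PHPSESSID=<id>.
$_SESSION = [];
session_id($sessionId);
session_start();
echo "read back: " . $_SESSION['demo_key'] . "\n";
session_write_close();

// On PHP 7.1+ session.hash_function is gone: the ID is random bytes sized by
// these directives rather than a hash of IP, time and a random number.
foreach (['session.sid_length', 'session.sid_bits_per_character', 'session.use_strict_mode'] as $k) {
    echo "$k = " . var_export(ini_get($k), true) . "\n";
}
```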

 

Guess you like

Origin www.cnblogs.com/opensmarty/p/11078439.html