Let's first analyze how a session is generated in PHP. Sessions exist to keep per-user state on top of HTTP, which is stateless. This raises a question: we all know the session is stored on the server, so if it maintains each user's state, what does it use to tell users apart? This is where cookies come in. When session_start(); is called in the code, PHP creates a file in the session storage directory (default /tmp/) and sets a cookie on the client. The session file name looks like this:
The format is sess_{SESSIONID}. At this point the session file is still empty. Now add these two lines after session_start();:
$_SESSION['name'] = 'wanchun0222';
$_SESSION['blog'] = 'coderbolg.net';
The file now has content:
name|s:11:"wanchun0222";blog|s:13:"coderbolg.net";
Look at the cookie again now:
You can see that the server automatically generated a cookie for us. The cookie name is "PHPSESSID" and the cookie content is a string of characters; that string is {SESSIONID}. So when we use a session, PHP first generates a unique SESSIONID (such as 2bd170b3f86523f1b1b60b55ffde0f66), then creates a file named sess_{SESSIONID} in the default directory on our server, and at the same time sets a cookie on the current user's client with the content already described. In this way PHP generates one SESSIONID per user, which means one session file per user. The first time PHP uses a session for a user, it writes a cookie to the client. On later visits the browser sends this cookie along; PHP reads the SESSIONID out of it and uses that SESSIONID to look up the session file in the session directory. Once the file is found, calling $_SESSION['blog'] returns the stored value.
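The following is an added example, not code from the original article. It walks through the mechanism just described on the command line: session_start() creates sess_{SESSIONID} under the save path, the cookie name is session_name() (PHPSESSID), and on a later request PHP uses the id from that cookie to locate and load the file. It assumes the default "files" save handler and the default "php" serializer (the format shown above); a private temp directory stands in for /tmp so the demo does not touch real sessions.

```php
<?php
// Added example (not from the original article): where PHP stores a session,
// what the serialized file looks like, and how a later request finds it again.
// Assumes the default "files" save handler and "php" serialize handler.

$dir = sys_get_temp_dir() . '/sess_demo_' . getmypid();
mkdir($dir, 0700);
ini_set('session.save_path', $dir);   // private directory instead of the shared /tmp

$log = [];   // collect output; printing before session_start() would send headers early

// --- request 1: first use of the session for this user --------------------
session_start();
$id   = session_id();                 // the value that goes into the PHPSESSID cookie
$file = "$dir/sess_$id";
$log[] = 'file created on session_start(): ' . var_export(file_exists($file), true);

$_SESSION['name'] = 'wanchun0222';
$_SESSION['blog'] = 'coderbolg.net';
session_write_close();                // end of request: $_SESSION is flushed to disk

$log[] = 'cookie name : ' . session_name();   // PHPSESSID by default
$log[] = "SESSIONID   : $id";
$log[] = "session file: $file";
$log[] = 'raw contents: ' . file_get_contents($file);
// raw contents: name|s:11:"wanchun0222";blog|s:13:"coderbolg.net";

// --- request 2: the browser sends the cookie back --------------------------
// In a web request PHP reads the id from $_COOKIE['PHPSESSID']; on the CLI we
// hand it over explicitly, which is exactly what that cookie lookup amounts to.
session_id($id);
session_start();                      // loads sess_{SESSIONID} into $_SESSION
$log[] = "\$_SESSION['blog'] = " . $_SESSION['blog'];

session_destroy();                    // removes sess_{SESSIONID}
rmdir($dir);

echo implode("\n", $log), "\n";
```

Run it with `php demo.php`. The raw file line reproduces the name|s:11:"..." format from the article, and the second session_start() shows that nothing but the id is needed to get the data back, which is why the id must stay confidential.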
Now that we understand how sessions are generated and how they work, we can see that the session directory will accumulate many session files. Of course, these files must not live forever, so PHP provides an expiry and recycling mechanism. In php.ini, session.gc_maxlifetime sets the session lifetime (default 1440 s). If a session file's last update time is older than this lifetime, the file is considered expired and will be deleted the next time session recycling runs. When does the next recycling run? It is tied to the number of PHP requests: internally, every N requests trigger one recycling pass. How many requests that takes is controlled by these two parameters:
session.gc_probability = 1
session.gc_divisor = 100
These are the php.ini defaults, meaning one recycling pass happens for every 100 PHP requests; the probability is gc_probability/gc_divisor. Having covered the server-side session expiry mechanism, let's look at the client-side cookie expiry mechanism.
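The following is an added example, not code from the original article. It reproduces what the built-in "files" handler does when a recycling pass fires: every sess_* file whose modification time is older than session.gc_maxlifetime is unlinked, and it computes the trigger chance from gc_probability and gc_divisor. The two session files are constructed for the demo (a fresh one and a stale one); the function names are hypothetical.

```php
<?php
// Added example (not from the original article): session garbage collection
// as the "files" handler performs it, run over constructed session files.

/** Chance that one request triggers GC, from the two php.ini values. */
function gcChance(int $probability, int $divisor): float
{
    return $divisor > 0 ? $probability / $divisor : 0.0;
}

/**
 * Delete expired session files in $dir and return the ids that were removed.
 * Expiry is judged on the file's mtime, exactly like the files handler:
 * a file is stale when (now - mtime) > maxlifetime.
 */
function collectExpiredSessions(string $dir, int $maxlifetime, ?int $now = null): array
{
    $now     = $now ?? time();
    $removed = [];
    foreach (glob($dir . '/sess_*') as $file) {
        if ($now - filemtime($file) > $maxlifetime) {
            unlink($file);
            $removed[] = substr(basename($file), strlen('sess_'));
        }
    }
    return $removed;
}

// --- demo with constructed files -------------------------------------------
$dir = sys_get_temp_dir() . '/sess_gc_demo_' . getmypid();
mkdir($dir, 0700);

$maxlifetime = 1440;                   // php.ini default, in seconds
$fresh = "$dir/sess_fresh000";         // last updated 10 s ago   -> kept
$stale = "$dir/sess_stale000";         // last updated 2000 s ago -> expired
file_put_contents($fresh, 'name|s:11:"wanchun0222";');
file_put_contents($stale, 'blog|s:13:"coderbolg.net";');
touch($fresh, time() - 10);
touch($stale, time() - 2000);

printf("GC runs on %.0f%% of requests (gc_probability/gc_divisor = 1/100)\n",
       gcChance(1, 100) * 100);
print_r(collectExpiredSessions($dir, $maxlifetime));   // Array ( [0] => stale000 )
print_r(array_map('basename', glob("$dir/sess_*")));   // Array ( [0] => sess_fresh000 )

// cleanup
array_map('unlink', glob("$dir/sess_*"));
rmdir($dir);
```

Two practical caveats follow from this model. A stale file is only "considered expired" until a pass actually runs, so with the 1/100 default a rarely visited site can keep expired files on disk for a long time; and Debian-based distributions ship gc_probability = 0 and clean the session directory from a cron job instead, so on those systems the values in php.ini are not the whole story.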
If the cookie has expired, the browser naturally cannot send it to the server, and then even if the session file exists on the server it is useless, because PHP does not know which session file to read. We know that a PHP cookie's expiry time is set when it is created, so what is the lifetime of the cookie PHP creates on the client when it creates the session? This is set in php.ini: session.cookie_lifetime. The default is 0, meaning the SESSIONID expires as soon as the browser is closed. So if we set session.gc_maxlifetime and session.cookie_lifetime to the same value, we can control when the session expires.
From the above we can see that if the user disables cookies, our session cannot work at all. Yes, that is indeed the case. Is the cookie the only client-side storage mechanism for PHP sessions? No. Since the SESSIONID cannot be carried between pages by a cookie, we have another tool: passing it between pages as a GET parameter.
PHP can automatically pass the SESSIONID across pages via GET when cookies are disabled, provided session.use_trans_sid is set to 1 in php.ini. Then, when we use a session with cookies disabled on the client and click a link on the current page to another page, PHP automatically appends the SESSIONID parameter to the link, like this: nextpage.php?SESSIONID=2bd170b3f86523f1b1b60b55ffde0f66. I think you can see the drawback of this approach: it does not seem secure enough.
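The following is an added example, not code from the original article. It applies the php.ini values discussed above from code, before session_start(), replacing the weak combination the article ends on (use_trans_sid = 1, cookie_lifetime = 0 next to gc_maxlifetime = 1440) with one where the SESSIONID travels only in the cookie and both expiry clocks agree. The function name and the returned array are hypothetical; the ini directives and session_set_cookie_params() are standard PHP (the array form needs PHP 7.3 or later).

```php
<?php
// Added example (not from the original article): configure session transport
// and lifetime in code, before session_start(), so that the id is carried only
// by the cookie and cookie_lifetime matches gc_maxlifetime.

/**
 * Apply the settings and return the effective values so they can be logged.
 * Hypothetical helper; the directives it sets are real php.ini settings.
 */
function configureSession(int $lifetime = 1440): array
{
    // Weak settings discussed above: use_trans_sid=1 appends the id to every
    // link; cookie_lifetime=0 and gc_maxlifetime=1440 expire on different clocks.
    ini_set('session.use_trans_sid', '0');     // never put the id into URLs
    ini_set('session.use_only_cookies', '1');  // ignore ids arriving via GET/POST
    ini_set('session.use_strict_mode', '1');   // reject ids PHP did not issue itself
    ini_set('session.gc_maxlifetime', (string) $lifetime);

    // Cookie lifetime = server-side lifetime, plus the usual cookie flags.
    session_set_cookie_params([
        'lifetime' => $lifetime,
        'path'     => '/',
        'secure'   => true,    // HTTPS only; set to false only on a plain-HTTP dev box
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);

    return [
        'use_trans_sid'    => ini_get('session.use_trans_sid'),
        'use_only_cookies' => ini_get('session.use_only_cookies'),
        'use_strict_mode'  => ini_get('session.use_strict_mode'),
        'gc_maxlifetime'   => ini_get('session.gc_maxlifetime'),
        'cookie_lifetime'  => session_get_cookie_params()['lifetime'],
    ];
}

$settings = configureSession(1440);
session_start();          // must come after the configuration above
print_r($settings);
```

With use_only_cookies = 1 a visitor who has disabled cookies simply gets no session, which is the trade-off the article points at: the GET fallback keeps such users working, but at the cost of exposing the SESSIONID in links, browser history and Referer headers.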
The above is the detailed content of Understand the session garbage collection mechanism in php. For more information, please follow other related articles on the PHP Chinese website!