Home>Article>PHP Framework> Detailed explanation of session expiration time in laravel

Detailed explanation of session expiration time in laravel

藏色散人
藏色散人 forward
2020-07-11 16:10:31 6652browse

The following tutorial column fromLaravelwill introduce you to the session expiration time in laravel. I hope it will be helpful to friends in need!

Detailed explanation of session expiration time in laravel

In the process of project development, the front-end and back-end separation need to use session to save the user’s login information

This involves the validity period of the session

Session is divided into session validity period in php and session validity period in laravel

Their default validity period is

View session.gc_maxlifetime in php.ini

The default is 1440 seconds, which is almost 24 minutes

And laravel's session validity period is in config/session.php

'lifetime' => 120, 'expire_on_close' => false,

If 'expire_on_close' is set to If false, 'lifetime' is valid. If 'expire_on_close' is set to true, 'lifetime' is invalid.

About the specific use of laravel's session

Learning source: https://www.chenyudong .com/archives/laravel-session-use.html

Official document address: http://laravelacademy.org/post/7954.html

Use Laravel to develop applications and convert the original Copy the code. The previous code session used$_SESSION. I thought it would run well after transplanting it because it did not rely on other components. As a result, this

Undefined variable appeared: _SESSION

Laravel's session configuration file is configured inapp/config/session.php. When using it, you can take a look at the option settings and comments available in the session configuration file.

Laravel usesfileby default to implement session. She does not use PHP's native $_SESSION (php's native session depends on the location of php.ini), so it ignores PHP-related session functions, such assession_start(),$_SESSION. During the running process, Laravel will write session information in theapp/storage/session/directory, so this directory needs to have write permission, otherwise the session will not be written successfully.

In addition to using the default file as the session implementation, Laravel also supportscookie,Memcached,RedisanddatabaseThe back-end driver serves as the implementation of session. When necessary, you need to implement a session implementation yourself, such as in the interaction between WeChat public accounts and users. The session cannot be used directly, because the WeChat server makes the request every time, and the user cannot be identified by the source of the request.

Laravel's session brief API

Session's API is relatively simple. You can probably know what it means by looking at the Chinese documentation. But there are a few that are not easy to understand.

//session的永久保存(在不过期范围内) Session::put('key', 'value'); //等同于PHP的原生session $_SESSION['key'] = 'value'; //get操作 $value = Session::get('key', 'default'); //去除操作并删除,类似pop概念 $value = Session::pull('key', 'default'); //检测是否存在key Session::has('users'); //删除key Session::forget('key');

As long as the session does not expire, this correspondence is basically saved permanently and will exist for the next http request. Different from the following flash concept.

The concept of flash in laravel's session

But Laravel came up with the concept offlash flash, which confused me all of a sudden. This flash is valid for two requests (this time and the next request are valid), regardless of how many times this request is performed.

//保存key,value Session::flash('key', 'value'); //取值方法还是一样的 Session::get('key'); //刷新快闪数据时间,保持到下次请求 Session::keep(array('username', 'email'));

The concept of thisflashis different from the concept ofputabove.

  • put: As long as the session does not expire, this correspondence is basically saved permanently and will exist for the next request.
  • flash: The saved value can be used in this request and the next http request, but it will not exist the next time.

That is to say, the next request will be destroyed when it is used up. It will not make the session value become larger and larger, and some temporary data can be saved.

Usage scenarios for this situation include:

  • The user requests a page, an error message appears, and is redirected to a new page, which needs to display the previous data. (Although it can be passed through url parameters, there may be XSS vulnerabilities if not handled properly).
  • The user visited a page, and the filter found that it did not have permission. It saved the current page URL and redirected to the login page. If the login was successful, the value was taken out and redirected to the original page. (You may need to refresh the saved flash data here)

Session landing time

I naively thought thatSession::put# was used ##The function can save this variable. So my code is written like this:

class LoginController { public function login(){ Session::put('key','value'); print_r( Session::all() ); //取出来看看是否put成功 exit; //习惯性的调试都exit,不执行后续代码 //return Redirect::to(/); 框架在return后还会有后续的代码执行的 } }

As a result, the next request cannot find this Session, and looking at the

app/storage/sessiondirectory, no file is generated. Something feels wrong.

Later I saw a method on the Internet

Session::save(), so I also used it and found that the session file was successfully generated. So I felt that Laravel does not use PHP's native session, so it should do something after the controller to write the session to the file, instead of writing everyputoperation, which will cause IO operations Too frequent will affect performance.

View the code related to the call. After laravel is compiled, in

bootstrap/compiled.php

class Middleware implements HttpKernelInterface { ... public function handle(Request $request, $type = HttpKernelInterface::MASTER_REQUEST, $catch = true) { $this->checkRequestForArraySessions($request); if ($this->sessionConfigured()) { $session = $this->startSession($request); // 启动session $request->setSession($session); } $response = $this->app->handle($request, $type, $catch); // 调用controller的method if ($this->sessionConfigured()) { $this->closeSession($session); //关闭session $this->addCookieToResponse($response, $session); } return $response; } ... protected function closeSession(SessionInterface $session) { $session->save(); // 保存session $this->collectGarbage($session); } }

小提示:如果不知道函数调用情况,可以在controller中 throw new Exception();,然后在 /config/app.php的debug更改为 debug=>true。可以看到函数的调用关系。

可以看见,在调用完controller之后,调用了session->save()的方法,来主动的保存session。这样session才能落地保存起来,如果在controller或者view里面写了exit;,那么session是不会被保存的,除非主动的写Session::save()才能手工的保存起来。因此在debug调试的时候千万要注意啊。

The above is the detailed content of Detailed explanation of session expiration time in laravel. For more information, please follow other related articles on the PHP Chinese website!

Statement:
This article is reproduced at:cnblogs.com. If there is any infringement, please contact admin@php.cn delete