Session generation mechanism in PHP
Let’s take a look at how a session is generated in PHP. Sessions are designed to maintain various states for each user to compensate for the HTTP protocol’s shortcomings (statelessness).
Now we have a question, we all know that the session is stored on the server, if it’s used to maintain the state of each user what does it use to differentiate users? That’s where cookies come in. When we call session_start() in our code; PHP generates a file in both the SESSION directory (default: / TMP /) and the client’s cookie directory. The session file name looks like this:
Sess_ {SESSIONID}, there is nothing in the session file, when session_start(); Add these two lines of code:
$_SESSION['name'] = 'phper';
$_SESSION['blog'] = 'startphp.cn';
Copy the code
Now the file has content:
name|s:5:"phper"; blog|s:11:"startphp.cn";Copy the code
Now look at the cookie:
Can see that the server for us to automatically generate a cookie, entitled as “PHPSESSID” cookies, cookies content is a string of characters, in fact this string of characters is {SESSIONID}.
Maybe you already know, when we use session, PHP Mr Into a unique SESSIONID number (e.g., 2 bd170b3f86523f1b1b60b55ffde0f66), then in our server’s default directory to generate a file, The file name is sess_{SESSIONID}, and a cookie is generated on the current user’s client, as described. PHP will then generate a session ID for each user, meaning one session file per user.
PHP writes a cookie to the client the first time it uses a session for a user, and when the user accesses it in the future, the browser takes the cookie, and PHP reads the SESSIONID inside the cookie, Take the SESSIONID and go to the session directory and find the session file. When found, it is displayed when $_SESSION[‘blog’] is called.
2. Session expiration recycle mechanism in PHP
We understand how sessions are generated and how they work. We find that there are many session files in the session directory. Of course, these files don’t exist forever, and PHP must provide a mechanism to recycle them. In php.ini session. gc_maxLifetime sets the lifetime of the session (default: 1440s). If the last update date of a session file exceeds its lifetime by now, the session file is considered expired. It will be deleted the next time the session is reclaimed. So when is the next session recycle going to happen? It depends on the number of PHP requests. In PHP internals, a callback mechanism is triggered when PHP is requested N times. The number of times a request is triggered is controlled by two parameters:
session.gc_probability = 1
session.gc_divisor = 100
Copy the code
This is the default setting for php.ini, which means that one collection occurs for every 100 PHP requests. The probability is gC_probability/GC_divisor. Now that we’ve seen the session expiration mechanism on the server side, let’s look at the cookie expiration mechanism on the client side.
If the cookie is dead and the browser can’t send the cookie to the server, it doesn’t matter if the server’s session file exists because PHP doesn’t know which session file to read. We know that PHP’s cookie expiration time is set at creation time, so what is the lifetime of a cookie that PHP creates for a client while creating a session?
This is set in php.ini: session.cookie_lifetime. The default value is 0, which means that the SESSIONID expires when the browser closes. Cookie_lifetime = session.cookie_lifetime = session.cookie_lifetime = session.cookie_lifetime
3. Client storage mechanism of SESSION in PHP
As we can see from the above, if the user closes the cookie, our session will not work at all. Yes, that’s true. Is the client storage mechanism for session in PHP only cookie? Isn’t. Since our SESSIONID can’t be passed to pages via cookies, we have another trick, which is to pass values via page GET.
PHP can automatically pass the SESSIONID across pages by GET when cookies are disabled, provided that php.ini’s session.use_trans_sid is set to 1. PHP automatically adds the SESSIONID parameter to the link when cookies are disabled on the client and the link is clicked to another page, like nextPage.php? Bd170b3f86523f1b1b60b55ffde0f66 SESSIONID = 2.
I think you can see the downside of this approach: it’s a little insecure.
I hope the above content can help you. Many PHPer will encounter some problems and bottlenecks when they are advanced, and they have no sense of direction when writing too many business codes. I have sorted out some information, including but not limited to: Distributed architecture, high scalability, high performance, high concurrency, server performance tuning, TP6, Laravel, Redis, Swoft, Kafka, Mysql optimization, shell scripting, Docker, microservices, Nginx, etc. Many knowledge points can be free to share with you