All geek questions in one place

How does PHP detect session timeout?

I am wondering how PHP detects that a particular session has ended.

In detail: I use the default session handler (file-based), with the default session lifetime, and so on. Everything in php.ini is by default.

If the session is now running, PHP checks (depending on non session.gc_divisor and session.gc_probability) if there are any timeouts. But where does PHP get the time of the last access session from the sessions to validate?

The session file itself contains only the workload, for example. x|i:1; for a $_SESSION['x'] = 1; therefore there is no information about the session access time.

I think that there is no information in the memory about the start time of the session, since the sessions still work after the server is completely restarted.

So where does PHP get information from? Is this a mtime / ctime session file comparison?

+6
source share
1 answer

The PHP session handler by default stores $ _SESSION data in a file using serialize() , in the directory specified by session.save_path . Typically, the file name looks like $filename = 'sess_' . session_id() $filename = 'sess_' . session_id() .

Since this is just a file, PHP can use the mtime file (last modification time) to determine which session files are out of date. Basically, this will capture all session files whose mtime exceeds session.gc_maxlifetime and unlink() . As you said, the probability of performing a cleanup is determined by the session.gc_* ini variables.

Now, if you create your own session handlers using session_set_save_handler() , it all comes out of the window, and now you have control over how the sessions are stored and cleared, but this explains the default behavior.

+8
source

Source: https://habr.com/ru/post/918285/

More articles:


All Articles