Understanding Sessions in PHP

My questions:

  • session.gc_maxlifetime in php.ini: does session.gc_maxlifetime start from session_start() or the last server request? (Assuming I have multiple requests without calling session_start().)

  • What is the best practice of using the $_SESSION object so as not to waste precious RAM (automatically flush idle sessions over time)? Or is it something that happens automatically at the time specified in session.gc_maxlifetime?

  • How to check if a session has ended (unlike a session that has never been created)? Or are both the same? isset($_SESSION['any_variable']) === FALSE
  • Assuming I have no control over php.ini, how to increase session.gc_maxlifetime?
  • session_start(): If a session has a timeout, calling session_start always starts a session with inaccessible previous variables (new session). Is that right?
1 answer
  • Good question! I would suggest that the default file system session handler will be disconnected from last access, but not all file systems support the atime timestamp. I will see what I can learn on this front.
  • Sessions are stored as files on disk by default. They load only at boot time. If you have not created a user session handler that stores sessions on a RAM disk or memcache server or similar, or if you do not store a huge number of states in a user session, I doubt that memory usage will be a serious problem.
  • When session_start() is called, the previous session data is loaded into PHP. If the session has expired, then no session data will be downloaded and a new empty session will be created. So yes, if you check for the presence of the variable in $_SESSION that you always expect, you can use this to determine if a user session has ended (but only after calling session_start()).
  • Just set gc_maxlifetime for how long you want your sessions to last in seconds. 600 - 10 minutes, 86400 - one day, etc.
  • Yes (with some reservations, see below).

There are a few things you need to know with sessions. Firstly, there are two components for a session: a server-side state record that contains all the data stored in the session, and a client-side token that PHP uses to associate a specific user with a particular state record. Typically, the client-side token is a cookie. Cookies have their own expiration date, so it is possible that the session may expire before the session state needs to do so. In this case, the user will stop sending the token, and the session state will be effectively lost. If you adjust how long the session lasts, you need to set the expiration time on the server side and the expiration time on the client side.

Regarding the deprecated state, the session garbage collection system does not always start every time session_start() is called. If it were overhead, it would distort a large PHP site with many sessions. There are configuration parameters that determine the likelihood that the GC will work on any session_start call (I believe it is 1% by default). If it does not start, then the obsolete session record can still be considered valid and used to populate $_SESSION. This will probably not have a major impact on your system, but this is what you need to keep in mind.


Source: https://habr.com/ru/post/974961/
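The points in the answer above combine into one session bootstrap. This is an added example, not code from the original question or answer: it enforces the idle timeout in the application because garbage collection is probabilistic, keeps the cookie expiry aligned with the server-side lifetime, and tells an ended session apart from one that never existed. The names `IDLE_LIMIT`, `classify_session`, `start_session_with_idle_timeout` and the `last_seen` key are assumptions, and the array form of `setcookie()` assumes PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT = 600; // assumed idle limit in seconds (10 minutes)

// Returns 'new' (never created), 'expired' (ended) or 'active'.
function classify_session(array $session, array $cookies, string $name, int $now, int $limit): string
{
    if (!isset($session['last_seen'])) {
        // No server-side record: a cookie without a record means the record
        // is gone (or the ID was never issued here); no cookie means first visit.
        return isset($cookies[$name]) ? 'expired' : 'new';
    }
    // Record still on disk: garbage collection is probabilistic, so check age here.
    return ($now - (int) $session['last_seen'] > $limit) ? 'expired' : 'active';
}

function start_session_with_idle_timeout(int $limit = IDLE_LIMIT): string
{
    // Runtime overrides for hosts where php.ini is off limits; set before session_start().
    ini_set('session.gc_maxlifetime', (string) $limit);
    ini_set('session.use_strict_mode', '1'); // refuse IDs the server did not issue

    session_start();
    $state = classify_session($_SESSION, $_COOKIE, session_name(), time(), $limit);

    if ($state === 'expired') {
        $_SESSION = [];               // drop stale data that GC has not removed yet
        session_regenerate_id(true);  // new ID, old record deleted
    }
    $_SESSION['last_seen'] = time();

    // Re-send the cookie so the client-side expiry slides with the server-side one.
    setcookie(session_name(), session_id(), [
        'expires'  => time() + $limit,
        'path'     => '/',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $state;
}

// Usage: $state = start_session_with_idle_timeout(); // call before any output is sent
```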

