In recent online exchanges, I found that people have many misunderstandings about the use of SESSION. Essentially, they do not understand how SESSION works.
When a SESSION session is opened, it will first send a cookie that uniquely identifies the session_id of the browser (the name is PHPSESSID and can be obtained through session_name()). In the same case as session.save_handler = files, in the specified directory of the server (such as temp) generate a file without suffix, the name is
'sess_" + 'session_id';
This completes the basic settings. Then the next time an http request is initiated, the browser will first send all cookie names and values under the current domain name, so that the server can read the session file based on the session_id in the cookie without confusing who the session belongs to.
This step is as follows:
SESSION sends a unique cookie variable session_id to the browser. This session_id variable has a name and a value. The variable name (name) defaults to PHPSESSID, and the variable value (value) is a string randomly generated by apach, similar to rvag9m368vim7k8g4v7k2ank70. The session_id usually refers to this unique string rvag9m368vim7k8g4v7k2ank70.
The details are as follows under the HTTP response header of FF:
session_start();
The above sentence in the program completes the above function. If the browser does not send the cookie of PHPSESSID, it will send one, and if it does, it will read the cookie, so that the same session can be maintained.
Well, now that we know how the session works, we can deduce that if we manually delete the file sess_rvag9m368vim7k8g4v7k2ank70 on the server side, the session will be invalid. If the browser cookie is invalid, the session will still be invalid.
In manual case:
On the server side, you can use
session_ destroy() or session_ unset()
to disable it.
On the browser side:
You can directly www.2cto.com
setcookie('PHPSESSID','',123);
Let the cookie expire, or another way, but not immediately
session_set_cookie_params($time);//The seconds on the current timestamp, such as 60, that is, let it expire after 60 seconds, Do not use timestamp + set by yourself time.
The above mentioned are all about letting the session expire early, but is it possible to directly delay the session? In addition to modifying the configuration (session.gc_maxlifetime), the expiration time is set in session.gc_maxlifetime in php.ini. At this time, there is a probability that session.gc_probability /session.gc_divisor will be recycled. If this time is reached and the GC process is started, the GC will read the modification time (mtime) of the session file and find that it is greater than session.gc_maxlifetime after subtracting the current time, and delete it immediately. At this point, we understand how to maintain this session. It can only be maintained within session.gc_maxlifetime. A user must be accessing it. The session must be modified every time it is accessed. This way, the session will have more survival time than session.gc_maxlifetime. .
In addition, let’s talk about session.cookie_lifetime, which sets the survival time of PHPSESSID in the browser. The default is 0. I found it to be normal under IE. The cookie will become invalid when the browser is restarted; it continues to exist under FF. To set session.cookie_lifetime, you can use session_set_cookie_params,
session_set_cookie_params(60);//60 s
session_start();
session.gc_maxlifetime和session.cookie_lifetime 共同决定了session的生存时间。
-------------------------------------------------------------
刚刚找了一下firefox cookie会话过期的资料,发现如下
This is apparently by design. Check out this Bugzilla bug:https://bugzilla.mozilla.org/show_bug.cgi?id=443354
Firefox has a feature where you close Firefox and it offers to save all your tabs, and then you restore the browser and those tabs come back. That's called session restore. What I didn't realize is that it'll also restore all the session cookies for those pages too! It treats it like you had never closed the browser.
This makes sense in the sense that if your browser crashed you get right back to where you were, but is a little disconcerting for web devs used to session cookies getting cleared. I've got some old session cookies from months ago that were set by sites I always have open in tabs.
To test this out, close all the tabs in your browser, then close the browser and restart it. I think the session cookies for your site should clear in that case. Otherwise you'd have to turn off session restore.
这是火狐的会话保存功能,FF设计就是如此。可以做这个close all the tabs in your browser, then close the browser and restart it测试,看看是否还保存着。
摘自 技术熊猫
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
