How to maintain SESSION in PHP and some thoughts caused by it. A recent project contained a relatively large form. It took a lot of time for users to complete it. After many users spent a lot of hard work to complete it, they discovered the SESSION as soon as they submitted it. It expired and the system exited, so it became necessary to study how to set up SESSION and keep SESSION online. Here are some insights.
What is SESSION?
According to the WIKI explanation, SESSION is the interactive information that exists between two communication devices. It is established at a certain time and expires after a certain period of time. Common SESSIONs include: TCP SESSION, WEB SESSION (HTTP SESSION), LOGIN SESSION, etc.
According to the different positions of session implementation in the OSI model, SESSION is mainly divided into several types. One is the application layer session, including WEB SESSION (HTTP SESSION) and telnet remote login session; the session layer implementation includes Session Initiation Protocol (SIP) and Internet Phone Call; TCP SESSION is implemented at the transport layer.
This article mainly discusses WEB SESSION. There are generally two types: Client-side SESSION and Server-side SESSION. The latter is most commonly provided by Java Beans.
What does SESSION do?
In the computer field, especially in the network, SESSION is particularly widely used. It can also be called a dialogue (Dialogue), session, etc. It generally refers to the state stored between two communication devices. Sometimes it also occurs between the user and the computer (Login SESSION).
Different from stateless communication, SESSION is usually used to store communication status. Therefore, at least one of the two communicating parties needs to store the history of SESSION to achieve communication between the two.
How is SESSION (WEB SESSION) implemented?
When HTTP communication is carried out between the browser and the server, an HTTP Cookie is usually included to identify the status. There is usually a unique SESSIONID. SESSION usually records some verification information and levels of the user.
The most commonly used Http Session Tokens in several programming languages are, JSESSIONID (JSP), PHPSESSID (PHP), ASPSESSIONID (ASP). This identifier is usually generated by a hash function and can uniquely represent this user. The identity is stored on the client as a GET or POST parameter when the server communicates with the client.
There are usually two ways to implement SESSION, server-side SESSION and client-side SESSION. Both methods have their own advantages and disadvantages.
Server-side SESSION is easy to implement and relatively efficient, but it is more difficult to handle when encountering load balancing or high availability requirements. It is also unavailable when there is no storage device in the endogenous system. Load balancing can be achieved by sharing file systems or forcing customers to log in to only one server, but this will reduce efficiency. For devices without storage, server-side SESSION implementation can also be solved by using RAM (see Reference 6). This method is effective for systems with limited client connections (such as routing or access point devices).
The use of client-side SESSION can solve some problems of server-side SESSION, such as avoiding load balancing algorithms, etc., but it will also cause some problems of its own. Client SESSION uses cookies and encryption technology to save state between different requests. After each dynamic page ends, the current SESSION will be counted and sent back to the client. After each successful request, the cookie will be sent to the server to let the server "remember" the user's identity. The most important issue with client SESSION is security. Once the cookie is hijacked or tampered with, the security of the user's information will be lost.
How to set SESSION in PHP?
After setting up the PHP development environment, you can view the SESSION-related parts through phpinfo() including:
SESSION module, in PHP V5.2.9 version, there are a total of 25 variables . Among them, a few that are often used in daily settings are:
The expiration of SESSION relies on a garbage collection mechanism (Garbage Collection). After SESSION is created, it is stored as a file on the server. Every time the client script accesses the variables in SESSION, the access time of the SESSION file will be updated. Each visit requests the unique SESSION stored in the server based on the SESSIONID stored on the client. When the client's cookie expires, it is impossible to know which SESSION to access, although the SESSION file on the server has not yet been accessed. Recycling after expiration will cause a waste of server resources.
But at the same time, if we want the user's session to expire immediately, we can achieve this by setting cookies. SESSION recycling is performed every time the page is accessed. The probability of recycling is specified by session.gc_probability, session_gc_divisor, and the default is ±1/100. If set to 1, every time the SESSION is accessed beyond its lifetime, the SESSION will be recycled.
Two requirements:
1. Keep the SESSION from expiring or extend the SESSION expiration time;
2. Make the SESSION expire immediately.
1. It is very necessary to keep the SESSION from expiring and extend the SESSION expiration time, especially in internal application systems or when there are large forms. Think about your boss filling out a form, and it happened to be lunch time. He kept the form and waited until he came back from lunch. After filling in the remaining content, what he saw after submission was generally a login interface. If we want to improve the user experience, the key is to prevent the boss's form from causing problems. We must extend the life cycle of SESSION.
Keeping the SESSION from expiring and extending the SESSION expiration time can be achieved by setting session.gc_maxlifetime. However, you first need to ensure that the client's cookie will not expire before the gc executes recycling. By setting a longer gc_maxlifetime, the session lifetime can be extended. However, for applications where not all requests will be kept for a long time, this is obviously not the best choice for server configuration.
We know that the recycling mechanism of SESSION is judged based on the last access time of the SESSION file. If it exceeds maxlifetime, it will be recycled according to the recycling probability. So we only need to visit SESSION regularly, and this can be achieved by refreshing the page. According to this idea, there is a solution.
Use JS to access the page regularly;
Use Iframe to refresh the page regularly;
Use the program directly to send HTTP requests, so that you can avoid embedding other elements in the page;
The following is an implementation method that uses JS to send requests to keep the SESSION from expiring, so that we only need to keep the SESSION for a long time on pages (such as large form pages).
2. There are many ways to make SESSION expire immediately. We can use session_destroy(), or we can use the above idea to request a session_destroy page.
Is SESSION safe?
The PHP manual clearly states: SESSION does not guarantee that the information stored in SESSION can only be seen by its creator.
If you want to handle some remote operations securely, HTTPS is the only choice. The most basic thing is, don't think that just because a user's information exists in SESSION, it means that the user must be him/herself, although the information in SESSION will give you the illusion that he has been verified by user name and password. Therefore, if you need to change the password or similar things, asking the user to re-enter the password is a better choice.
Early Apache versions did not use COOKIE to store PHPSESSID, but used URL-rewrite, that is, PHPSESSID=
Supplements:
Methods that can be used if the client does not support JavaScript:
1. Write a floating layer and display it on the top level , if the user does not disable JS, let the floating layer disappear;
2. Set all INPUT to disable, and then use JS to set it to enabled;
The above two methods are both in JS When it is disabled, all functions are unavailable. How to make our application still work normally when JS is disabled seems to be more difficult. You have to weigh the time it takes to achieve this and the results you get.