Four answers to an interview question: how to set a Session in PHP that strictly expires in 30 minutes

  • 2021-07-10 18:57:48
  • OfStack

Today, I posted a question on my Weibo:

When I interview people, I often ask a question: "How do you set up a Session that expires in 30 minutes?" Don't think it looks simple; it involves a lot of knowledge and is especially suitable for checking whether someone's basic skills are solid. Who wants to try answering? Hehe

Why ask this question?

1. I saw someone talking about this on Stack Overflow
2. It reminded me that I often ask this question myself, so ~ ~

Here, let me answer this question.

The first answer

The most common answer is to set the expiration time of the Session, that is, session.gc_maxlifetime. This is incorrect for the following reasons:

1. First of all, PHP runs the session gc with a fixed probability, determined by session.gc_probability and session.gc_divisor (for an introduction, see the article on the Permission denied Notice encountered with Session). Their default values are 1 and 100 respectively, that is, there is a 1% chance that PHP will run the Session gc when a Session starts. There is no guarantee that a Session will definitely expire at 30 minutes.

2. What about setting a high probability for the clean-up? Still wrong. Why? Because PHP uses stat to read the modification time of the Session file and decide whether it has expired. If you increase this probability, first, it will degrade performance. Second, PHP uses a single file to save all the Session variables that belong to one session. If I set a Session variable a=1 5 minutes ago and set a Session variable b=2 5 minutes later, then the modification time of this Session file is the time when b was added, so a cannot be cleaned up at the 30-minute mark. There is also the third reason below.

3. By default, PHP (on Linux, for example) uses /tmp as the storage directory for Session files, and the manual also contains the following description:

Note: If different scripts have different session.gc_maxlifetime values but share the same place to store session data, the script with the smallest value cleans up the data. In this case, use this directive together with session.save_path.

That is to say, if two applications do not specify their own independent save_path, and one has set the expiration time to 2 minutes (call it A) while the other has set it to 30 minutes (call it B), then every time the Session gc of A runs, Session files belonging to application B will be deleted as well.

Therefore, the first answer is not "completely strictly" correct.

The second answer

Another common answer is to set the expiration time of the Cookie that carries the Session ID, that is, session.cookie_lifetime. This answer is also incorrect for the following reasons:

This expiration is only the Cookie expiration. To put it another way, this examines the difference between Cookie and Session. Session expiration is enforced by the server, while Cookie expiration is enforced by the client (browser). Even if you set a Cookie expiration, it only guarantees that a standard browser will not send this Cookie (containing the Session ID) once it has expired; if the request is constructed by hand, the Session ID can still be used.

The third answer

Use memcache, redis, etc. OK, this is a correct answer. However, the interviewer will obviously go on to ask: what if you can only use PHP?

The fourth answer

Of course, the interview is not meant to trip you up, but to examine how thoroughly you think things through. During the process I will point out these traps, so generally speaking, the approach that satisfies the question is:

1. Set the Cookie expiration time to 30 minutes, and set the lifetime of the Session to 30 minutes as well.

2. Add a timestamp to every Session value.

3. Before each access, check the timestamp.
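
The three steps above, as an added PHP example that is not code from the original post; it also gives the application its own save_path, as the third point of the first answer suggests. The helper names `strict_session_start`, `session_put` and `session_get`, the `SESSION_TTL` constant and the save path passed in are assumptions, and the timestamps in the demo are constructed.

```php
<?php
// Added example, not from the original post. Helper names and the
// save path passed to strict_session_start() are hypothetical.
const SESSION_TTL = 1800; // 30 minutes, in seconds

function strict_session_start(string $savePath): void
{
    // Step 1: cookie lifetime and session lifetime are both 30 minutes.
    ini_set('session.gc_maxlifetime', (string) SESSION_TTL);
    ini_set('session.cookie_lifetime', (string) SESSION_TTL);
    // A private save_path keeps another application's gc away from these files.
    ini_set('session.save_path', $savePath);
    session_start();
}

// Step 2: store every value together with the time it was set.
function session_put(string $key, $value, ?int $now = null): void
{
    $_SESSION[$key] = ['value' => $value, 'set_at' => $now ?? time()];
}

// Step 3: check the timestamp on every read. Expiry is decided on the server,
// independent of gc probability, file mtime and the client's cookie handling.
function session_get(string $key, ?int $now = null)
{
    $now = $now ?? time();
    $entry = $_SESSION[$key] ?? null;
    if (!is_array($entry) || !isset($entry['set_at'])) {
        return null; // never set, or not stored through session_put()
    }
    if ($now - $entry['set_at'] >= SESSION_TTL) {
        unset($_SESSION[$key]); // expired: drop it without waiting for gc
        return null;
    }
    return $entry['value'];
}

// Constructed demo of the a=1 / b=2 case from the first answer. In a web
// request, strict_session_start() would be called before any of this.
$_SESSION = [];
$t0 = 1700000000;                        // constructed timestamp
session_put('a', 1, $t0);                // a set at t0
session_put('b', 2, $t0 + 300);          // b set 5 minutes later
var_dump(session_get('a', $t0 + 1800));  // a is exactly 30 minutes old here
var_dump(session_get('b', $t0 + 1800));  // b is only 25 minutes old here
```

Because each value carries its own timestamp, writing b does not extend the life of a, which is the case the file modification time cannot handle.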

Finally, some students asked why we should set a 30-minute expiration time at all. First of all, this is for the interview; second, there are real usage scenarios, such as a discount that expires in 30 minutes.

thanks :)

