PHP Study Notes session

  • 2021-10-11 17:47:57
  • OfStack

cookie and session are two concepts that novice web developers easily confuse. Understanding them helps in understanding web interaction in general. Personally, I think the differences between session and cookie are as follows:

cookie

The information is saved on the client

The browser (client) stores the data and decides when to send it back

The size and quantity of data are limited by the browser (roughly 4 KB per cookie and a cap on cookies per domain)

Data travels with every request and is fully under the user's control: it can be read, stolen or tampered with, so cookie contents must never be trusted unless they are signed or encrypted by the server

session

Data is stored on the server side

The server (PHP's session module and its save handler) stores and looks up the data

There is no limit to the size and quantity of data in principle, only the server's storage

The client never sees the data and cannot tamper with it; note that the session id sent in the cookie is still a bearer credential, and whoever obtains it owns the session

In a narrow sense, session refers to the session id and the data associated with it within a web session; in a broad sense, a session is any interactive exchange between two communicating parties. For example, a user login is a session interaction, and a withdrawal at an ATM is a session interaction, and so on.

Details of session

The primary function of session is to identify a session and to hold data for its duration. Here are some details of session.

Access

PHP reads and stores all session data through the $_SESSION superglobal. $_SESSION is an array that can be assigned and read directly, for example:


session_start();                    // the session must be open before $_SESSION holds anything
$name = $_SESSION['NAME'] ?? null;  // read the NAME entry (null if it is not set)
$_SESSION['NAME'] = 'new name';     // assign a new value
unset($_SESSION['NAME']);           // remove NAME from the session

Expired time

By default, session data that has been idle longer than session.gc_maxlifetime (1440 seconds) is not removed at that moment; it is deleted only when PHP's garbage collector happens to run. The collector runs inside session_start() with probability session.gc_probability/session.gc_divisor (1/100 by default), so how often it runs depends on request volume. The consequences are:

1. On a low-traffic site, expired session data can linger long after it has timed out.

2. On a high-traffic site, garbage collection runs very frequently.

3. Whichever request triggers the collection pays for it: that user sees extra latency before the request is served.

A better arrangement is to disable in-request collection (session.gc_probability = 0) and run the session_gc function (PHP 7.1+) from a cron job at a fixed interval; Debian and Ubuntu ship PHP configured this way. This keeps expiry timely and removes the latency spike from user requests. Note that gc_maxlifetime governs the server-side data only; the cookie's lifetime (session.cookie_lifetime) is a separate setting, and because collection is probabilistic, an application that needs a hard inactivity timeout should also check a last-activity timestamp itself.
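The cron-driven collection described above, as an added example for these notes (not code from the original article). The script name, the save path and the crontab line are assumptions to adapt to your installation; session_gc() and the ini settings are PHP's own.

```php
<?php
// session_gc.php: run from cron instead of relying on PHP's per-request,
// probabilistic garbage collection.
//
// Matching php.ini (or FPM pool) settings:
//   session.gc_probability = 0        ; never run GC inside a web request
//   session.gc_maxlifetime = 1440     ; seconds of idleness after which data is garbage
//   session.save_path      = /var/lib/php/sessions
//
// Crontab entry (assumption) running this every 15 minutes as the web server user:
//   */15 * * * * www-data /usr/bin/php /usr/local/bin/session_gc.php >> /var/log/session_gc.log 2>&1

declare(strict_types=1);

// Use the same save_path and gc_maxlifetime as the web pool; the CLI php.ini
// may differ from the FPM one, so set them explicitly here (paths are assumptions).
ini_set('session.save_path', '/var/lib/php/sessions');
ini_set('session.gc_maxlifetime', '1440');
ini_set('session.use_cookies', '0'); // the CLI has no client to send a cookie to

// session_gc() only works on an active session, so open a throwaway one;
// this also opens the configured save handler.
if (!session_start()) {
    fwrite(STDERR, "session_start() failed\n");
    exit(1);
}

// session_gc() (PHP >= 7.1) asks the active save handler to delete every
// session idle longer than gc_maxlifetime and returns how many it removed.
$deleted = session_gc();

// Remove the temporary CLI session itself so the cron job leaves nothing behind.
session_destroy();

if ($deleted === false) {
    fwrite(STDERR, "session_gc() failed\n");
    exit(1);
}
printf("%s removed %d expired session(s)\n", date('c'), $deleted);
```

With the files handler, "idle" is judged by the session file's modification time, so a session that is read but never written may be collected while the user is still active; session.lazy_write (on by default since PHP 7) keeps the timestamp fresh without rewriting unchanged data.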

Data can also be removed manually: unset() deletes a single item, $_SESSION = [] clears all items for the current request, and session_destroy() deletes the server-side data for the whole session. Note that session_destroy() alone neither empties $_SESSION in the running request nor removes the cookie from the client, so a complete logout clears $_SESSION, expires the cookie with setcookie() and then calls session_destroy().

Storage Media and Serialization

By default, session data is saved on disk as one file per session (sess_<id> under session.save_path). When session_start() is called, the file is read and its contents deserialized into the $_SESSION array. On a high-traffic site the session directory fills with a large number of small files, which puts a heavy I/O burden on the file system.

The save handler of the session module decides where data is stored: on disk, in a database, in redis/memcached or another medium. PHP itself ships the files handler (the default); the redis and memcached handlers come with the corresponding PECL extensions. Users can register their own handler with session_set_save_handler, most conveniently by implementing SessionHandlerInterface.

The data stored in session may be of basic types such as strings, or of complex types such as arrays and objects. session.serialize_handler selects the format used to serialize and deserialize it (php by default; php_serialize, available since PHP 5.5.4, uses the plain serialize() format and has no restrictions on key names). The serialized string is what the save handler receives and stores. Because the data must survive serialization, resources cannot and should not be kept in session: the idea of saving a DB connection handle in session and taking it out again ten minutes later should be discarded as soon as possible.

session Setting Name

Because HTTP is a stateless protocol, the client must carry the session id with each request so that the server can tell sessions apart. The default cookie name for the session id is PHPSESSID; session_name can set a different one. For example, to make it less obvious that the back end is written in PHP, the cookie can be renamed to JSESSIONID. This is only mild obfuscation, though: the X-Powered-By header (unless expose_php is off), .php URLs and error pages reveal PHP just as readily. What matters far more for the cookie is how it is protected: session.use_strict_mode=1 so that PHP refuses ids it did not issue (session fixation), the Secure, HttpOnly and SameSite cookie attributes, and session_regenerate_id() after login.

session Auto Start

Current PHP versions do not start the session automatically (session.auto_start=0 by default). Consider a visitor who views a single page and leaves: if the session were started automatically, PHP would run its initialization and send a session id to the client so the user could be recognized on the next visit. For one-time visitors and users who never log in, this is pure overhead.

The downside of not starting automatically is that code must make sure session_start() has been called before touching $_SESSION, otherwise it reads empty data. If the default session name has been changed, session_name must be called before session_start so that PHP looks for the right cookie; calling it afterwards has no effect on the already-started session.
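A bootstrap file putting the points from the last two sections together, as an added example for these notes (not code from the original article). The cookie name JSESSIONID, the 20-minute idle limit and the login()/current_user_id() helpers are assumptions; the ini settings and session_* functions are PHP's own (PHP 7.3+ for the array form of session_set_cookie_params).

```php
<?php
// session_bootstrap.php: include at the top of every page that needs a session.

declare(strict_types=1);

const IDLE_LIMIT = 20 * 60; // assumption: seconds of inactivity before the login is dropped

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // session.auto_start=0 is the default; guard against double starts anyway
    }

    // Reject session ids the server never issued, so an attacker cannot plant
    // ("fixate") a chosen id in the victim's cookie before the victim logs in.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1'); // never accept the id from the URL

    // Must run before session_start(); afterwards PHP would have looked for
    // PHPSESSID and silently started a new, empty session.
    session_name('JSESSIONID');

    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie; server-side life is gc_maxlifetime
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // hidden from document.cookie; XSS cannot read the id
        'samesite' => 'Strict', // not attached to cross-site requests (CSRF)
    ]);

    session_start();

    // Garbage collection is probabilistic and judges idleness by file timestamp,
    // so enforce the inactivity limit explicitly on every request as well.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
        $_SESSION = [];
        session_regenerate_id(true); // issue a fresh id and delete the old data
    }
    $_SESSION['last_seen'] = $now;
}

// Call after a successful password check: a fresh id stops an id captured
// before login from being promoted to an authenticated session.
function login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function current_user_id(): ?int
{
    return $_SESSION['user_id'] ?? null;
}

start_secure_session();
```

Because the cookie is issued with lifetime 0, the browser discards it when it closes, while the server keeps the data until garbage collection or the idle check above removes it; the two lifetimes are independent and both need to be considered.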

Distributed session

Large sites usually have more than one PHP server behind the load balancer. If a user's successive requests land on different servers and those servers do not share session data, the user is asked to log in again and again. The problem can be solved either at the front end, by pinning each client to one server (sticky sessions), or at the back end, by storing sessions in a shared store.

When sessions are kept as files, a shared directory (for example on NFS) can be configured as session.save_path on every server, although shared file systems bring latency and unreliable file locking. When sessions are stored in redis/memcached/a database, all servers simply connect to the same session store. With shared sessions, the load balancer is free to send any request to any server.
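A database-backed save handler that all nodes can share, illustrating both the handler API from the storage section above and the shared store described here. This is an added example for these notes, not code from the original article; the table layout, the DSN and the SQLite choice are assumptions (SQLite keeps it self-contained; point the DSN at the cluster's MySQL/PostgreSQL for real use). It requires PHP 8.0+ for the union types and constructor promotion.

```php
<?php
// pdo_session_handler.php: keep session data in a SQL table shared by every node.

declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $pdo, private int $maxLifetime) {}

    public function open(string $path, string $name): bool
    {
        // Assumed table: one row per session, expiry stored as a Unix timestamp.
        $this->pdo->exec('CREATE TABLE IF NOT EXISTS sessions (
            id      TEXT PRIMARY KEY,
            data    BLOB NOT NULL,
            expires INTEGER NOT NULL)');
        return true;
    }

    public function close(): bool { return true; }

    // PHP hands write() the already-serialized $_SESSION blob and expects read()
    // to return exactly that string; session.serialize_handler decides the format.
    public function read(string $id): string|false
    {
        $stmt = $this->pdo->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $stmt->execute([$id, time()]);
        $row = $stmt->fetchColumn();
        return $row === false ? '' : (string) $row; // '' means "new, empty session"
    }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->pdo->prepare('REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, time() + $this->maxLifetime]);
    }

    public function destroy(string $id): bool
    {
        return $this->pdo->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    // Invoked by session_gc() or by the probabilistic per-request collection.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE expires <= ?');
        $stmt->execute([time()]);
        return $stmt->rowCount();
    }

    // With session.use_strict_mode=1 PHP asks whether a client-supplied id is one
    // we issued; answering "no" makes PHP generate a fresh id (anti-fixation).
    public function validateId(string $id): bool
    {
        $stmt = $this->pdo->prepare('SELECT 1 FROM sessions WHERE id = ? AND expires > ?');
        $stmt->execute([$id, time()]);
        return $stmt->fetchColumn() !== false;
    }

    // Lets PHP refresh the expiry without rewriting unchanged data (session.lazy_write).
    public function updateTimestamp(string $id, string $data): bool
    {
        $stmt = $this->pdo->prepare('UPDATE sessions SET expires = ? WHERE id = ?');
        return $stmt->execute([time() + $this->maxLifetime, $id]);
    }
}

// Wiring: every node uses the same DSN (assumption), so whichever server the
// balancer picks reads and writes the same session row.
$pdo = new PDO('sqlite:/var/lib/php/sessions.sqlite');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

ini_set('session.use_strict_mode', '1');
ini_set('session.serialize_handler', 'php_serialize'); // plain serialize() format
$handler = new PdoSessionHandler($pdo, (int) ini_get('session.gc_maxlifetime'));
session_set_save_handler($handler, true); // true: call session_write_close() at shutdown
session_start();

$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
```

Unlike the files handler, which locks the session file for the duration of the request, this handler does no locking: two concurrent requests for the same session (for example parallel AJAX calls) can overwrite each other's changes. If that matters, add a per-session lock (a database row lock or a redis lock) around read and write, or keep request-level writes to the session minimal.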
