Example analysis of implementation principle of Session and ID in PHP

  • 2021-12-13 16:32:37
  • OfStack

This article describes, with examples, how PHP implements sessions and session IDs. It is shared for your reference, as follows:

A session works by creating a unique id (UID) for each visitor and storing variables keyed by this UID. The UID is stored in a cookie or propagated through the URL.

The generation algorithm of PHPSESSIONID is as follows:

hash_func = md5/sha1 # configurable in php.ini

PHPSESSIONID = hash_func(client IP + current time (seconds) + current time (microseconds) + PHP's random number generator)

From the analysis of the data that goes into hash_func(*) above, the probability that two users on the same server are issued the same PHPSESSIONID is extremely low (at most one in a million), even assuming a dynamic web server handling 2000 requests per second, which is already a very high load.

In addition, if a hacker wants to guess a user's PHPSESSIONID, he must also know the "client IP, current time (seconds and microseconds) and random number" before he can reproduce the hash.

php.ini is configured as follows:

; Select a hash function for use in generating session ids.
; Possible Values
;  0 (MD5 128 bits)
;  1 (SHA-1 160 bits)
; This option may also be set to the name of any hash function supported by
; the hash extension. A list of available hashes is returned by the hash_algos()
; function.
; http://php.net/session.hash-function
session.hash_function=0

Working principle of PHP session

The following describes the case where the PHPSESSID is transmitted by cookie.

1. The client requests a PHP page from the server.

2. The server receives the request, and the PHP script it runs calls session_start().

3. The server generates a PHPSESSID. (The default session storage mode is session.save_handler=files, i.e. sessions are stored as files. The generated session file is named sess_PHPSESSID and lives in session.save_path.)

4. The server responds with the header Set-Cookie: PHPSESSID=37vjjasgjdv2ouk1uomhgqkv50; path=/, and the client creates a cookie holding this PHPSESSID.

5. From now on the client's cookie contains the PHPSESSID, and every client request carries the header Cookie: PHPSESSID=37vjjasgjdv2ouk1uomhgqkv50. Each time the server receives a request it can use this PHPSESSID to locate the session file on the server; reading and writing that session file is what gives the $_SESSION superglobal its contents.
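As an added example (constructed here, not PHP's own source), the following Python models the ID construction given above, hash_func over client IP, seconds, microseconds and a random value, encoded with session.hash_bits_per_character (4 gives 0-9a-f, 5 gives 0-9a-v, 6 gives 0-9a-zA-Z plus "-" and ","), and adds the check a server should apply to a PHPSESSID cookie before turning it into the sess_<id> file name under session.save_path. PHP's exact bit-packing order is not reproduced; the save path, input values and function names are assumptions.

```python
import hashlib
import math

# Character sets for session.hash_bits_per_character (from the php.ini documentation).
ALPHABETS = {
    4: "0123456789abcdef",
    5: "0123456789abcdefghijklmnopqrstuv",
    6: "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-,",
}
# session.hash_function: 0 = MD5 (128 bits), 1 = SHA-1 (160 bits).
HASH_BITS = {"md5": 128, "sha1": 160}


def id_length(hash_func: str, bits_per_char: int) -> int:
    """Characters in an ID: the digest bits split into bits_per_char groups."""
    return math.ceil(HASH_BITS[hash_func] / bits_per_char)


def generate_session_id(client_ip, seconds, microseconds, random_value,
                        hash_func="md5", bits_per_char=5):
    """Model of PHPSESSIONID = hash_func(IP + seconds + microseconds + random).

    Constructed: the concatenation and bit order are illustrative, not PHP's.
    """
    material = f"{client_ip}{seconds}{microseconds}{random_value}".encode()
    value = int.from_bytes(hashlib.new(hash_func, material).digest(), "big")
    alphabet, mask = ALPHABETS[bits_per_char], (1 << bits_per_char) - 1
    chars = []
    for _ in range(id_length(hash_func, bits_per_char)):
        chars.append(alphabet[value & mask])
        value >>= bits_per_char
    return "".join(chars)


def is_valid_session_id(sid, hash_func="md5", bits_per_char=5):
    """Accept only exactly one ID's worth of alphabet characters.

    Because the file name is sess_<id>, a cookie value that is not a
    well-formed ID (e.g. containing '/' or '.') must never reach the path.
    """
    alphabet = ALPHABETS[bits_per_char]
    return (len(sid) == id_length(hash_func, bits_per_char)
            and all(c in alphabet for c in sid))


def session_file_name(sid, save_path="/var/lib/php/sessions", **kw):
    """Map a validated PHPSESSID to its sess_<id> file; refuse anything else."""
    if not is_valid_session_id(sid, **kw):
        raise ValueError("invalid session id")
    return f"{save_path}/sess_{sid}"
```

With the defaults (md5, 5 bits per character) the IDs are 26 characters long, which matches the 37vjjasgjdv2ouk1uomhgqkv50 value shown in the steps above.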

If the client disables cookies, the PHPSESSID cannot be passed by cookie, so the server creates a new session file on every client request and cannot reuse a session file by PHPSESSID; the session is therefore useless.

In this case, session.use_trans_sid can be set to transmit the PHPSESSID. The difference from the cookie implementation is that the PHPSESSID is transmitted as an HTTP GET parameter: the parameter is appended to the address of every request, as in "url?PHPSESSID=37vjjasgjdv2ouk1uomhgqkv50".

PHP CLI mode uses sessions via session_id()

session_id() can be used to get the PHPSESSID of the current session, or to set the PHPSESSID of the current session.

In PHP CLI mode the ID can be set this way to make sessions usable, which is very convenient.

For example:

<?php
// Uncomment to reuse an existing session instead of creating a new one;
// session_id() must be called before session_start().
// session_id('vingbrv8m64asth0nhplu9gmb7');
session_start();
// Store a random value under a random key, then show the session contents.
$_SESSION[md5(rand(100, 999))] = rand(100, 999);
var_dump($_SESSION);


I hope this article is helpful to everyone's PHP programming.
