A recent project had a fairly large form that takes users a long time to fill in. Many users went to considerable trouble completing it, only to find on submission that their session had expired and the system had logged them out. That prompted some research into what a session is, how it is configured, and how to keep one alive; what follows are my notes and experiences.
What is a session?
As Wikipedia explains it, a session is an exchange of information between two communicating devices: it is established at some point in time and torn down after a certain period. Common kinds are the TCP session, the web session (HTTP session) and the login session.
Depending on where in the OSI model a session is implemented, it falls into one of several classes: application-layer sessions, which include the web session (HTTP session) and the telnet remote-login session; session-layer sessions, which include the Session Initiation Protocol (SIP) and Internet phone calls; and transport-layer sessions, i.e. TCP sessions.
This article focuses on the web session. It comes in two general forms, the client-side session and the server-side session; the latter is the more common, for example as provided by Java Beans.
What does a session do?
In computing, and especially in networking, a session (also called a dialogue or conversation) is used everywhere; it generally refers to state stored by the two communicating devices, and it can also exist between a user and a computer (a login session).
Unlike stateless communication, a session is used to store the state of the communication, so at least one of the two parties has to keep a history of the session in order for the exchange to proceed.
How is a (web) session implemented?
HTTP communication between browser and server usually carries an HTTP cookie to identify the state; that cookie normally holds a unique session ID, and the session itself typically records the user's authentication information and privilege level.
The HTTP session tokens of the most commonly used languages are JSESSIONID (JSP), PHPSESSID (PHP) and ASPSESSIONID (ASP). The identifier is usually generated by a hash function and expresses nothing but the user's identity; it is stored on the client and sent back to the server with every request, either as a cookie or as a GET or POST parameter.
There are generally two ways to implement a session, server-side and client-side, and each has its advantages and disadvantages.
A server-side session is easy to implement and more efficient, but it becomes harder to handle under load-balancing or high-availability requirements, and it cannot be used at all on systems without persistent storage. Load balancing can be worked around with a shared file system, or by pinning each client to a single server, but both reduce efficiency. Systems without a storage device can keep server-side sessions in RAM (see reference 6); this approach is limited to systems with few clients, such as routers or access points.
A client-side session solves some of the problems of the server-side session, such as avoiding load-balancing constraints, but it brings problems of its own. It uses cookies and cryptography to preserve state between requests: each dynamic page, once it has finished, serializes the current session and sends it back to the client, and every subsequent request carries the cookie back to the server so that the server can "remember" the user's identity. The most important problem of the client-side session is security: once the cookie is hijacked or tampered with, the security of the user's information is lost.
How do you configure sessions in PHP?
Once a PHP development environment is up, phpinfo() shows the session-related settings. The session module in PHP 5.2.9 has 25 directives in total; the ones you usually set are:
session.cookie_lifetime: lifetime of the cookie that holds the session ID (0 means until the browser is closed)
session.name: name of the session cookie, default PHPSESSID
session.save_handler: how sessions are stored, default files
session.save_path: where session files are stored; on Fedora the default is /var/lib/php/session
session.gc_probability
session.gc_divisor
session.gc_maxlifetime: these three control when garbage collection (GC) runs and which sessions it collects
session.cache_limiter (nocache, private, private_no_expire, public)
session.cache_expire: these two control page caching for pages that use sessions
Let us take the first question: how long does a session live, and how does it expire? To use sessions in a PHP program you must first call session_start(). On its first call this function creates an empty session file in the session storage directory (if you use the files handler) and sets a cookie in the browser, named PHPSESSID by default, whose value is the hashed session ID.
Session expiry relies on a garbage-collection (GC) mechanism. Each session is stored as a file on the server, and every time a script accesses the session the file's last-access time is updated. On every request the server looks up the session by the session ID the client sends; once the client's cookie has expired, the server has no way of knowing which session that client belonged to, yet the session file on the server has not expired and is still waiting to be collected, which wastes server resources.
Conversely, if we want a user's session to expire immediately, we can do so by expiring the cookie. GC is attempted on each page access with a probability of session.gc_probability / session.gc_divisor, 1/100 by default. If the ratio is set to 1 (for example gc_divisor = 1), then every access collects all sessions whose lifetime has been exceeded.
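To make the GC rules above concrete, here is an added example, written for this article and not code from the original post or from PHP itself: a small model of PHP's file-based session store and its collector. An in-memory Map stands in for the sess_* files under session.save_path, and the current time is passed in explicitly so the scenarios can be run offline in Node.js.

```javascript
// Model of PHP's files session handler plus GC (illustration only, not PHP's code).
// Times are in seconds; `mtime` is the file's last-access time as PHP uses it.
class SessionStore {
  constructor({ gcMaxlifetime = 1440, gcProbability = 1, gcDivisor = 100 } = {}) {
    this.gcMaxlifetime = gcMaxlifetime; // like session.gc_maxlifetime
    this.gcProbability = gcProbability; // like session.gc_probability
    this.gcDivisor = gcDivisor;         // like session.gc_divisor
    this.files = new Map();             // sessionId -> { data, mtime }
    this.gcRuns = 0;
  }

  // session_start() with no cookie: create an empty session file.
  create(id, now) {
    this.files.set(id, { data: {}, mtime: now });
    return id;
  }

  // session_start() with a cookie: find the file and refresh its mtime.
  // Returns null when the file has been collected, which PHP treats as a new, empty session.
  open(id, now) {
    const f = this.files.get(id);
    if (!f) return null;
    f.mtime = now;
    return f.data;
  }

  // On each session_start() PHP runs GC with probability gc_probability / gc_divisor.
  // `roll` is the random number in [0, 1); it is a parameter so tests are deterministic.
  maybeGc(now, roll = Math.random()) {
    if (roll < this.gcProbability / this.gcDivisor) {
      this.gc(now);
      return true;
    }
    return false;
  }

  // Delete every file whose last access is older than gc_maxlifetime.
  gc(now) {
    this.gcRuns += 1;
    let removed = 0;
    for (const [id, f] of this.files) {
      if (now - f.mtime > this.gcMaxlifetime) {
        this.files.delete(id);
        removed += 1;
      }
    }
    return removed;
  }
}

// Scenario 1: a session touched more often than gc_maxlifetime survives even
// when GC runs on every request (ratio 1/1).
function keptAliveByTouching() {
  const store = new SessionStore({ gcMaxlifetime: 60, gcProbability: 1, gcDivisor: 1 });
  store.create('a1', 0);
  for (let t = 50; t <= 1000; t += 50) {
    store.open('a1', t);
    store.maybeGc(t, 0);
  }
  return store.files.has('a1'); // true
}

// Scenario 2: an idle session outlives gc_maxlifetime until some request happens
// to win the 1/100 roll; until then its file sits on disk (the waste described above).
function idleSessionOutlivesMaxlifetime() {
  const store = new SessionStore({ gcMaxlifetime: 60 });
  store.create('b2', 0);
  const survivedWithoutGc = store.maybeGc(1000, 0.5) === false && store.files.has('b2');
  const collectedOnGc = store.maybeGc(1000, 0.001) === true && !store.files.has('b2');
  return { survivedWithoutGc, collectedOnGc };
}
```

The two scenarios show the dependency the text describes: the cookie must still be presented (so that open() refreshes mtime) before gc_maxlifetime elapses, otherwise the server keeps a file nobody can reach until GC happens to run.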
That gives two requirements: first, keep the session alive, i.e. extend the session's expiry time; second, make the session expire immediately.
1. Keeping the session alive and extending its expiry time is necessary especially in internal application systems and on forms that take a long time to fill in. Picture your boss filling out a form right before lunch, going to eat, coming back to fill in the rest, and on submission being greeted by a login screen. If you want a good user experience, the key is that the boss's form must not fail, so the session's lifetime has to be extended.
Keeping the session alive and extending its expiry time can be done by raising session.gc_maxlifetime, but you first have to make sure the client's cookie does not expire before GC runs. Setting a long gc_maxlifetime does extend the session's lifetime, but not every request in the application needs a long session, so doing this globally in the server configuration is clearly not the best option.
We know that the GC mechanism judges a session file by its last-access time and, if that exceeds gc_maxlifetime, collects it with the configured probability. So we only need to touch the session at regular intervals, which can be achieved by refreshing the page. Following that idea, there are several solutions:
have JavaScript access a page at regular intervals;
refresh the page in an iframe at regular intervals;
have the program send HTTP requests directly, which avoids embedding extra elements in the page.
Below is a way of using JavaScript to send a request that keeps the session alive. Since this is only needed on pages that must hold a session for a long time (the main form page, say), it is enough to include it only there.
<script type="text/javascript">
function keepMeAlive(imgName) {
    var myImg = document.getElementById(imgName);
    // Replace the query string with a fresh random value so the request is not served from cache
    if (myImg) myImg.src = myImg.src.replace(/\?.*$/, '?' + Math.random());
}
window.setInterval(function () { keepMeAlive('phpImg'); }, 4000);
</script>
<img id="phpImg" src="http://blog.950buy.com/session/sess_refresh.php?" width="1" height="1" />
The random number appended to the URL prevents the browser from serving the request from its cache.
2. There are comparatively more ways to make a session expire immediately: we can call session_destroy(), and the same trick as above can be used to request a page that calls session_destroy().
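As an added example (written for this article, not code from the original post), here is the same keep-alive idea done with fetch() instead of a 1x1 image, with the cache-busting query the text recommends, a check that the ping interval is shorter than session.gc_maxlifetime, and an absolute cap after which pinging stops so a session is not kept alive indefinitely; the same helper is then pointed at a page that calls session_destroy() for the immediate-expiry case. The endpoint paths /session/sess_refresh.php and /session/sess_destroy.php are assumed for illustration, and the timer logic is separated from the browser so it can be exercised in Node.js.

```javascript
// Append a random query string so no browser or proxy cache answers the request.
function cacheBust(url) {
  const base = url.replace(/\?.*$/, '');
  return base + '?' + Math.random().toString(36).slice(2);
}

class KeepAlive {
  // request: function(url) -> Promise; in a page pass
  //   url => fetch(url, { credentials: 'same-origin' })
  // gcMaxlifetimeSec: the server's session.gc_maxlifetime (assumed to be known to the page).
  // maxTotalMs: absolute cap on how long this page keeps the session alive.
  constructor({ request, url, intervalMs, gcMaxlifetimeSec, maxTotalMs }) {
    if (intervalMs >= gcMaxlifetimeSec * 1000) {
      throw new Error('ping interval must be shorter than session.gc_maxlifetime');
    }
    Object.assign(this, { request, url, intervalMs, maxTotalMs });
    this.startedAt = null;
    this.lastPing = null;
    this.pings = 0;
    this.stopped = false;
  }

  // One timer tick at time nowMs; returns 'pinged', 'waiting' or 'stopped'.
  tick(nowMs) {
    if (this.stopped) return 'stopped';
    if (this.startedAt === null) this.startedAt = nowMs;
    if (nowMs - this.startedAt >= this.maxTotalMs) {
      this.stopped = true; // cap reached: let the session expire normally
      return 'stopped';
    }
    if (this.lastPing !== null && nowMs - this.lastPing < this.intervalMs) return 'waiting';
    this.lastPing = nowMs;
    this.pings += 1;
    this.request(cacheBust(this.url));
    return 'pinged';
  }

  start() {
    this.timer = setInterval(() => this.tick(Date.now()), this.intervalMs);
    return this;
  }

  stop() {
    this.stopped = true;
    if (this.timer) clearInterval(this.timer);
  }
}

// Immediate expiry: the same cache-busted request aimed at a page that calls session_destroy().
function logoutNow(request, url = '/session/sess_destroy.php') {
  return request(cacheBust(url));
}

// Self-check with a recording stub in place of fetch(); ticks are fed by hand.
function demoKeepAlive() {
  const calls = [];
  const ka = new KeepAlive({
    request: u => calls.push(u),
    url: '/session/sess_refresh.php', // assumed endpoint
    intervalMs: 4000,
    gcMaxlifetimeSec: 1440,
    maxTotalMs: 10000,
  });
  const results = [0, 1000, 4000, 8000, 10000, 12000].map(t => ka.tick(t));
  return { results, calls }; // results: pinged, waiting, pinged, pinged, stopped, stopped
}
```

In a page you would call `new KeepAlive({...}).start()` on the long form only, as the text suggests. The cap is the security counterpart of the convenience: a tab left open on a shared machine stops refreshing the session once maxTotalMs passes, and the user is asked to log in again.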
Is the session safe?
The PHP manual says explicitly that sessions do not guarantee that the information stored in a session can only be seen by the person who created it.
If you need to handle sensitive operations remotely, HTTPS is the only option; with HTTPS in place, also set session.cookie_secure = 1 so the session cookie is never sent over plain HTTP. Most fundamentally, do not assume that because a user's information is in the session the user really is who they claim to be, even though the session gives the impression that this user has passed username-and-password authentication. So if you need to let a user change their password or do something similarly sensitive, asking the user to re-enter the password is the better choice.
Early PHP versions did not rely on a cookie to carry PHPSESSID but used URL rewriting instead: PHPSESSID=<sessionid> was appended to every URL to indicate which active session it belonged to. Newer versions turn this off by default:
session.use_trans_sid = 0
So, in this sense, extending a session for too long or keeping it alive indefinitely is not a good thing for security. The better solution is to redirect the user to the login screen on submission and, after they log in, return them to the page they were filling in with all their data still there. Implementing this with Ajax should present no difficulty: at regular intervals, POST the current user's data to a storage location, whether as XML or JSON.
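An added example of that Ajax draft-saving approach, written for this article rather than taken from the original post: the form's fields are snapshotted as JSON, POSTed only when something has changed, and restored into a fresh copy of the form after the user logs in again. The fields are passed in as plain {name, value} objects so the logic runs outside a browser; in a page you would build that array from the form's elements and pass `(url, body) => fetch(url, { method: 'POST', credentials: 'same-origin', headers: { 'Content-Type': 'application/json' }, body })` as `post`. The endpoint /session/draft.php is an assumption for illustration.

```javascript
// Snapshot a list of {name, value} fields as a JSON document.
function serializeDraft(fields) {
  const draft = {};
  for (const f of fields) draft[f.name] = f.value;
  return JSON.stringify(draft);
}

// Write a saved draft back into a (fresh) list of fields; fields the draft
// does not know about are left alone. Returns how many fields were restored.
function restoreDraft(json, fields) {
  const draft = JSON.parse(json);
  let restored = 0;
  for (const f of fields) {
    if (Object.prototype.hasOwnProperty.call(draft, f.name)) {
      f.value = draft[f.name];
      restored += 1;
    }
  }
  return restored;
}

class AutoSaver {
  // post: function(url, body) that sends the draft; url is an assumed endpoint.
  constructor({ post, url = '/session/draft.php', fields, intervalMs = 30000 }) {
    Object.assign(this, { post, url, fields, intervalMs });
    this.lastSaved = null;
    this.saves = 0;
  }

  // Save only when the form changed since the last save, so an idle form sends no traffic.
  save() {
    const body = serializeDraft(this.fields);
    if (body === this.lastSaved) return false;
    this.post(this.url, body);
    this.lastSaved = body;
    this.saves += 1;
    return true;
  }

  start() {
    this.timer = setInterval(() => this.save(), this.intervalMs);
    return this;
  }

  stop() {
    if (this.timer) clearInterval(this.timer);
  }
}

// Self-check with constructed fields and a recording stub in place of fetch().
function demoAutosave() {
  const sent = [];
  const fields = [{ name: 'title', value: 'Q3 report' }, { name: 'body', value: '' }];
  const saver = new AutoSaver({ post: (u, b) => sent.push({ u, b }), fields });
  const first = saver.save();   // true: first snapshot
  const second = saver.save();  // false: nothing changed
  fields[1].value = 'draft text';
  const third = saver.save();   // true: body changed
  // The user is sent to the login page and comes back to a fresh, empty form.
  const fresh = [
    { name: 'title', value: '' },
    { name: 'body', value: '' },
    { name: 'extra', value: 'x' },
  ];
  const restored = restoreDraft(sent[sent.length - 1].b, fresh);
  return { first, second, third, sent: sent.length, restored, fresh };
}
```

Two points for the server side of this: the draft endpoint must key the stored draft on the authenticated user, never on a client-supplied ID, and when the session has already expired it should answer with an authentication failure that the page treats as "go and log in now", rather than silently accepting an anonymous draft.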
Supplement:
For clients that do not support JavaScript, two approaches can be used:
1. draw a floating layer displayed on top of everything, and if the user has not disabled JS, have the JS remove the floating layer;
2. set all INPUT elements to disabled, and then re-enable them from JS.
Both methods only tell the user that not all features are available when JS is disabled. Keeping the application fully working with JS disabled looks considerably harder; whether the time spent is worth the effect is something to weigh.
