A few questions about PHP sessions

I have some questions about PHP sessions:

  • Since the default value for session.gc_maxlifetime is 24 minutes, this means that any session file that is not changed within 24 minutes will be deleted and the session will expire automatically.

  • If I use session_destroy() in my code, the session will be canceled, but the session file itself will not be deleted until 24 minutes after the last change.

  • The only way to extend the session lifetime (more than 24 minutes) is to extend session.gc_maxlifetime to a larger value.

Is this all correct, or have I misunderstood something?

Also, if I save my sessions in a database (using session_set_save_handler()), do all of these rules apply to them?

+7
2 answers
  • Nearly. The session file will not be deleted immediately; when it is deleted is determined by session.gc_probability and session.gc_divisor.

  • No, the session will expire, but deletion of the session file is determined as described in the previous point.

  • This is the general rule, but if you were to implement your own session handler, you could change the session expiration behaviour so that even session.gc_maxlifetime is ignored.

Saving a session in a db should not change these rules, but you can stretch them a bit if you want.

Edit:

This is something like how you can register your own session handler (a handler that is a class) and then do whatever you want with it.

First, suppose we have a class that will handle sessions for our application.

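    class MySession
    {
        // Every callback has to return a value, or session_start() will fail.
        function open($save_path, $session_name) { return true; }
        function close() { return true; }
        function read($id) { return ''; } // '' means no stored data
        function write($id, $sess_data) { return true; }
        function destroy($id) { return true; }
        function gc($maxlifetime) { return true; }
    }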

To register the handler in PHP, you only need to call the session_set_save_handler function, as in our case:

    // register the session handler
    $sess = new MySession();
    session_set_save_handler(
        array($sess, 'open'),
        array($sess, 'close'),
        array($sess, 'read'),
        array($sess, 'write'),
        array($sess, 'destroy'),
        array($sess, 'gc')
    );

Note that there are actually better ways to register the handler itself; you can even do this in the constructor of your class or in several other ways. But I guess that is not the point here.

The important thing is that although PHP gives you the necessary variables that correspond to the standard behavior of the session management mechanism, you do not need to respect them (not that I recommend this).

To answer the comment below: to ignore the maxlifetime parameter, you ignore it in your gc method and use whatever you think is necessary / correct, for example (using db pseudo-code):

    function gc($maxlifetime)
    {
        // $maxlifetime is ignored; a fixed one-hour cutoff is used (MySQL syntax)
        $sql = "DELETE FROM MySession WHERE lastAccess < NOW() - INTERVAL 1 HOUR";
        // execute the query, say I have a PDO instance in $this->dbh
        $this->dbh->exec($sql);
        return true;
    }

Voilà, you just completely circumvented your PHP session settings by doing it yourself.

+5
  • Correct, session.gc_maxlifetime will delete the session file after the session expires.
  • session_destroy does not delete the session file.
  • Yes, this is the only way. After that, you can turn off garbage collection by playing with session.gc_divider and make a script to do your own garbage collection; Debian-based distributions do this by default.

Saving a session in some database will not change these rules.

+1