Help me see if I'm correctly understanding how sessions work in PHP
- Session ID is stored on the client in a way that usually dissipates when the browser is closed (stored as a cookie?).
- Session ID and associated data is stored on the server (where?) for each client that starts one.
The main thing I wonder about is how the server knows when a session has ended, though. If the client no longer has the session ID stored (say, after closing their browser) and they try to ask the server for another session, it starts a new session. Does the server know to garbage collect the previous session data after some set amount of time? It seems to me like something that could be abused...
- Session ID is usually stored on client browser using a cookie (alternatively, in URL parameters, but this is not recommended, as explained in http://php.net/manual/en/session.security.php)
- Sessions are stored in the directory defined by session.save_path (e.g. /var/lib/php/sessions), or the system's temporary directory if this is not set (usually /tmp).
Sessions are garbage collected periodically, either by PHP itself during a request, or by a cron job (e.g. on Debian this is the default). See http://php.net/manual/en/session.configuration.php#ini.session.gc-probability
> The main thing I wonder about is how the server knows when a session has ended

It doesn't know. However, it knows when a session has not been used for a certain period of time, so it can delete unused sessions.

> Does the server know to garbage collect the previous session data after some set amount of time?

Yes. This is defined by the session.gc_maxlifetime ini setting. Any session older than that will be deleted during a garbage collect. Garbage collect frequency can be tuned with the session.gc_probability and session.gc_divisor ini settings. (See doc.)

> It seems to me like something that could be abused.

If you mean that someone may be able to create too many stale sessions on the server: yes, this is probably true.
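The settings named in the answer above, put into a runnable script. This is an added example, not code from the question or the answers; it assumes the default "files" save handler, a private directory at $savePath (chosen here, not from the page), and a 30 minute lifetime. It also shows the check the files handler's garbage collector actually performs (compare each session file's mtime with gc_maxlifetime), and why an application should not rely on GC alone: GC only runs with probability gc_probability/gc_divisor per session_start(), so a stale session can outlive gc_maxlifetime.

```php
<?php
// Added example (not from the original question or answers). Assumes the
// default "files" save handler and a writable directory at $savePath.
declare(strict_types=1);

$savePath    = sys_get_temp_dir() . '/php_sessions_example'; // assumption: app-private dir
$maxLifetime = 1800;                                          // 30 minutes, in seconds

if (!is_dir($savePath)) {
    mkdir($savePath, 0700, true); // 0700: other local users must not read session files
}

// session.gc_maxlifetime: a session file untouched for longer than this is a
// candidate for deletion. session.gc_probability / session.gc_divisor: on each
// session_start(), GC runs with probability 1/100 here. GC is therefore
// probabilistic; a stale session may survive well past gc_maxlifetime, so the
// application enforces its own idle timeout below as well.
ini_set('session.save_path', $savePath);
ini_set('session.gc_maxlifetime', (string) $maxLifetime);
ini_set('session.gc_probability', '1');
ini_set('session.gc_divisor', '100');
// Caveat: on Debian-based systems gc_probability defaults to 0 and a cron job
// cleans the *default* save path instead. A custom save_path is not covered by
// that cron job, which is why this example sets gc_probability explicitly.
// Caveat: every application sharing one save_path shares one GC; the shortest
// gc_maxlifetime among them effectively applies to all of them.

session_start();

// Application-level idle timeout, independent of when GC happens to run.
$now = time();
if (isset($_SESSION['last_activity']) && ($now - $_SESSION['last_activity']) > $maxLifetime) {
    // Idle too long: discard the server-side data, then start a fresh session
    // under a new ID (true = delete the old session file as well).
    session_unset();
    session_destroy();
    session_start();
    session_regenerate_id(true);
}
$_SESSION['last_activity'] = $now;

// What the "files" handler's GC does: delete session files whose modification
// time is older than gc_maxlifetime. Replicating the check makes it visible.
function listStaleSessions(string $dir, int $maxLifetime, int $now): array
{
    $stale = [];
    foreach (glob($dir . '/sess_*') ?: [] as $file) {
        $mtime = filemtime($file);
        if ($mtime !== false && ($now - $mtime) > $maxLifetime) {
            $stale[] = basename($file);
        }
    }
    return $stale;
}

printf("session id: %s\n", session_id());
printf("stale session files in %s: %d\n", $savePath,
    count(listStaleSessions($savePath, $maxLifetime, $now)));
```

Run it behind a web server (or with the built-in server, php -S) and reload a few times: the session file in $savePath gets a fresh mtime on every request that calls session_start(), which is all the server ever uses to decide that a session is "unused".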
What you describe is perfectly right. And yes, it can be abused easily. There's even a tool out that automatically hijacks sessions around you (search for Firesheep). The sessions are usually stored as either SESSION cookies or are passed between server and client each time.
Check the PHP manual for a very brief intro, and some googling on session and security will get you further.
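The answer above points at Firesheep-style hijacking, which works by sniffing the session cookie off an unencrypted connection. The following is an added example, not code from any of the answers, showing the PHP session settings that close that off and the related fixation hole: the cookie is only sent over TLS, is not readable from JavaScript, PHP refuses session IDs it did not issue, and the ID is rotated at login and invalidated at logout. It assumes PHP 7.3 or newer (array form of session_set_cookie_params() and setcookie()) and uses a hypothetical checkCredentials() with one constructed user.

```php
<?php
// Added example (not from the original question or answers). Assumes PHP >= 7.3.
declare(strict_types=1);

// Weak configuration this example replaces (left commented out): the cookie
// is sent over plain HTTP and readable by scripts, and PHP accepts any ID the
// client presents, which is also what makes session fixation work.
// ini_set('session.cookie_secure', '0');
// ini_set('session.cookie_httponly', '0');
// ini_set('session.use_strict_mode', '0');

ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
session_set_cookie_params([
    'lifetime' => 0,        // session cookie: dropped when the browser closes
    'path'     => '/',
    'domain'   => '',       // host-only cookie
    'secure'   => true,     // HTTPS only: sniffing of the Firesheep kind needs plaintext
    'httponly' => true,     // not readable via document.cookie
    'samesite' => 'Lax',
]);
session_start();

function checkCredentials(string $user, string $password): bool
{
    // Hypothetical credential store with one constructed user. A real
    // application looks up a stored password_hash() instead of computing one.
    $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login(string $user, string $password): bool
{
    if (!checkCredentials($user, $password)) {
        return false;
    }
    // Rotate the ID on privilege change, so an ID captured or planted before
    // login is worthless afterwards; true deletes the old session file.
    session_regenerate_id(true);
    $_SESSION['user']     = $user;
    $_SESSION['login_at'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // session_destroy() only removes the server-side data; expire the cookie
    // on the client too, with the same attributes it was set with.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Minimal driver: POST user/password to log in, POST logout=1 to log out.
if (isset($_POST['logout'])) {
    logout();
    echo "logged out\n";
} elseif (isset($_POST['user'], $_POST['password'])) {
    echo login((string) $_POST['user'], (string) $_POST['password']) ? "logged in\n" : "denied\n";
} else {
    echo isset($_SESSION['user']) ? "session for {$_SESSION['user']}\n" : "no user\n";
}
```

With session.use_strict_mode on, a request carrying an unknown ID (for example one an attacker tried to fix in the victim's browser) gets a brand new ID instead; combined with session_regenerate_id() at login, a captured pre-login ID never becomes an authenticated one.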
Sessions expire automatically and are cleaned up depending on the settings (after 20 days of no usage, for example), and on Linux they are usually stored under /tmp/.
Check php.ini for more information.