PHP Script Tips - Understanding and Using Sessions
By: FYICenter.com
(Continued from previous part...)
Another way to confirm that your PHP engine is using URL parameters
to transfer session IDs is to look at the address field of your browser. It will
show something like:
http://localhost/next_page.php?PHPSESSID=meml483hk4dvm1n2ii8k9hvjj1
How To Force the PHP Engine to Use Cookies to Transfer Session IDs?
If you want to force your PHP engine to use cookies to transfer session IDs instead of URL parameters,
you can open the PHP configuration file, php.ini, and make the following changes:
session.use_cookies = 1
session.use_only_cookies = 1
Now re-run the first_page.php and next_page.php scripts presented in the previous tutorials.
You will get something like:
Query string of the incoming URL:
Cookies received:
PHPSESSID = r66hq1bcg8o79e5i5gd52p26g3
Value of MyLogin has been retrieved: FYICenter
Value of MyColor has been retrieved: Blue
Based on this output, your PHP engine is now using cookies to transfer
session IDs: the cookie named PHPSESSID contains the session ID,
and there is no URL parameter related to the session ID.
Is It More Secure to Use Cookies to Transfer Session IDs?
Is it more secure to use cookies to transfer session IDs? The answer is yes, because
attacking your Web site through a session ID carried in a URL parameter is much easier than
attacking one carried in a cookie.
So if you are the system administrator of your Web server, you should set session.use_only_cookies=1.
If your Web server is provided by a hosting service provider, ask them to set session.use_only_cookies=1.
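The two sections above set session.use_only_cookies in php.ini. As an added example (not code from the original tutorial), the script below applies the same cookie-only transport at runtime with ini_set(), which is useful on hosting accounts where php.ini cannot be edited, and then verifies the effective settings; the extra cookie flags and strict mode go beyond what the tutorial shows, and the ini_get() check assumes the hosting provider has not locked these directives with php_admin_value.

```php
<?php
// Added example: enforce cookie-only session ID transport at runtime.
// All ini_set() calls must run before session_start().

// Never accept a session ID from a URL parameter and never rewrite
// links to carry one (session.use_trans_sid is PHP_INI_ALL since PHP 7.1).
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject uninitialized session IDs supplied by the client (PHP >= 5.5.2).
ini_set('session.use_strict_mode', '1');

// Cookie flags: unreadable from JavaScript, sent only over HTTPS,
// and not sent on cross-site requests. Array form needs PHP >= 7.3.
session_set_cookie_params([
    'lifetime' => 0,        // discarded when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);

session_start();

// Read back the effective values: a provider can override ini_set()
// with php_admin_value, and this check makes that visible.
function sessionTransportIsCookieOnly(): bool
{
    // ini_get() returns the raw string ("1", "0", "On", "Off"...),
    // so normalise it before comparing.
    $onlyCookies = filter_var(ini_get('session.use_only_cookies'), FILTER_VALIDATE_BOOLEAN);
    $transSid    = filter_var(ini_get('session.use_trans_sid'), FILTER_VALIDATE_BOOLEAN);
    return $onlyCookies === true && $transSid === false;
}

if (!sessionTransportIsCookieOnly()) {
    error_log('session ID may still be transported in URL parameters; fix php.ini');
}

// With use_only_cookies on, a PHPSESSID in the query string is ignored by PHP,
// but logging it helps spot stale links or tampered requests.
if (isset($_GET[session_name()])) {
    error_log('session ID received as URL parameter: ' . $_SERVER['REQUEST_URI']);
}
```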
Where Are the Session Values Stored?
When a value is saved into the current session by one PHP page, the PHP engine must store this value
somewhere on the Web server, so that it can retrieve the value again when the same visitor comes back to request
another PHP page.
Where are the session values stored on the Web server? The answer depends on the setting named
session.save_path in the PHP engine configuration file. If session.save_path = "/temp",
session values will be stored in special files, one file per session, in the /temp directory on the Web server.
If you re-run the first_page.php and next_page.php scripts presented in the previous tutorials,
you can find a special file named like: \temp\sess_r66hq1bcg8o79e5i5gd52p26g3. If you open this file,
you will see:
MyLogin|s:9:"FYICenter";MyColor|s:4:"Blue";
Now you know that session values are stored on the Web server as text files,
with each value recorded as its name, its length and the value itself.
What Is the Timeout Period on Session Values?
The PHP engine has no direct setting for a session timeout period. But it has a session garbage
collection mechanism that you can configure to remove the special files containing session values.
There are 3 settings you can use to define the session garbage collection mechanism:
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
The first two settings tell the PHP engine to run the garbage collection process once every
1000 requests received by the Web server, on average. The last setting tells the PHP engine to treat session
values as garbage once they have not been used for 1440 seconds.
Putting all settings together, your session values will probably be removed 1440 seconds
after the visitor stops using your Web site. On each request received after that 1440-second period,
the probability that the removal actually runs is 1 in 1000.
In other words, if visitor John stops using your site and no other visitors
come to your site, the session values created for John will never be removed. However, if you
have a busy site, with say 1000 requests per minute, John's session values will be removed about
one minute plus 1440 seconds after John stopped using the site.
How To Test the Session Garbage Collection Process?
In order to test the session garbage collection process, you need to change the settings
to expire session variables in 10 seconds and run the process on every request:
session.gc_probability = 1
session.gc_divisor = 1
session.gc_maxlifetime = 10
(Continued on next part...)