Skip to main content

Few questions about PHP sessions


I have a few a few question about php sessions:





  1. Since the default value for session.gc_maxlifetime is 24 mins then that means any session file that isn't modified for 24 mins will be deleted and the session will expire automatically.







  1. If I use session_destroy() in my code the session will be unset, but the session file itself won't be deleted until 24 mins passes since it was last modified.





  2. The only way to extend the session's life time (more than 24 mins) is to extend session.gc_maxlifetime to a bigger value.





Are all these correct or did I get something wrong about it?



Also if I store my sessions in a database (using session_set_save_handler() ) will all these rules apply to them ?


Source: Tips4allCCNA FINAL EXAM

Comments

  1. Almost. The file (session) will not be deleted immediately, that is determined by session.gc_probability and session.gc_divisor.
    No, the session will be expired, but the deletion of the session file is determined as stated in previous point
    That is correct ordinarily, but if you were to implement your own session handler, you could alter the behavior of session expiration even in such a way that session.gc_maxlifetime is ignored


    Storing session in db should not alter those rules, but could stretch them a little, if you wanted to.

    edit:

    This is roughly how you can register your own session handler (handler being a class) and then do whatever you want with it

    First, suppose we have a class, that is going to be handling sessions for our application.

    class MySession {
    function open($save_path, $session_name) {
    }

    function close() {
    }

    function read($id) {
    }

    function write($id, $sess_data) {
    }

    function destroy($id) {
    }

    function gc($maxlifetime) {
    }
    }


    To register the handler in php, you only need to call session_set_save_handler function, like this in our case:

    // register the session handler
    $sess = new MySession();
    session_set_save_handler(array($sess, 'open'),
    array($sess, 'close'),
    array($sess, 'read'),
    array($sess, 'write'),
    array($sess, 'destroy'),
    array($sess, 'gc'));


    Note that there are actually better ways to register the handler itself, you could even do this in the constructor of your class, or in numerous other ways. But I assume that is not the point here.

    What is important is the fact that although PHP gives you the needed variables corresponding to standard behavior of it's session management mechanism, you don't have to respect it (not that I would recommend that).

    To answer a comment below, to ignore the maxlifetime parameter, you ignore that in your gc method and use whatever you deem necessary/right, for example (using db pseudo code):

    function gc($maxlifetime) {
    $sql = "DELETE * FROM MySession WHERE lastAccess < NOW()-3600";
    // execute the query, say I have PDO instance in $dbh variable
    $dbh->execute($sql);
    }


    Voila, you just completely circumvented PHP session settings by doing it by yourself.

    ReplyDelete
  2. Correct, session.gc_maxlifetime will delete session file when the session expires
    session_destroy doesn't delete the session file
    yes, this the only way. After you can disable the garbage collection playing with the session.gc_divider and make a script to make your own garbage collection, Debian based distro actually does that by default.


    Storing the session in some database won't change those rules.

    ReplyDelete

Post a Comment

Popular posts from this blog

Wildcards in a hosts file

I want to setup my local development machine so that any requests for *.local are redirected to localhost . The idea is that as I develop multiple sites, I can just add vhosts to Apache called site1.local , site2.local etc, and have them all resolve to localhost , while Apache serves a different site accordingly.