Session timeouts in PHP: best practices


Question

What is the actual difference between session.gc_maxlifetime and session_cache_expire() ?

Suppose I want the users session to be invalid after 15 minutes of non-activity (and not 15 after it was first opened). Which one of these will help me there?

I also know I can do session_set_cookie_params() which can set the user's cookie to expire in some amount of time. However, the cookie expiring and the actual session expiring on the server side are not the same; does this also delete the session when the cookie has expired?

Another solution I have thought of is simply $_SESSION['last_time'] = time() on every request, comparing the session to the current time, and deleting the session based on that. I was hoping there was a more "built-in" mechanism for handling this though.

Thanks.

Accepted answer

Each time session_start is called, the session file's timestamp (if it exists) gets updated, which is used to calculate whether session.gc_maxlifetime has been exceeded.

More importantly, you can't depend on a session expiring after session.gc_maxlifetime has been exceeded.

PHP runs garbage collection on expired sessions after the current session is loaded, and by using session.gc_probability and session.gc_divisor it calculates the probability that garbage collection will run. By default it's a 1% probability.

If you have a low number of visitors, there is a probability that an inactive user could access a session that should have expired and been deleted. If this is important to you, you will need to store a timestamp in the session and calculate how long a user has been inactive.

This example replaces session_start and enforces a timeout:

function my_session_start($timeout = 1440) {
    // Must be set before session_start(); GC will only remove files idle longer than this.
    ini_set('session.gc_maxlifetime', $timeout);
    session_start();

    // Enforce the idle deadline ourselves, whether or not GC has run yet.
    if (isset($_SESSION['timeout_idle']) && $_SESSION['timeout_idle'] < time()) {
        session_destroy();
        session_start();
        session_regenerate_id();
        $_SESSION = array();
    }

    // Slide the idle deadline forward on every request.
    $_SESSION['timeout_idle'] = time() + $timeout;
}
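The following is an added example, not code from the answer above, that extends the same idea to the points raised in the question: it enforces an idle timeout and an absolute lifetime on the server side (so expiry does not depend on the probabilistic garbage collector), aligns the cookie settings with that policy, and shows that expiring the cookie on logout is a separate step from destroying the server-side record. The function names secure_session_start and secure_session_destroy and the session keys last_activity and created_at are this example's own choices.

```php
<?php
// Added example (not part of the original answer). Drop-in replacement for
// session_start() that enforces idle and absolute timeouts itself; assumed
// names: secure_session_start, secure_session_destroy, 'last_activity', 'created_at'.
declare(strict_types=1);

function secure_session_start(int $idle = 900, int $absolute = 28800): void
{
    // GC is only a backstop: it runs with probability gc_probability/gc_divisor
    // per request, so a stale file can survive well past this value.
    ini_set('session.gc_maxlifetime', (string) $idle);
    ini_set('session.use_strict_mode', '1');   // refuse IDs the server never issued
    ini_set('session.use_only_cookies', '1');  // never read the ID from the URL

    // lifetime 0 = session cookie, discarded when the browser closes. A cookie
    // expiring in the browser does not remove the server-side record; the
    // timestamp checks below are what actually invalidate it.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();
    $now = time();

    // Idle timeout: time since the last request that touched the session.
    $idle_expired = isset($_SESSION['last_activity'])
        && ($now - $_SESSION['last_activity']) > $idle;

    // Absolute timeout: time since the session was first created, regardless of activity.
    $absolute_expired = isset($_SESSION['created_at'])
        && ($now - $_SESSION['created_at']) > $absolute;

    if ($idle_expired || $absolute_expired) {
        // Wipe the data, delete the old server-side record, and issue a fresh ID
        // so the expired identifier cannot be reused.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['created_at'] = $now;
    } elseif (!isset($_SESSION['created_at'])) {
        $_SESSION['created_at'] = $now;
    }

    $_SESSION['last_activity'] = $now;
}

function secure_session_destroy(): void
{
    // Logout: clear data, expire the browser cookie, then destroy the server record.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage: call secure_session_start() instead of session_start() on every request.
secure_session_start(15 * 60, 8 * 60 * 60);
```

The idle check uses the elapsed time since last_activity rather than a stored deadline, so changing the timeout value takes effect on the next request for existing sessions too. With the default file handler, session_start() still updates the file's modification time as the answer describes, so gc_maxlifetime keeps cleaning up records that no client ever returns to.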
