How to change the session timeout in PHP?


Problem description

I would like to extend the session timeout in php

I know that it is possible to do so by modifying the php.ini file. But I don't have access to it.

So is it possible to do it only with php code?

Recommended answer

Session timeout is a notion that has to be implemented in code if you want strict guarantees; that's the only way you can be absolutely certain that no session ever will survive after X minutes of inactivity.

If relaxing this requirement a little is acceptable and you are fine with placing a lower bound instead of a strict limit to the duration, you can do so easily and without writing custom logic.

If your sessions are implemented with cookies (which they probably are), and if the clients are not malicious, you can set an upper bound on the session duration by tweaking certain parameters. If you are using PHP's default session handling with cookies, setting session.gc_maxlifetime along with session_set_cookie_params should work for you like this:

// server should keep session data for AT LEAST 1 hour
ini_set('session.gc_maxlifetime', 3600);

// each client should remember their session id for EXACTLY 1 hour
session_set_cookie_params(3600);

session_start(); // ready to go!

This works by configuring the server to keep session data around for at least one hour of inactivity and instructing your clients that they should "forget" their session id after the same time span. Both of these steps are required to achieve the expected result.

  • If you don't tell the clients to forget their session id after one hour (or if the clients are malicious and choose to ignore your instructions), they will keep using the same session id and its effective duration will be non-deterministic. That's because sessions that have already expired on the server side are not garbage collected immediately, but only whenever the session GC kicks in.

GC is a potentially expensive process, so typically the probability is rather small or even zero (a website getting huge numbers of hits will probably forgo probabilistic GC entirely and schedule it to happen in the background every X minutes). In both cases (assuming non-cooperating clients) the lower bound for effective session lifetimes will be session.gc_maxlifetime, but the upper bound will be unpredictable.

  • If you don't set session.gc_maxlifetime to the same time span then the server might discard idle session data earlier than that; in this case, a client that still remembers their session id will present it but the server will find no data associated with that session, effectively behaving as if the session had just started.

You can make things completely controllable by using custom logic to also place an upper bound on session inactivity; together with the lower bound from above this results in a strict setting.

Do this by saving the upper bound together with the rest of the session data:

session_start(); // ready to go!

$now = time();
if (isset($_SESSION['discard_after']) && $now > $_SESSION['discard_after']) {
    // this session has worn out its welcome; kill it and start a brand new one
    session_unset();
    session_destroy();
    session_start();
}

// either new or old, it should live at most for another hour
$_SESSION['discard_after'] = $now + 3600;

Session id persistence

So far we have not cared at all about the exact value of each session id, only about the requirement that the data should exist whenever we need it. Note that in the (unlikely) case that session ids matter to you, care must be taken to regenerate them with session_regenerate_id when needed.
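The two snippets above combined into one helper, as an added example that is not part of the original answer. It assumes PHP 7.3 or later (array form of session_set_cookie_params and setcookie), that the site is served over HTTPS, and that it runs before any output; the cookie flags, the id regeneration after a discard, and the re-sent cookie that makes the client-side expiry slide with activity are additions beyond the answer's code.

```php
<?php
// Added example, not the answer's own code. Assumes PHP >= 7.3, HTTPS, and
// that nothing has been sent to the client yet.
declare(strict_types=1);

function start_bounded_session(int $idle_seconds = 3600): void
{
    // Lower bound: the server keeps idle session data for AT LEAST this long.
    // Must be set before session_start().
    ini_set('session.gc_maxlifetime', (string) $idle_seconds);

    // The client forgets the id after the same span. Cookie hardening flags
    // are an addition to the original snippet.
    session_set_cookie_params([
        'lifetime' => $idle_seconds,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    if (isset($_SESSION['discard_after']) && $now > $_SESSION['discard_after']) {
        // Upper bound: this session has worn out its welcome. Drop its data and
        // take a fresh id, since the stale id is still in the client's cookie
        // and session_start() alone would reuse it.
        session_unset();
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }

    // Either new or old, it lives at most another $idle_seconds from this
    // request, so the bound is on inactivity rather than on session age.
    $_SESSION['discard_after'] = $now + $idle_seconds;

    // session_set_cookie_params only fixes the expiry when the cookie is first
    // set; re-send it so the client-side expiry slides with activity too.
    setcookie(session_name(), session_id(), [
        'expires'  => $now + $idle_seconds,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

start_bounded_session(3600);
```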
