Brief analysis of PHP session principle
2022-07-02 06:54:00 【Xu Jirong】
Why is session control needed? (Answer: the HTTP protocol is stateless)
The source of the following text can no longer be found. A long time ago I copied a lot of assorted articles to my local machine; apologies to the original author.
As everybody knows, the Internet application-layer protocols we currently use are basically built on HTTP and HTTPS, which are stateless: they only handle requests and responses. We tell the server what we need, and the server returns the corresponding resource. Without additional handling, the server does not know who you are, so it cannot show you content that depends on who you are.
HTTP was originally intended for academic exchange. As the Internet came into ever wider use, forums, shopping sites and the like needed to record user state, and cookies, sessions and tokens emerged to meet that need. This article covers sessions only, in the context of PHP; look up the others yourself.
How a session works
The session workflow can be divided into the following steps:
1. The browser requests the website for the first time, and the server generates a Session ID.
2. The generated Session ID is saved in the server's storage.
3. The generated Session ID is returned to the browser via the Set-Cookie header.
4. The browser receives the Session ID and sends it along with its next request.
5. The server receives the Session ID from the browser, looks up the user state stored for it in the session store, and the session is established.
6. Subsequent requests all exchange this Session ID, which gives a stateful session.
Sessions in PHP
Let's see how PHP creates a session:
<?php
// Start the session
session_start();
// Declare a session variable named admin and assign it a null value.
// The superglobal is $_SESSION; PHP variable names are case-sensitive.
$_SESSION["admin"] = null;
?>
session_start()
Starts the session: it opens the session file that corresponds to the session ID. If there is none, it creates an ID (the Session ID is a unique string generated by a series of algorithms) and the corresponding session file.
The session_start() function must come before any HTML tag in the page.
$_SESSION
Stores and retrieves session variables.
Destroying a session
unset()
unset() releases the specified session variable. It only clears the value; the variable still exists.
session_destroy()
Destroys the session: it closes the session and deletes the corresponding session file, cutting the link between the client and the server.
session_destroy() resets the session, and all stored session data is lost.
Session penetration testing
Session penetration testing generally covers the following three aspects. I don't know whether that is all of them; if it is not, readers are welcome to correct and add to it.
1. Session fixation test
Example: capture the traffic and check whether the session value is the same across two logins.
2. Session logout test
Example: log in and obtain the session value; after logging out, send a request to the server carrying that session value and see whether operations that require login can still be performed.
3. Session timeout test
Example: check whether the session is logged out after the page has gone unused for a long time.
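Each of the three tests above corresponds to one server-side behaviour. The following is an added example, not code from the original article: it issues a new ID at login, fully destroys the session at logout, and enforces an idle timeout. The function names and the 900-second IDLE_LIMIT are assumptions, and PHP 7.3 or later is assumed for the cookie_samesite option.

```php
<?php
// Added example. IDLE_LIMIT and all function names are hypothetical.
const IDLE_LIMIT = 900; // assumed idle timeout, in seconds

function start_secure_session(): void {
    session_start([
        'use_strict_mode'  => true,   // reject IDs the server did not issue
        'use_only_cookies' => true,   // never accept the ID from the URL
        'cookie_httponly'  => true,   // hide the cookie from page scripts
        'cookie_secure'    => true,   // send the cookie over HTTPS only
        'cookie_samesite'  => 'Lax',  // requires PHP 7.3+
    ]);
}

// 1. Fixation: issue a fresh ID at login so any pre-login ID is useless.
function login_user(string $user): void {
    session_regenerate_id(true);      // true = delete the old session file
    $_SESSION['user'] = $user;
    $_SESSION['last_seen'] = time();
}

// 2. Logout: clear the data, expire the cookie, delete the server-side file,
//    so a replayed session value no longer maps to a logged-in user.
function logout_user(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// 3. Timeout: end a session that has been idle longer than IDLE_LIMIT.
function enforce_idle_timeout(): bool {
    $last = $_SESSION['last_seen'] ?? null;
    if ($last !== null && time() - $last > IDLE_LIMIT) {
        logout_user();
        return false;                 // caller should redirect to the login page
    }
    $_SESSION['last_seen'] = time();  // record activity for the next request
    return true;
}

// At the top of every protected page (before any output):
//   start_secure_session();
//   if (!enforce_idle_timeout() || !isset($_SESSION['user'])) { /* redirect */ }
```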