How to change the session timeout in PHP

Question

I would like to extend the session timeout in php

I know that it is possible to do so by modifying the php.ini file. But I don't have access to it.

So is it possible to do it only with php code?

Recommended answer

Session timeout is a notion that has to be implemented in code if you want strict guarantees; that's the only way you can be absolutely certain that no session ever will survive after X minutes of inactivity.

If relaxing this requirement a little is acceptable and you are fine with placing a lower bound instead of a strict limit to the duration, you can do so easily and without writing custom logic.

If your sessions are implemented with cookies (which they probably are), and if the clients are not malicious, you can set an upper bound on the session duration by tweaking certain parameters. If you are using PHP's default session handling with cookies, setting session.gc_maxlifetime along with session_set_cookie_params should work for you like this:

// server should keep session data for AT LEAST 1 hour
ini_set('session.gc_maxlifetime', 3600);

// each client should remember their session id for EXACTLY 1 hour
session_set_cookie_params(3600);

session_start(); // ready to go!

This works by configuring the server to keep session data around for at least one hour of inactivity and instructing your clients that they should "forget" their session id after the same time span. Both of these steps are required to achieve the expected result.

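  • If you don't tell the clients to forget their session id after an hour (or if the clients are malicious and choose to ignore your instructions), they will keep using the same session id and its effective duration will be non-deterministic. This is because sessions whose lifetime has expired are not terminated on the server side, but only.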

GC is a potentially expensive process, so typically the probability is rather small or even zero (a website getting huge numbers of hits will probably forgo probabilistic GC entirely and schedule it to happen in the background every X minutes). In both cases (assuming non-cooperating clients) the lower bound for effective session lifetimes will be session.gc_maxlifetime, but the upper bound will be unpredictable.

If you don't set session.gc_maxlifetime to the same time span then the server might discard idle session data earlier than that; in this case, a client that still remembers their session id will present it but the server will find no data associated with that session, effectively behaving as if the session had just started.

You can make things completely controllable by using custom logic to also place an upper bound on session inactivity; together with the lower bound from above this results in a strict setting.

Do this by saving the upper bound together with the rest of the session data:

session_start(); // ready to go!

$now = time();
if (isset($_SESSION['discard_after']) && $now > $_SESSION['discard_after']) {
    // this session has worn out its welcome; kill it and start a brand new one
    session_unset();
    session_destroy();
    session_start();
}

// either new or old, it should live at most for another hour
$_SESSION['discard_after'] = $now + 3600;

Session id persistence

So far we have not been concerned at all with the exact values of each session id, only with the requirement that the data should exist as long as we need them to. Be aware that in the (unlikely) case that session ids matter to you, care must be taken to regenerate them with session_regenerate_id when required.
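The two snippets of the answer combined into one helper, as an added example that is not part of the original answer: the function names, the cookie flags (which assume an HTTPS site) and the strict-mode setting are assumptions. It also resends the session cookie on every request, because PHP otherwise sets the cookie's expiry only once, when the id is issued, so the client-side hour would count from the first visit rather than from the last activity.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT = 3600; // one hour, the value used in the answer

// Hypothetical helper: true when the stored upper bound has passed.
function idle_expired(array $session, int $now): bool
{
    return isset($session['discard_after']) && $now > $session['discard_after'];
}

// Hypothetical helper: start a session whose idle time is bounded on both sides.
function start_bounded_session(int $now): void
{
    // Assumed cookie flags; 'secure' requires the site to be served over HTTPS.
    $cookie = ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];

    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT); // server keeps data at least this long
    ini_set('session.use_strict_mode', '1');                // refuse ids the server did not issue
    session_set_cookie_params(['lifetime' => IDLE_LIMIT] + $cookie);
    session_start();

    if (idle_expired($_SESSION, $now)) {
        // Upper bound exceeded: drop the data and do not reuse the old id.
        session_unset();
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }
    $_SESSION['discard_after'] = $now + IDLE_LIMIT;

    // Resend the cookie so its expiry slides forward with each request.
    setcookie(session_name(), session_id(), ['expires' => $now + IDLE_LIMIT] + $cookie);
}

// Constructed sample data: exercise the expiry check without a web server.
if (PHP_SAPI === 'cli') {
    $now = 1700000000;
    var_dump(idle_expired([], $now));                             // brand new session
    var_dump(idle_expired(['discard_after' => $now + 10], $now)); // still within the hour
    var_dump(idle_expired(['discard_after' => $now - 1], $now));  // idle for too long
}
```

In a web request, call start_bounded_session(time()) before any output is sent, since both the session and the cookie refresh need to set headers.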

07-31 21:50