Session Management Over the Web (Cont.) - Page 7
April 24, 2002
Garbage Collection
While it is good practice to build applications that provide a way to end a
session--with a script that makes a call to session_destroy(
)--there is no guarantee that a user will log out by requesting the
appropriate PHP script. PHP session management has a built-in garbage
collection mechanism that ensures unused session files are eventually cleaned
up. This is important for two reasons: it prevents the directory from filling
up with session files that can cause performance to degrade and, more
importantly, it reduces the risk of someone guessing session IDs and hijacking
an old unused session.
There are two parameters that control garbage collection:
session.gc_maxlifetime and session.gc_probability,
both defined in the php.ini file. A garbage collection process is run
when a session is initialized, for example, when session_start( )
is called. Each session is examined by the garbage collection process, and any
sessions that have not been accessed for a specified period of time are
removed. This period is specified as seconds of inactivity in the
gc_maxlifetime parameter--the default value being 1,440 seconds.
The file-based session management uses the update time of the file to
determine the last access. To prevent the garbage collection process from
removing active session files, PHP must modify the update time of the file
when session variables are read, not just when they are written.
The garbage collection process can become expensive to run, especially in
sites with high numbers of users, because the last-modified date of every
session file must be examined. The second parameter
gc_probability sets the percentage probability that the garbage
collection process will be activated. A setting of 100% ensures that sessions
are examined for garbage collection with every session initialization. The
default value of 1% means that garbage collection occurs with a probability of
1 in 100.[1]
Depending on the requirements, some figure between these two extremes balances
the needs of the application and performance. Unless a site is receiving less
that 1,000 hits per day, the probability should be set quite low. For example,
an application that receives 1,000 hits in a 10-hour period with a
gc_probability setting of 10% runs the garbage collection
function, on average, once every 6 minutes. Setting the
gc_probability too high adds unnecessary processing load on the
server.
When it is important to prevent users from accessing old sessions, the
gc_probability should be increased. For example, the default
session configuration sets up a cookie in the browser to be deleted when the
browser program is terminated. This prevents a user from accidentally
reconnecting to an old session. However, if the session ID is encoded into a
URL, a bookmarked page can find an old session if it still exists. If session
IDs are passed using the GET method, you should increase the
probability of running garbage collection.
Configuration of PHP Session Management
There are several parameters that can be manipulated to change the behavior
of the PHP session management. These parameters are set in the
php.ini file in the section headed [Session].
session.save_handler
- This parameter specifies the method used by PHP to store and retrieve
session variables. The default value is
files, to indicate the
use of session files, as described in the previous sections. The other
values that this parameter can have are: mm to store and
retrieve variables from shared memory, and user to store and
retrieve variables with user-defined handlers. In Appendix D we describe how
to create user-defined handlers to store session variables in a MySQL
database.
session.save_path
- This parameter specifies the directory in which session files are saved
when the
session.save_handler is set to files. The
default value is /tmp. When implementing user-defined
save_handler methods, the value of this parameter is passed as
an argument to the function that opens a session. User-defined handlers are
discussed in Appendix D.
session.use_cookies
- This parameter determines if PHP sets a cookie to hold the session ID.
Setting this parameter to
0 stops PHP from setting cookies and
may be considered for the reasons discussed in the previous section. The
default value is 1, meaning that a cookie stores the session
ID.
session.name
- This parameter controls the name of the cookie,
GET
attribute, or POST attribute that is used to hold the session
ID. The default is PHPSESSID, and there is no reason to change
this setting unless there is a name collision with another variable.
session.auto_start
- With the default value of
0 for this setting, PHP
initializes a session only when a session call such as
session_start( ) or session_register( ) is made. If
this parameter is set to 1, sessions are automatically
initialized if a session ID is found in the request. Allowing sessions to
autostart adds unnecessary overhead if session values aren't required for
all scripts.
session.cookie_lifetime
- This parameter holds the life of a session cookie in seconds and is used
by PHP when setting the expiry date and time of a cookie. The default value
of
0 sets up a session cookie that lasts only while the browser
program is running. Setting this value to a number of seconds other than
0 sets up the cookie with an expiry date and time. The expiry
date and time of the cookie is set as an absolute date and time, calculated
by adding the cookie_lifetime value to the current date and
time on the server machine.[2]
session.cookie_path
- This parameter sets the valid path for a cookie. The default value is
/, which means that browsers include the session cookie in
requests for resources in all paths for the cookie's domain. Setting this
value to the path of the session-based scripts can reduce the number of
requests that need to include the cookie. For example, setting the parameter
to /winestore instructs the browser to include the
session cookie only with requests that start with http://www.webdatabasebook.com/winestore/.
session.cookie_domain
- This parameter can override the domain for which the cookie is valid.
The default is a blank string, meaning that the cookie is set with the
domain of the machine running the web server, and the browser includes the
cookie only in requests sent to that domain.
session.cookie_secure
- This parameter sets the secure flag of a cookie, which prevents a
browser from sending the session cookie over nonencrypted connections. When
this setting is
1, the browser sends the session cookie over a
network connection that is protected using the Secure Sockets Layer, SSL. We
discuss SSL in the next chapter and provide installation instructions in
Appendix A. The default value of 0 allows a browser to send the
session cookie over encrypted and nonencrypted services.
session.serialize_handler
- This parameter sets up the method by which variables are serialized,
that is, how they are converted into a stream of bytes suitable for the
chosen session store. The default value is
php, which indicates
use of the standard PHP serialization functions. An alternative is
wddx, which uses the WDDX libraries that encode variables as
XML.
session.gc_probability
- This parameter determines the probability that the garbage collection
process will be performed when a session is initialized. The default value
of
1 sets a 1% chance of garbage collection. See the discussion
in the previous section for a full explanation of garbage collection.
session.gc_maxlifetime
- This parameter sets the life of a session in number of seconds. The
default value is
1440, or 24 minutes. Garbage collection
destroys a session that has been inactive for this period. See the
discussion in the previous section for a full explanation of garbage
collection.
session.referer_check
- This parameter can restrict the creation of sessions to requests that
have the HTTP
Referer: header field set. This is a useful
feature if access to an application is allowed only by following a hypertext
link from a particular page such as a welcome page. If the HTTP
Referer header field doesn't match the value of this parameter,
PHP creates a session, but the session is marked as invalid and unusable.
The default value of a blank string applies no restriction.
session.entropy_file
- PHP generates the session IDs from a random number seeded by the system
date and time. Because the algorithm is known--it can be looked up in the
PHP source code--it makes guessing session IDs a little easier. If this
parameter is set to the name of a file, the first n bytes from that
file (where n is specified by the
session.entropy_length parameter) make the ID less predictable.
The default value is left blank, meaning the default seeding method is used.
One alternative is to use /dev/urandom, a special Unix device
that produces a pseudorandom number.
session.entropy_length
- This parameter is the number of bytes to use when generating a session
ID from the file specified by
session.entropy_file. The default
value is 0, the required value when no entropy file is set.
session.cache_limiter
- This parameter controls how responses can be cached by the browser. The
default is
nocache, meaning that PHP sets up the HTTP response
to avoid browser caching. PHP sets the HTTP/1.1-defined header field
Cache-Control to no-cache, the HTTP/1.0 header
field Pragma to no-cache, and--for good
measure--the Expires header field to Thu, 19 Nov 1981
08:52:00 GMT. Applications that use sessions--and even
stateless web database applications--can be adversely affected when browsers
cache pages. The other values allowed, private and
public, allow responses to be cached. The distinction between
private and public is apparent when a proxy server caches responses. See
Appendix B for more details about HTTP caching.
session.cache_expire
- This parameter is used when caching is allowed; it sets the expiry date
and time of the response to be the current system time plus the parameter
value in minutes. The default
180.
Session Management Over the Web (Cont.) - Page 6
Web Database Applications with PHP & MySQL
Case Study: Adding Sessions to the Winestore - Page 8
|
