php[tek] 2017: Atlanta

Session Handling

add a note add a note

User Contributed Notes 6 notes

e dot mortoray at ecircle dot com
7 years ago
There is a nuance we found with session timing out although the user is still active in the session.  The problem has to do with never modifying the session variable.

The GC will clear the session data files based on their last modification time.  Thus if you never modify the session, you simply read from it, then the GC will eventually clean up.

To prevent this you need to ensure that your session is modified within the GC delete time.  You can accomplish this like below.

if( !isset($_SESSION['last_access']) || (time() - $_SESSION['last_access']) > 60 )
$_SESSION['last_access'] = time();

This will update the session every 60s to ensure that the modification date is altered.
bouvrette dot nicolas at gmail dot com
2 years ago
Be careful if you are updating to PHP 5.6 since the the Sessions's Write behavior changed.  It now only writes the session if you changed the data. So this means that if you rely on your session to update an activity time stamp on the server (to control session expiry) you will end up having issues. Here is a quick fix if you are implementing SessionHandlerInterface:

    public function close() {
        $this->write($this->id, serialize($_SESSION));
        return true;

Make sure you also use this:

        ini_set('session.serialize_handler', 'php_serialize'); // Force standard PHP functions handler for flexibility

More details here:

Request #17860 (Session write short circuit)
roberto at spadim dot com dot br
5 years ago
instead of memcache, you should consider using redis

it have KEYS command ( that can return all keys (like 'ls'/'dir' at php sessions directory)

it allow replication too (cluster use)

i don't know if anyone wrote a version of phpsessions using redis yet, but since memcache don't have KEYS command, it's hard to know if the users is connected (at app side) or what sessions still active (not expired/not logged)
elephant at punx dot pl
5 years ago
Please note, that database is NOT recommended for session storage. It can be a big performance bottleneck, especially in replicated environments.

For saving sessions, file handler seems to be very effective for most setups, except those situations:
- if performance is an issue, the directory which stores session files can be mounted as tmpfs (ram disk).
- if sharing sessions across multiple webservers is needed (in clustered environments), use memcache for storing session information (tip: you can setup more than one instance of memcache eliminate single point of failure). This method, however, sets a limitation of session size to 64k (this should be enough for most applications)
- don't use NFS for sharing session files between webservers, it does not handle locking correctly and can cause corruption of session data.
8 years ago
When you include a php file in your current script it's included, not processed separately, thus it's still within the same page and the current page hasn't finished processing.
Thus, session is not set yet. This is the expected behaviour.

If you need to load a page after setting session data, you should set session data and then send a redirection or refresh header (remember not to send anything, not even whitespace before sending headers).

Always consider session data to be updated after the next page load (as in http request completed).
Some Guy
8 years ago
Just some notes - it seems that php does the session writing after the script exits.
For example, if you set a bunch of session variables and then run session_regenerate_id() - the session variables are never written to the old session. The new session id is generated when you ask it to be generated, but the session exists only in memory until after the script exits - when the session is written and any and all session variables are written to it.

This caused me some confusion, as I'm running sessions in an sql database rather than flat file, trying to do any manipulation of the session database directly in a script where you have run session_regenerate_id() will fail for the new session ID because the insert hasn't been done yet, and setting any session variables will only be written to the new session, even if set before you regenerate the session ID.

Also - if using a database for sessions, make sure to use mysql_real_escape_string() before saving any session variables.
To Top