By default, the time that the session cookie remains on the client side is set to 0, meaning that the session
identifier will be "lost" when the web browser that initiated the original session is shut down.
This can be changed in the php.ini file with the session.cookie_lifetime configuration setting.
This is one of many configuration options that must be considered when setting up session handling
for a specific instance of PHP:
• session.save_handler - This configuration option defines the method by which session storage
will be handled. There are three options to choose from:
o files - This method is the default and the most common. With this setting, the session handler
uses files on the operating system to track the session information.
o mm - This method stores the session information in shared memory (RAM). Of the three, this option
is the fastest but also the most volatile.
o user - This method uses user-defined functions to handle the session information. This is the
option to choose when using MySQL, or any other medium, to store and manage the session
information.
• session.save_path - The value assigned to this option (/tmp by default) determines where the
files associated with the session ID will be stored. Two things must be kept in mind when setting this
path: first, can the system write to this directory, and second, is the location a safe directory? Using
the document root of the web server is not acceptable, and even the /tmp directory is unacceptable
because its contents can be viewed by other users on the server.
• session.use_cookies - If this value is set to 1, PHP will use only cookies to store the session ID.
This means that the session ID will not be removed from the server when the web browser is closed
(thus releasing the session ID); it will remain on the system until other settings (or scripting) tell PHP
to terminate it. If this value is set to 0, URL rewriting will be used. URL rewriting is a transparent
method by which the session ID is tracked from web page to web page (on the same site) by appending
its value to the URL for the next page to read. This of course works only for an individual site visit,
and nothing persists beyond that visit (basically the host is friendly while the user is visiting, but
forgets the user and their preferences when they leave).
• session.use_only_cookies - If this value is set to 1, only cookies can be used to store session
IDs (no URL rewriting is allowed, which prevents attacks that steal a session ID from the URL). If this
value is set to 0, both URL rewriting and cookies can be used.
• session.name - This configuration option determines the default name of the cookie that will be
used. The default name is PHPSESSID; however, it can be renamed to better match the application
that it supports. In addition, the session name can also be set for a specific application component
with the session_name() function.
• session.cookie_lifetime - The value entered here determines how long a cookie is valid, in
seconds. For a cookie to last 7 days, the value would need to be set to 604800 (60*60*24*7).
• session.cookie_path - The value entered here determines the path (and all directories beneath
it) for which cookies are valid on the site served by PHP. An entry such as / on www.mysql.com covers
the root directory of the web server and all directories beneath it. However, an entry such as /training
on www.mysql.com only allows cookies in the training path (www.mysql.com/training and all
directories beneath it).
• session.cookie_domain - This configuration option sets the domain for which the cookie is
valid and ensures that other domains are not able to read the domain's cookies.
• session.gc_probability - When a session is created, a flat file is created on the server, and
these files accumulate over time. PHP has a built-in "load balancing" feature (called garbage
collection) that takes care of these files and deletes old ones from time to time. This feature is
managed by three configuration options that ensure old session files are deleted not on each and
every session request, but with a certain probability. This configuration option,
session.gc_probability, is the numerator of the probability ratio used to calculate how frequently the
garbage collection routine is invoked (1/x).
• session.gc_divisor - This configuration option is the denominator of the probability ratio used
to calculate how frequently the garbage collection routine is invoked (x/100).
• session.gc_maxlifetime - This configuration option sets the maximum age (in seconds) of
data before it is considered garbage and is irretrievably destroyed. The default is 1440 seconds (24
minutes).
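The settings above can also be applied from a bootstrap script instead of php.ini. The following is an added example, not code from the original page: it checks the two save_path conditions the text names (writable, and not readable by other users or under the document root), then applies the options discussed. The directory, cookie domain and cookie path are placeholder assumptions.

```php
<?php
// Added example: apply the session options discussed above at runtime and verify
// the save_path conditions before session_start(). Paths and domain are assumptions.
declare(strict_types=1);

$savePath   = '/var/lib/app-sessions';   // assumption: private directory outside the document root
$docRoot    = rtrim($_SERVER['DOCUMENT_ROOT'] ?? '/var/www/html', '/');
$cookieLife = 60 * 60 * 24 * 7;          // 604800 seconds = 7 days, as in the text

// session.save_path check 1: can PHP write to the directory?
if (!is_dir($savePath) || !is_writable($savePath)) {
    throw new RuntimeException("session save_path $savePath is missing or not writable");
}
// session.save_path check 2: is it a safe location? Reject the document root and any
// directory whose group/other read bits are set (the reason the text rejects /tmp).
if (strpos(realpath($savePath), $docRoot) === 0) {
    throw new RuntimeException('session save_path must not live under the document root');
}
if ((fileperms($savePath) & 0044) !== 0) {
    throw new RuntimeException('session save_path is readable by other users on the server');
}

ini_set('session.save_handler', 'files');   // default; a "user" handler would be set via session_set_save_handler()
ini_set('session.save_path', $savePath);
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');   // no URL rewriting, so the ID is never carried in a URL
ini_set('session.gc_probability', '1');
ini_set('session.gc_divisor', '100');       // garbage collection runs on roughly 1 in 100 requests
ini_set('session.gc_maxlifetime', '1440');  // 24 minutes, the default named in the text

session_name('APPSESSID');                  // replaces the default PHPSESSID cookie name
session_set_cookie_params([
    'lifetime' => $cookieLife,              // session.cookie_lifetime
    'path'     => '/training',              // session.cookie_path (assumption: one application path)
    'domain'   => 'www.example.com',        // session.cookie_domain (assumption: placeholder domain)
    'secure'   => true,                     // extra flags not covered in the text: cookie only over HTTPS
    'httponly' => true,                     // and not readable from client-side script
]);

session_start();
```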