2018-06-22 08:26:30
session指的是默认php提供的文件session形式
当前我的认识是,php并不记录session的过期时间,但是php.ini中有session的垃圾回收机制
; Defines the probability that the 'garbage collection' process is started ; on every session initialization. The probability is calculated by using ; gc_probability/gc_divisor. Where session.gc_probability is the numerator ; and gc_divisor is the denominator in the equation. Setting this value to 1 ; when the session.gc_divisor value is 100 will give you approximately a 1% chance ; the gc will run on any give request. ; Default Value: 1 ; Development Value: 1 ; Production Value: 1 ; http://php.net/session.gc-probability session.gc_probability = 1 ; Defines the probability that the 'garbage collection' process is started on every ; session initialization. The probability is calculated by using the following equation: ; gc_probability/gc_divisor. Where session.gc_probability is the numerator and ; session.gc_divisor is the denominator in the equation. Setting this value to 1 ; when the session.gc_divisor value is 100 will give you approximately a 1% chance ; the gc will run on any give request. Increasing this value to 1000 will give you ; a 0.1% chance the gc will run on any give request. For high volume production servers, ; this is a more efficient approach. ; Default Value: 100 ; Development Value: 1000 ; Production Value: 1000 ; http://php.net/session.gc-divisor session.gc_divisor = 1000
并不是每次都精确的,当前的配置session_start()触发session回收的概率为1/1000,应为每次读取session都会更新这个session文件的修改时间,通过检测修改时间来检测是否过期,也就是即使设置了很短的session过期时间但是这个session很可能在预定的过期时间后仍然存在。
后台session设置了过期时间,为什么测试后发现可以精确的过期,应为浏览器端请求在session过期后,未携带phpsession做的请求,所以php会重新生成一个sessionid,这说明session的过期时间并不可靠
PHPSESSID=8s0dgoui98b623tviibb9dm0pt; path=/; domain=localhost; Expires=Fri, 22 Jun 2018 00:31:44 GMT;
用一个旧的cookie把过期时间延长超过后台设置的session过期时间后发现仍可访问