Posted by Jochem Maas on 08/05/05 01:16

Suhas wrote:
> Hello,
> I am trying to understand how sessions work. I have this code. My
> understanding is after 1 sec of script completion, (may be little
> after that), the session should destroy.
>
> I understand that it is huge overhead for server, not planning to do
> this but want to understand how it really works.
>
> This server uses cookie to store session. Setings in php.ini file are
> defaut (1440 and probility is 1)
>
>
> ini_set('session.auto_start', '0');

this ini setting can onyl be set before php
starts - setting inside your script does nothing. I THINK.

> session_id('SSP');

I wouldn't make the call to session_id() - not like that
anyway - insecure springs to mind - read more here:
http://php.net/session_id

IHMO you should just let php handle session id generation.

> session_cache_limiter("nocache");

this function call determine the kind of
caching headers that will be sent.
yuor pages should not be cached by the browser
or any intermediary proxy.

> ini_set('session.cookie_lifetime', '0');

this sets you session cookie to last for as long as you
keep the browser open.

> ini_set('session.gc_probability', '100');
> ini_set('session.gc_divisor', '100');
> ini_set('session.gc_maxlifetime', '1');

these 3 ini setting have to do with garbage collection
(gc) of stale session data (files) - the numbers you use
100 & 100 mean that the garbage collector will be run
at the end of every request - thats very bad for performance.

session.gc_maxlifetime doesn't seem to be being honored ..
this may be down to your version of php, your OS, a combination
thereof - or it may even be that the value is too small to
be meaningful. or the session.cookie_lifetime may be
interfering - I just don't know but seems _like_ incorrect behaviour

bare in mind that although you are calling ini_set() on all these
setting that does not mean that any of the values you give are actually
being set successfully - use ini_get() after your call to session_start()
and echo out the results to determine what values are actually in
affect.

> session_start();

indeed - you must call session_start() before trying to
use $_SESSION
>
> if(!session_is_registered('count'))
> session_register('count');
>
> echo ++$_SESSION['count'];

don't mix the use session_register() and the $_SESSION
superglobal - in fact just use the $_SESSION superglobal
and forget session_reigster completely i.e.
you can just do:

if (!isset($_SESSION['count'])) {
$_SESSION['count'] = 0;
}

$_SESSION['count']++;

>
> Any help will be appriciated!

HTH (I might need correcting on some of the details - anyone
care to chip in?)

>
> Thanks
> SP
>

[Back to original message]