In Chapter 10, we described the three characteristics of session management: storing session variables, matching these session variables to HTTP requests using a session identifier, and removing timed-out sessions with garbage collection. PHP session management largely takes care of these issues, and with the default configuration, you needn't worry how storage, session identification, and garbage collection are performed. To understand what we accomplish in this appendix, you should know a bit about what PHP does behind the scenes. You should also understand the layers within the PHP session support and how you can hook your own functions in. Figure F-2 shows how session variables are stored and retrieved when PHP runs an application script that uses session support. PHP session support is divided into two layers: the PHP session management layer provides the interface to session-based scripts, and the storage layer is responsible for reading and writing session variables in the session store. The storage layer in the default configuration works with files in a directory designated for PHP session storage. Figure F-2. PHP session managementWhen a script makes a call to session_start( ), the PHP session management layer reads the session ID from the HTTP request, starts a session by making open and read calls to the storage layer, and initializes the session variables in the $_SESSION array. The open call is responsible for opening the session store: the default implementation simply identifies the directory that stores the session file. The read call is responsible for finding and returning the serialized session variables associated with the session ID; we discuss serialization later in this section. When the script ends, the session management layer calls write and close functions to write the contents of the array $_SESSION back to the session store and close the session. The write function is responsible for finding the session file and writing the serialized session variables to that file. The close function formally closes the session store: in the default implementation, the close operation does nothing, as no close operation is required on a file system. The session management layer is responsible for serializing and deserializing the session variables. Serialization means that the variables are converted to strings that describe the variable name, its type, length, and value. When a script ends, the session variables in the array $_SESSION are serialized and passed as a single string to the write function to be saved in the session store. For example, if the array $_SESSION contains a string variable name, a float variable height, and an integer variable age; the serialized string might look like this: name|s:4:"Dave";height|d:1.86;age|i:38; When the read function identifies a session file, it simply returns the serialized string back to the session management layer to be deserialized into the $_SESSION array. The PHP session storage layer also implements functions that destroy a session when a script calls session_destroy( ). It also performs garbage collection to remove timed-out sessions. Unlike the other storage functions, garbage collection is not tied directly to an event in the application script. Instead the session management layer calls garbage collection randomly when a call is made to session_start( ). The probability that garbage collection is called is defined by the configuration parameters session.gc_probability and session.gc_dividend. For a more detailed discussion about garbage collection see Chapter 10. F.2.1 PHP Session Management Storage MethodsDifferent storage strategies can be used for session management. PHP can be configured to store session variables in files on disk (the default method), in memory, or in a user-defined way. The storage method used is configured by the session.save_handler parameter in the php.ini file. The values the session.save_handler parameter can take are:
F.2.2 Building User-Defined Storage HandlersBy implementing user-defined storage handlers, a developer can modify how PHP sessions are stored without needing to change any application logic. The only modification required in a PHP script is an additional require directive that specifies the use of the user-defined session management handlers. When the PHP session.save_handler parameter is set to user, you are basically writing your own replacement for the right-hand side of Figure F-2 shown earlier. Everything from the column showing the open through close calls to the Session Store is up to you. PHP must be provided with a set of functions that provide the low-level session storage support. These functions replace the default storage layer illustrated in Figure F-2. The functions that you need to write, and the prototypes they must conform to, are listed below:
The return types and the parameters passed to the functions must conform to the prototypes listed here, but you can set the actual function names to whatever you like. However, these functions need to be registered with PHP using session_set_save_handler( ) :
|