I am a little confused about the session management in PHP. A lot of focus in the docs is devoted to the magic PHPSESSID cookie. I program Ajax and am actually thinking of getting rid of cookies. I understand that I can do so in the php.ini file. It also seems possible to suppress the PHPSESSID by means of a simple ini_set(“session.use_cookies”,0) at the top of my login script. Don’t get me wrong, I do want sessions. My Ajax hand-shakes will, where required, POST the session id. From the cookie-centric docs, one just gains the impression that all session expiry handling is done via the time stamp on the cookie. I am unclear on how exactly a timestamp of a cookie can prompt the server to expire the session cache over a stateless connection? Put another way, in a cookie-less setup, how can I instruct the server to clean down the session cache after a while? Would I still be calling session_set_cookie_params? Seems quaint…
If I understand well, then I should call sessionID(sid) and check the return for “” to make out whether “sid” is dead. Correct?
Thanks.
session.cookie_lifetime influences the expires parameter of the cookie that session_start() sets. It’s like
setcookie(<sessionname>, <sessionid>, time()+<session.cookie_lifetime>, ...). It advises the client not to use that cookie after time()+<session.cookie_lifetime> (but it can of course remove it earlier, not accept it at all or ignore the “expires” parameter altogether). The session id is used to select the “right” session data. I.e. if a request does not contain the correct session id the session data is not available to the php script.
If only that single client knows the session id (as it should be) and throws away the cookie that contains the session id the session data is unreachable. Unreachable but still present on the server.
When a script invokes session_start() there is a chance that the garbage collection is started, see session.gc_probability and session.gc_divisor.
Then the flat-file session handler loops through all files in the directory specified by session.save_path and checks the “last modified time” (mtime). If that timestamp is older than now - session.gc_maxlifetime, the file is removed (unless this file corresponds to the current session id, in which case it doesn’t matter how old the file is).
That takes some time and is therefore not performed on each call to session_start().
I.e. there can be session files on the server that are older than both session.cookie_lifetime and session.gc_maxlifetime.
session.cookie_lifetime signals the client that there is no need to store the cookie/id after x seconds.
session.gc_maxlifetime signals the session mechanism that there is no need to keep the data after x seconds.
But as long as the data remains on the server it can be accessed if the respective session-id is sent.
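Added example, not part of the question or the answer above: a cookie-less endpoint that takes the session id from the POST body and enforces its own idle timeout in the script, because (as the answer explains) the garbage collector only runs on a fraction of requests and a stale session file stays usable until it happens to be reaped. It assumes PHP 7.1 or later, the default files save handler, a POST field named `sid`, and a 15-minute timeout; those are choices made for the example, not anything the thread states.

```php
<?php
// Added example (not from the original thread). Assumes PHP >= 7.1, the
// default "files" save handler, and an Ajax client that POSTs the id as "sid".
declare(strict_types=1);

const IDLE_TIMEOUT = 900; // seconds of inactivity before the session is dropped (assumed value)

// Cookie-less mode: PHPSESSID is neither read nor sent.
ini_set('session.use_cookies', '0');
ini_set('session.use_trans_sid', '0');   // default; don't let PHP splice the id into links/forms
// Refuse ids that were never issued by this server (anti-fixation). Whether
// this also covers ids handed in via session_id() varies by version, so the
// "not resumed" branch below re-issues the id itself and does not rely on it.
ini_set('session.use_strict_mode', '1');
// Let gc delete files at roughly the same age as our own timeout, so the
// two mechanisms agree; gc remains probabilistic, see gc_probability/gc_divisor.
ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);

/** Return the posted session id if it looks like one PHP could have generated, else null. */
function requestedSessionId(): ?string
{
    $sid = $_POST['sid'] ?? '';
    // Character set of PHP's own id generator across sid_bits_per_character
    // settings (4: 0-9a-f, 5: 0-9a-v, 6: adds A-Z , -); length bounds follow sid_length.
    return (is_string($sid) && preg_match('/^[0-9a-zA-Z,-]{22,256}$/', $sid)) ? $sid : null;
}

$requested = requestedSessionId();
if ($requested !== null) {
    session_id($requested);        // must precede session_start()
}
session_start();

$now = time();
// "last_activity" is only ever written by this script, so its presence means
// the id really resumed a session we issued earlier.
$resumed = isset($_SESSION['last_activity']);

if ($resumed && ($now - $_SESSION['last_activity']) > IDLE_TIMEOUT) {
    // Idle too long. The file may still be on disk (gc did not run), so
    // enforce expiry here: drop the data, delete the old file, issue a new id.
    $_SESSION = [];
    session_regenerate_id(true);   // true = remove the old session file
    $resumed = false;
} elseif (!$resumed && $requested !== null) {
    // Unknown id (expired, garbage-collected, or made up by the client).
    // Never keep an id the client chose: replace it with one of ours.
    session_regenerate_id(true);
}

$_SESSION['last_activity'] = $now;

// The client stores this id and POSTs it back on the next request.
// "resumed" tells the client whether it must log in again.
header('Content-Type: application/json');
echo json_encode(['sid' => session_id(), 'resumed' => $resumed]);
```

The timestamp is kept inside `$_SESSION` rather than read from the file's mtime so the check works with any save handler, and the timeout is enforced on every request instead of waiting for garbage collection. Whatever gc_maxlifetime is set to, it should be no shorter than the idle timeout, or the collector can delete a session the script still considers live.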