Cookie, Session Mechanism and Session Processing in PHP


Session mechanism

Cookie and Session are the session tracking mechanisms commonly used in Web applications. A Cookie identifies the user by information recorded in the browser; a Session records that information on the server.

Http protocol
The HTTP protocol itself is stateless: the protocol alone cannot tell which user a request belongs to, so the usual approach is to establish the user's identity for the session through the Cookie and Session mechanisms.


Cookies are stored on the client side to record information. Strictly speaking, a Cookie alone is enough to track a user session, but security suffers greatly (for example, the crudest approach is to write the user's login username and password into the cookie, verify the username and password on every request, and decide from the result whether to allow the next business step).

Cookie creation and how it is sent to the client:
Cookie creation: a cookie is created by the server side (that is, the server decides what to write into the cookie). In PHP, the setcookie() function adds a Set-Cookie header to the response, which writes the cookie to the client.

<?php
// setcookie() must run before any output, because it adds a response header
setcookie('name', 'nameValue');
echo 'success';

When the above code is executed and the page is opened in a browser, the cookie is written to the browser.

Cookie use
A cookie is usually written after a successful login and returned to the client. On the next request the browser sends the cookie along, and the server verifies the session information by reading the cookie content.


Cookie validity and cross-domain issues:
Cookies can be given an expiry time. By default (no expiry set), the cookie is discarded when the browser closes.
Cookies are subject to cross-domain restrictions (the browser's same-origin policy). For example, and are both under the first-level domain name However, because the second-level domain names differ, the cookie cannot be used under (which is why the cookie and session mechanisms are not used in projects with separated front end and back end).

Cross-domain problem solving:
Cross-domain problems can be solved by setting, on the server, the domain for which the cookie is valid, or by configuring a cross-domain (CORS) solution in nginx that allows cookies to be sent, for example:

header('Access-Control-Allow-Credentials: true');
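The header above is only half of a credentialed CORS response: browsers refuse to send or accept cookies when Access-Control-Allow-Origin is "*", so the allowed origin must be echoed back explicitly and only when it is on an allow-list. The following is an added example, not code from the original post; the origin allow-list and the cookie domain are assumptions.

```php
<?php
// Added example: a cookie-bearing cross-origin response in PHP.
// The allowed origins and the cookie domain below are assumed values.
$allowedOrigins = ['https://app.example.com', 'https://admin.example.com'];

// Decide which CORS headers to send for a given Origin request header.
// Returns an empty array for unknown origins, so nothing is granted by default.
function corsHeaders(array $allowedOrigins, ?string $requestOrigin): array
{
    $headers = [];
    if ($requestOrigin !== null && in_array($requestOrigin, $allowedOrigins, true)) {
        $headers['Access-Control-Allow-Origin'] = $requestOrigin;   // exact origin, never "*"
        $headers['Access-Control-Allow-Credentials'] = 'true';     // lets the browser attach cookies
        $headers['Vary'] = 'Origin';   // caches must not serve one origin's answer to another
        $headers['Access-Control-Allow-Methods'] = 'GET, POST';
        $headers['Access-Control-Allow-Headers'] = 'Content-Type';
    }
    return $headers;
}

foreach (corsHeaders($allowedOrigins, $_SERVER['HTTP_ORIGIN'] ?? null) as $name => $value) {
    header("$name: $value");
}

// A preflight (OPTIONS) request carries no cookies and needs only the headers above.
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(204);
    exit;
}

// The 'domain' attribute makes the cookie valid for every subdomain of the
// assumed first-level domain, which is the server-side fix for sharing a cookie
// across second-level domain names. A cookie that must travel with cross-site
// requests also has to be SameSite=None and Secure, or modern browsers drop it.
setcookie('name', 'nameValue', [
    'expires'  => time() + 3600,
    'path'     => '/',
    'domain'   => 'example.com',   // assumed first-level domain
    'secure'   => true,            // HTTPS only
    'httponly' => true,            // not readable from JavaScript
    'samesite' => 'None',
]);
echo 'success';
```

Keeping the allow-list explicit matters more than it looks: reflecting any Origin value together with Allow-Credentials: true would let any site read the responses of a logged-in user.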


A Session saves user information on the server and tracks the user's session records.

Principle analysis:
When the browser requests the server over HTTP, the server creates a session for the user. Before creating one, it checks whether the request already carries a unique session identifier, the session Id.
(1) If a session Id is present, a session has already been created for this user. The server uses the session Id to obtain the user's information from the session and carries on with the following business processing.
(2) If there is no session Id, no session has been created yet. The server creates a session, associates a unique session Id with it, and returns that session Id to the client.
Typically sessions are used together with cookies, i.e. the session Id generated by the session is written to the browser through a cookie. On the next request the browser brings the cookie along; the server reads the session Id from the cookie and then obtains the session information.

URL rewriting of the session Id when cookies are disabled:
When the browser disables cookies, the session Id cannot be carried to the server in a cookie. It can instead be transferred to the server by appending the session Id to the URL.
In PHP, setting session.use_trans_sid = 1 in php.ini makes PHP automatically append the session Id to URLs when the browser disables cookies.
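As an added example covering both the cookie-based session flow described under "Principle analysis" and the URL-rewriting fallback just above, here is a login script built on PHP's built-in session (not code from the original post). It keeps the session Id in a hardened cookie only, switches the use_trans_sid fallback off (an Id in the URL ends up in Referer headers, browser history and access logs, and can be planted by a link), and issues a fresh Id at login. The user store and credentials are constructed placeholders.

```php
<?php
// Added example: session-tracking login with the session Id carried only in a cookie.
declare(strict_types=1);

// Refuse session Ids passed in the URL (the use_trans_sid fallback) and
// reject Ids the server never issued instead of adopting them.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');

session_set_cookie_params([
    'lifetime' => 0,        // session cookie: discarded when the browser closes
    'path'     => '/',
    'domain'   => '',       // current host only
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',    // not attached to most cross-site requests
]);

// Reads the Id from the PHPSESSID cookie if present, otherwise issues a new one
// (step (2) of the principle analysis) and sends it back with Set-Cookie.
session_start();

// Constructed user store: stores a password hash, never the plaintext password.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    // Issue a new Id after authentication so an Id that existed before login
    // never becomes an authenticated one (session fixation defence).
    session_regenerate_id(true);
    $_SESSION['user']     = $user;
    $_SESSION['login_at'] = time();
    return true;
}

// Step (1): the Id from the cookie resolves to the stored user information.
function currentUser(): ?string
{
    return $_SESSION['user'] ?? null;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie on the client and drop the data on the server.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login($users, $_POST['user'] ?? '', $_POST['pass'] ?? '');
    echo $ok ? 'login ok' : 'login failed';
} else {
    $u = currentUser();
    echo $u === null ? 'not logged in' : 'hello ' . $u;
}
```

The cookie attributes and the three ini settings are the parts worth copying; session_set_cookie_params() with an options array and the 'samesite' key need PHP 7.3 or later.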

How PHP handles sessions:
By default, PHP stores sessions as files: when a sessionId is generated, the server also creates a corresponding sess_sessionId file in which the session information is stored.
PHP supports setting a custom session driver through the session_set_save_handler() function; the custom session processing class must implement the SessionHandlerInterface interface (or you can pass in a session handler that already implements it).
For example, tp5 implements three driver modes: redis / Memcache / memcached.
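To show what such a driver looks like, here is an added example of a custom handler registered with session_set_save_handler(); it is not code from the original post or from tp5. It implements SessionHandlerInterface (and SessionUpdateTimestampHandlerInterface, which is what lets session.use_strict_mode reject unknown Ids for a user-defined handler) and keeps each session in its own file under a directory of our choosing. The directory path is an assumption, and the code assumes PHP 8.

```php
<?php
// Added example: a file-based session driver registered through session_set_save_handler().
declare(strict_types=1);

final class FileSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private string $dir;

    public function __construct(string $dir)
    {
        $this->dir = rtrim($dir, '/');
    }

    // Accept only the character set PHP generates for Ids, so a crafted Id
    // (e.g. one containing "../") can never name a file outside the directory.
    private function isWellFormed(string $id): bool
    {
        return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1;
    }

    private function pathFor(string $id): string
    {
        if (!$this->isWellFormed($id)) {
            throw new InvalidArgumentException('malformed session id');
        }
        return $this->dir . '/sess_' . $id;   // same naming scheme as PHP's default file driver
    }

    public function open(string $path, string $name): bool
    {
        return is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }

    public function close(): bool
    {
        return true;
    }

    // An unknown or malformed Id reads as an empty session.
    public function read(string $id): string
    {
        if (!$this->isWellFormed($id)) {
            return '';
        }
        $file = $this->pathFor($id);
        return is_file($file) ? (string) file_get_contents($file) : '';
    }

    public function write(string $id, string $data): bool
    {
        return file_put_contents($this->pathFor($id), $data, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $file = $this->pathFor($id);
        return !is_file($file) || unlink($file);
    }

    // Garbage collection: remove sessions idle longer than session.gc_maxlifetime.
    public function gc(int $max_lifetime): int
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $file) {
            if (filemtime($file) + $max_lifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }

    // Called under use_strict_mode: only Ids this handler actually stored are valid,
    // so an Id supplied by the client that was never issued gets replaced.
    public function validateId(string $id): bool
    {
        return $this->isWellFormed($id) && is_file($this->pathFor($id));
    }

    // Called when the data is unchanged but the session should stay alive.
    public function updateTimestamp(string $id, string $data): bool
    {
        return touch($this->pathFor($id));
    }
}

// Assumed location; it must be writable by PHP and not reachable through the web server.
$handler = new FileSessionHandler('/var/lib/myapp/sessions');
session_set_save_handler($handler, true);   // true: register session_write_close() as a shutdown function
ini_set('session.use_strict_mode', '1');
session_start();

$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
echo 'requests in this session: ' . $_SESSION['hits'];
```

Swapping the file operations in read/write/destroy/gc for Redis or Memcached commands gives the kind of driver tp5 ships; the Id validation and the strict-mode hook stay the same whatever the backend.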


Summary of session mechanisms:

In general, because the HTTP protocol is stateless, a separate session tracking mechanism is needed to maintain user sessions. Session stores the user information that tracks the session on the server side, while Cookie stores user information on the client side. Session generates a session Id on the server side, which usually has to be stored in a browser cookie so that the user's session information can be identified.