[pmwiki-devel] Sessions questions...

The Editor editor at fast.st
Fri May 11 11:27:10 CDT 2007


On 5/11/07, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> On Fri, May 11, 2007 at 11:33:31AM -0400, The Editor wrote:
> > I'm doing some interesting work with sessions but have a couple
> > general questions.
> >
> > To set a session unique to each field, you would use
> >
> > session_id($id);
> >
> > then you would call
> >
> > session_start()
> >
> > then you would read or write values as needed
> >
> > Then to close you would use
> >
> > session_write_close()
> >
> > is that correct?
>
> Yes.
>
> > Is it best to start the session just once, at the beginning and close
> > at the end, or start and close several times in a long script?  And if
> > the first, will the same session_id be used each time?
>
> PHP locks session files, so that only one PHP instance may have
> the session file open at any given time.  Normally this isn't an
> issue, but if a visitor is using multiple tabs to access the
> same site (i.e., in the same session), then keeping the session
> open during a long script will slow things down significantly.
> (This is why PmWiki attempts to close the session whenever it
> safely can.)
>
> However, it's also important to be very careful about using
> session_write_close().  If a function you write does:
>
>    function myfunc() {
>       @session_start();
>       ##  some stuff with $_SESSION
>       session_write_close();
>    }
>
> and a caller to myfunc is doing something like:
>
>    function someotherfunc() {
>       @session_start();
>       ##  get some values from $_SESSION
>       myfunc();
>       ##  store some values back into $_SESSION
>    }
>
> then the "store some more values back into $_SESSION" performed
> by someotherfunc() won't be saved in the session, because myfunc()
> closed the session.  And it won't be obvious to the person writing
> or looking at the someotherfunc() call that the session was
> being closed.
>
> For this reason, PmWiki always uses:
>
>    $sid = session_id();
>    @session_start();
>    ...
>    if (!$sid) session_write_close();
>
> which says to close the session ONLY if we know that we're
> the function that opened it.  If the session was already open
> prior to the session start, or if we can't tell if the session
> was open, then we don't close it (because some other calling
> function might be relying on the session being open).
>
> It's a pain, but PHP doesn't provide sufficient information to
> be able to reliably determine if a session is currently open.
>
> > Does the session id have to be unique for each user?  And if so how do
> > you do that?
>
> Yes, the session id needs to be unique for each user.  Using uniqid()
> might help.
>
> > Is there a way to renew a session's "timer" so if they are on your
> > site a long time, it gets renewed each time they load a page?
>
> I think this happens by default whenever the session is opened
> and closed.
>
> Pm


Wow, thanks Pm!  I really appreciate you taking the time to explain
this all to me. Very clear and helpful!

Cheers,
Dan
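
The "close the session only if we opened it" rule from Pm's reply, as an added example (not code from the thread or from PmWiki). It swaps the `$sid = session_id()` check for session_status(), which PHP added in 5.4, after this thread; the helper names are hypothetical and PHP 7+ is assumed.

```php
<?php
// Added example. with_session(), inner_counter() and outer_request() are
// hypothetical names. Assumes PHP 7+ (session_status(), finally, ??).

// Run $fn with the session open; close it afterwards only if this call
// opened it, so a caller that already holds the session keeps it.
function with_session(callable $fn) {
    $opened_here = (session_status() !== PHP_SESSION_ACTIVE);
    if ($opened_here) {
        session_start();
    }
    try {
        return $fn();
    } finally {
        if ($opened_here) {
            session_write_close();   // save data and release the file lock
        }
    }
}

function inner_counter() {
    return with_session(function () {
        $_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
        return $_SESSION['hits'];
    });
}

function outer_request() {
    return with_session(function () {
        inner_counter();                  // nested call leaves the session open
        $_SESSION['last'] = 'outer';      // so this write is still saved
        return session_status() === PHP_SESSION_ACTIVE;
    });
}

// CLI demo with constructed settings: no cookies, session files in the temp dir.
ini_set('session.use_cookies', '0');
ini_set('session.cache_limiter', '');
session_save_path(sys_get_temp_dir());

$open_after_nested = outer_request();
session_start();                          // reopen with the same id to inspect
$saved = $_SESSION;
session_destroy();                        // remove the demo session file
var_dump($open_after_nested, $saved);
```

Because the helper closes the session as soon as the outermost caller returns, the session file lock is held only while `$_SESSION` is actually in use.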


