session的使用

The track_vars and register_globals configuration settings influence how the session variables get stored and restored

如果激活，则环境变量，GET，POST，Cookie 和 Server 变量都能够分别在全局关联数组中找到：$_ENV，$_GET，$_POST，$_COOKIE 和 $_SERVER。

注意自 PHP 4.0.3 起，track_vars 总是打开的。

If register_globals is disabled, only members of the global associative array $_SESSION can be registered as session variables. The restored session variables will only be available in the array $_SESSION.

Use of $_SESSION (or $HTTP_SESSION_VARS with PHP 4.0.6 or less) is recommended for improved security and code readability. With $_SESSION, there is no need to use the session_register(), session_unregister(), session_is_registered() functions. Session variables are accessible like any other variables.

Example 2. Registering a variable with $_SESSION.

<?php
session_start();
// Use $HTTP_SESSION_VARS with PHP 4.0.6 or less
if (!isset($_SESSION['count'])) {
    $_SESSION['count'] = 0;
} else {
    $_SESSION['count']++;
}
?>

Example 3. Unregistering a variable with $_SESSION.

<?php
session_start();
// Use $HTTP_SESSION_VARS with PHP 4.0.6 or less
unset($_SESSION['count']);
?>

If you are using $HTTP_SESSION_VARS/$_SESSION and disable register_globals, do not use session_register(), session_is_registered() and session_unregister().

If you enable register_globals, session_unregister() should be used since session variables are registered as global variables when session data is deserialized. Disabling register_globals is recommended for both security and performance reason.

Example 4. Registering a variable with register_globals enabled

<?php
if (!session_is_registered('count')) {
    session_register("count");
    $count = 0;
}
else {
    $count++;
}
?>

If both track_vars and register_globals are enabled, then the globals variables and the $HTTP_SESSION_VARS/$_SESSION entries will reference the same value for already registered variables.

If user use session_register() to register session variable, $HTTP_SESSION_VARS/$_SESSION will not have these variable in array until it is loaded from session storage. (i.e. until next request)

Passing the Session ID

There are two methods to propagate a session id:

• Cookies

• URL parameter

The session module supports both methods. Cookies are optimal, but since they are not reliable (clients are not bound to accept them), we cannot rely on them. The second method embeds the session id directly into URLs.

PHP is capable of doing this transparently when compiled with --enable-trans-sid. If you enable this option, relative URIs will be changed to contain the session id automatically. Alternatively, you can use the constant SID which is defined, if the client did not send the appropriate cookie. SID is either of the form session_name=session_id or is an empty string.