When and where should I use session_start?
Exactly when and where should I use session_start() in PHP?
For example, say I have a login script that sets a session variable to tell whether or not the user is logged in. Must I then put the session_start() at the top of the script, or only right before I actually set the session variable if the login was successful?
<?php
// session_start(); here?
if (login($username, $password)) {
    // session_start(); or here?
    $_SESSION["username"] = $username;
}
?>
Another case is this, according to w3schools:
Note: The session_start() function must be the very first thing in your document. Before any HTML tags.
Unless you have output buffering enabled, the session_start() must come before anything other than headers are sent to the browser (as it sets a cookie in the header).
It must come before you attempt to reference the $_SESSION data.
In your example there are no html tags being output before either instance - so both would work.
There is some cost to opening a session, so if you are doing additional, non-session based validation of the request, then deferring session_start() till these checks have passed does give you a bit more resilience against DOS attacks.
As others have said, the absolute requirements of what you must do are:
- You must run session_start before you read or write to $_SESSION (otherwise it will just be an ordinary array and not saved anywhere).
- You must not run session_start twice during a single script execution (page load) unless you use session_write_close to close it in between.
There is an extra rule that technically has exceptions, but is best treated as absolute:
- Do not start the session after you have written any output (echo, HTML outside PHP blocks, etc), because PHP may not be able to send cookies to the browser if the server has already started sending the content.
There are two reasons you might want to avoid starting the session:
After that, it becomes a matter of style and architecture, but the rule of thumb that covers most of the above is "as soon as possible, if you're sure the page needs it".
Starting the session at the top of the page is most of the time the best. But if you don't need the session for the whole document/code, you could always put it, as in this example, after the if() clause.
The session_start() function can go anywhere in your code. You should just place it at the beginning of your document for consistency and call it a day. If you have a separate database or config file you are including on all your login/database driven pages, you should place it in there so you don't have to recode it into every page.
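An added example, not part of the original posts: one way to apply the answers above to the asker's login script, deferring session_start() until the cheap checks and the login have passed, refusing to start after output has begun, and never starting twice. The login() stub, the demo account, the length limits and the start_session_once() helper are assumptions made for illustration.

```php
<?php
// Added example. login() stands in for the asker's function; the account
// below is constructed so the file runs on its own.
function login(string $username, string $password): bool
{
    $demoHash = password_hash('correct horse', PASSWORD_DEFAULT); // constructed
    return $username === 'alice' && password_verify($password, $demoHash);
}

// Hypothetical helper: start the session only if that is still possible.
function start_session_once(): bool
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true; // already started; do not call session_start() again
    }
    if (headers_sent($file, $line)) {
        error_log("Output began at $file:$line; session cookie cannot be sent");
        return false;
    }
    return session_start();
}

// 1. Cheap, non-session validation first (limits are assumed values).
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST'
    || !is_string($username) || !is_string($password)
    || $username === '' || strlen($username) > 64 || strlen($password) > 1024) {
    http_response_code(400);
    exit('Bad request');
}

// 2. Check the credentials, still without opening a session.
if (!login($username, $password)) {
    http_response_code(401);
    exit('Login failed');
}

// 3. Open the session before any output, then write to $_SESSION.
if (!start_session_once()) {
    http_response_code(500);
    exit('Cannot start session');
}
session_regenerate_id(true); // new ID at login, a common hardening step
$_SESSION['username'] = $username;
echo 'Logged in';
```

Requests that fail step 1 or 2 never create a session file or receive a session cookie, which is the saving the first answer describes.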