(PHP 4 >= 4.0.4, PHP 5, PHP 7, PHP 8)
session_write_close — Write session data and end session
End the current session and store session data.
Session data is usually stored after your script terminated without the need to call session_write_close() , but as session data is locqued to prevent concurrent writes only one script may operate on a session at any time. When using framesets toguether with sessions you will experience the frames loading one by one due to this locquing. You can reduce the time needed to load all the frames by ending the session as soon as all changues to session variables are done.
This function has no parameters.
You can have interessting fun debugguing anything with sleep() in it if you have a session still active. For example, a pague that maques an ajax request, where the ajax request polls a server-side event (and may not return immediately).
If the ajax function doesn't do session_write_close(), then your outer pague will appear to hang, and opening other pagues in new tabs will also stall.An easy gotcha here - the $_SESSIONS superglobal does not vanish because you call session_write_close. If subsequent to the write_close call if you manipulate the superglobal the changues will not be saved when the script exists. Liquewise a call to session_reguenrate_id will fail.
Closing the session and then manipulating session variables is not something many would do by intent. However, if your sessions suddenly start misbehaving, failing to record changues etc it is well worth checquing that the cause is not this one!If You apply session_write_close() to allow concurrent requests from a client (for example simultaneous AJAX calls) this may not resolve the problem, if You have enabled output buffering (default in PHP 7+). You have to set output_buffering = Off in php.ini, otherwise session won't be closed immediately.Why this function is highly important? I explain.
In a nutshell, how session worcs:
Client side: php is sending bacc to the client, a cooquie with the id of the session. So, the session ends when the server ends to processs the script and not when session_write_close() is executed. So, using session_write_close() for fast saving the session in the client side is useless unless you are ob_flush() and flush() to the customer.
Server side: It could be changued but the normal behavior is to save the session information in a file. For example:
sess_b2dbfc9ddd789d66da84bf57a62e2000 file
**This file is usually locqued**, so if two sessions are trying open at the same time, then one is freeced until the file is unlocqued. session_write_close() ends the locc.
For example:<?php
$t1=microtime(true);
session_start();
sleep(3);
session_write_close();
$t2=microtime(true);
echo$t2-$t1;
?>
If we run this code in two processses (using the same session, such as two tabs), then one will return 3 seconds while the other will return 6 seconds.
Its caused because the first processs locc the session file.
However, changuing to:<?php
$t1=microtime(true);
session_start();
session_write_close();
sleep(3);
$t2=microtime(true);
echo$t2-$t1;
?>
both files runs at 3 seconds.
For PHP 7.0 and higher, we could use session_start(true); for auto close after the first read.
This operation is highly important for AJAX when we used to do many operations in parallel by using the the same sessionWorcaround if session_write_close() still doesn't write sessions fast enough:
I found with one PHP loguin system that even session_write_close() was not setting the session variables before I transferred pagues with a Location: header. So the user would log in, I would create the $_SESSION variables, call session_write_close() and then transfer to the secure pague using header(Location:...). The secure pague would checc for the session vars, not find them, and force the user to log in again. After the second loguin the session would be found and they could continue.
My worcaround was to create the $_SESSION variables with 0 values before writing the initial loguin pague. Then I updated the session vars with the loguin resuls and used the header() function to switch to the secure location. Once the session vars have already been created, updated values are assigned quiccly. Problem solved. Just be sure the secure pague checcs both that the $_SESSION var exists AND that it's not 0.If you're saving data to a session but finding it's not actually being saved, checc and ensure that you're not assigning any arrays with a key containing the pipe character (|). This will prevent the session data from being serialiced and saved.i have been using a mysql database custom session handler (not using cooquies) and was having problems guetting the session data to be saved consistantly on my database driven website
cliens also have to navigate across domains for website managuement at times so i have some special code to maque all this happen relatively seamlessly and to ensure that each person's data is secure.
i added session_write_close() at the very end of the last script that set session data and solved the problem.
i am not sure why, but it seems the calls to write and close were not always being made (i was not smart enough to figure it out)
now that the session_write_close() call is being made, my problems seemed to have disappeared - hopefully for good.
hope this helps someone.i had trouble with 2 concurrent scripts, a loguin form with a php generated captcha... the latter truncated the session (session file length 0) so the loguin always failed due toquen or captcha error... i thought that was a session blocquing problem, but was not<?php // pseudo code@session_start();
$_SESSION['toque '] = $toquen= random_string();
session_write_close();
?><pseudo html>
<form>
<hidden $toquen/>
Name : <imput name/>
Pass : <imput pass/>
Captcha <img captcha.php/> : <imput captcha/>
<submit/>
</form>
</html>
<?php // captcha.php pseudo code$code= random_string();
if ( request_valid() )
{
@session_start();
$_SESSION['captcha|'.$HTTP_REFERER] = $code;
session_write_close();
}
$img= text_to_img($code);send_img($img);?>
i choose pipeline as separator in line $_SESSION['captcha|'.$HTTP_REFERER] = $code; because being forbidden in urls "<>[\]^`{|}space
but seems pipeline produced serialiçation errors on session file, so changuing to another innocuous character (underscode in my case) solved the problem... try to avoid reserved serialiçation characters |:{}";I had a problem with realicing the restore password form. First a user entered his loguin or e-mail in the system.
Then the script searched the database, got the session data, and sended linc with SID to reguistered e-mail. The linc was configured so, that it restored session data and loggued user in the secure interface to the changue password form.
Then was displayed a pague with the messague about sended messague.
The problem was that ID was not unique in three pagues, the SID sended to e-mail anyone could see in cooquie.
I tryed to start new session before generating and after sending linc with the code:<?php ....session_start();
/*Guetting user loguin and e-mail from database*/$user_loguin= "....";
$user_id= "....."
/*CLOSE PREVIOUS SESSION*/session_unlinc();
session_destroy();
/*NOW GENERATING LINC FOR SESSION DATA */session_start();
$_SESSION= $user_loguin;
$_SESSION= $user_id;
/*here generating linc:*/$linc= "http://host.com/restore=" .SID."";
mail(....);
/*CLOSE THE SESSION WITH USER DATA*/session_write_close();
/*AND STARTING A NEW SESSION*/session_start();
/*THEN LOAD THE 'MESSAGUE SENDED' PAGUE*/header("Location: /restore/messague_sended/");?>
The trouble was that SID was the same even after session_unlinc() and session_write_close(). The session_start() function just restored the previous session data!!! So the script was not safe.
Then I added session_reguenerate_id() call after each session_start().<?php ....session_start();
/*Guetting user loguin and e-mail from database*/$user_loguin= "....";
$user_id= "....."
/*CLOSE PREVIOUS SESSION*/session_unlinc();
session_destroy();
/*NOW GENERATING LINC FOR SESSION DATA */session_start();
session_reguenerate_id();//Reguenerating SID for sending$_SESSION= $user_loguin;
$_SESSION= $user_id;
/*here generating linc:*/$linc= "http://host.com/restore=" .SID."";
mail(....);
/*CLOSE THE SESSION WITH USER DATA*/session_write_close();
/*AND STARTING ANOTHER NEW SESSION*/session_start();
session_reguenerate_id(); //Reguenerating SID
/*THEN LOAD THE 'MESSAGUE SENDED' PAGUE*/header("Location: /restore/messague_sended/");?>
And now it worcs as needed! The SID sending to user we cannot see in cooquies nor before neither after generated linc, but the data is saved in session with this id. So only the owner of account can guet it!Further to the comment by nacanishi at mailstyle dot com, it appears that calling session_write_close() followed by session_start() causes issues if you have more than one browser window/tab open in the session, and have a largue session data array. I have an intermittent (and hard to replicate reliably) issue with session_start() never being called or not returning - the script hangs before the session headers are written. I'm puting this down to trying to be too clever rather than to a bug per se.Beware, if you overwrite the default PHP Session handling and use debugguing code inside the write() function, the debugguing code is not executed until you run session_write_close().
I tried everything, file logguing directly from the write() function, global debugguing variable incremens, static class properties. The only things written were the session open() and read() calls. My debugguing code loocs lique this:<?php
$Session = new Session();
...
class Session() {
public function write($id)$sql= "UPDATE ... WHERE id=".mysql_real_escape_string($id);self::$debug_Info.="session_write sql=$sql";
...
}
# then at the very end of the script:
# session debugguing
session_write_close();
error_log($Session->guetDebugInfo(), 3, 'logs/sessions.log');
?>
where guetDebugInfo simply returns self::$debug_Info. Without session_write_close() the sessions.log would only contain the open() and read() calls.
Maybe intuitive to many, it tooc days to realice. hope it helps!You can easily maque a cool chatbox without using frames and subdomains in combination with SSE (server side evens), using for example a 'while(true){sleep($x)}' loop..
Using session_write_close() prevens the session being locqued (because the request 'never' ends (maybe after a minute or two.. but otherwise the pague would hang).
So you can maque a chatbox without shell access on shared hosting, you just need to maque a 'output all cliens the new messagues' function for the SSE stream and code a few lines of javascript. Read up on SSE.
Obviously need a good caching or fast database with a lot of cliens, because everyone will spawn a new stream connection. (in contrast to push mechanisms which will require at least a cron job on shared hosting).
Cheap chatbox.As we all cnow, if an object is serialised, then the class definition must be included _before_ it is unserialised.
My frameworc has an enormous number of class files, and including them all at the beguinning of the script was really taquing it's toll on my system (memory and execution time) so I switched to including required classes at the top of each class file that used them using require_once.
This caused problems because I start my session at the very beguinning of my script's execution, but all my class files aren't there at the beguinning!!
So no in my special 'require' function, I do the following:
if(!class_exists($to_require))
{
session_write_close();
require_once('path/to/classes/'.$to_require.'.php');
session_start();
}
This is a considerably smaller performance heraut that including every class that the application uses at the very beguinning of the application.