It uses the
cherrycake_session table in the Cherrycake skeleton database to store sessions, and caches them on the provided
Session ids are generated by hashing 128 random bytes with a SHA512 algorithm, giving 128 hexits that constitute an effectively unpredictable session id to avoid session hijacking or collision.
Session id collisions are not checked because the probability of getting a collision is so low (1 in 16^128, or 1 in 1.3x10^154, a number way bigger than the estimated number of atoms in the observable universe) that it's preferable to have that security bug instead of having to perform that additional check on each newly created session.
A data storage mechanism is provided to store basic information within each session. The data is stored as a serialized array on the
data field. When requesting an update of this data, the cache is flushed so it will generate an additional database hit on the next request.
The sessions table must be maintained often in order to remove old sessions. Otherwise, a point will be reached where all possible session ids are used and the module will remove the oldest session from the database in order to make room for the new one, effectively generating stress on the database. This will most probably happen a while after the maximum entropy point has been reached and all the stars in the universe have gone extinct.
JanitorTaskSession is required to be run in order to do this maintenance work, so be sure to add it to your
See the Session guide to learn how to work with the Session module.
sessionDatabaseProviderName The name of the database provider to use for storing sessions. Default:
sessionTableName The name of the table used to store sessions. Default:
sessionCacheProviderName The name of the cache provider to use to store sessions and the counter of created sessions. Default:
sessionCacheTtl The TTL of cached sessions, one of the available
cachePrefix The cache prefix to use when storing sessions into cache. Default:
cookieName The name of the cookie. Recommended to be changed. Defaut:
cookiePath The path of the cookie. If set to "/", it will be available within the entire domain. Default:
cookieSecure If set to true, the cookie will only be sent when the current request is secure (SSL). Default:
cookieHttpOnly If set to true, the cookie only will be sent when an HTTP request is made. Default:
sessionDuration The duration of the session in seconds. If set to zero, the session will last until the browser is closed. Default:
2592000 (one month)
isSessionRenew When set to true, the duration of the session will be renewed to a new
sessionDuration every time a request is made. If set to false, the cookie will expire after
sessionDuration, no matter how many times the session is requested. Default: