Using PHP sessions

This article describes what PHP sessions are, and how to implement them in your PHP applications.

About PHP sessions

HTTP is a stateless protocol. In other words, a web site does not maintain any information about a visitor from one page visit to the next. This is a problem if you want to keep track of individual visitors as they navigate through a web site. For example, a shopping cart or online banking application is a common scenario where this functionality is necessary.

PHP sessions work around the stateless limitations of HTTP, and enable you to store data associated with each visitor to your web site. With just a few lines of code, your web site can maintain data about visitors as they navigate your site.

Starting a session

When you start a session, PHP generates a session identifier that uniquely identifies the visitor and sends it to the visitor's browser (by default, in a cookie). By default, session data is stored on the server in the /tmp directory, in files named sess_ followed by the session identifier (a unique alphanumeric string).

To start a session, use the session_start() function. Because session_start() sets the session cookie in the HTTP response headers, you must call it before the page generates any output (including whitespace before the opening <?php tag). The following sample code demonstrates how to do this:

<?php
    session_start();
?>

<html>
    <head>
        <title>Test page</title>
    </head>
    <body>
        <p>Hello</p>
    </body>
</html>

By itself, the session_start() function doesn't add much functionality to a web page. You need to use session variables to really tap into the potential of PHP sessions.

For more information about the session_start() function, please visit http://www.php.net/manual/en/function.session-start.php.

Working with session variables

The $_SESSION associative array allows you to store session data in variables. For example, suppose you want to implement a very simple hit counter for a page. You can't do this with a generic HTML page. With PHP sessions, though, it's easy. The following code sample demonstrates one way to do this:

<?php
    session_start();
    // On the first visit the key does not exist yet, so default it to 0
    // before incrementing (avoids an "undefined array key" warning).
    $_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
?>

<html>
    <head>
        <title>Simple page hit counter</title>
    </head>
    <body>
        <p>You have visited this page <?php print $_SESSION['hits'] ?> times.</p>
    </body>
</html>

In this example, we define a variable named hits that is stored in the $_SESSION array. Each time the page is loaded, the hits value increases by one.

It is easy to add more variables to the $_SESSION array. All you have to do is assign a value to the key you want to use, and PHP takes care of the rest, preserving the value across multiple HTTP requests.

For more information about the $_SESSION array, please visit http://www.php.net/manual/en/reserved.variables.session.php.

Ending a session

To end a session, use the session_destroy() function. This function deletes all server-side data for the current session.

For example, adding the session_destroy() function to our page counter sample code above wouldn't make much sense, because the value of the hits variable would be destroyed every time the page is loaded. (The page would always display “You have visited this page 1 times” no matter how many times you load it.)

On the other hand, suppose your site has a shopping cart application. A user adds products to the cart on one page, fills out the order information on another page, and finally checks out. After the user checks out and completes the purchase, you probably want to empty the cart and reset the session variables. The session_destroy() function enables you to do this.
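The following script is an added example (it is not part of the original article) that ties together the two ideas above: storing a structured value (a cart) in $_SESSION, and ending the session at checkout. It assumes a single script driven by an action query parameter and uses a constructed in-memory catalogue in place of a database. Note the checkout step: session_destroy() only removes the server-side session file; the $_SESSION array stays populated for the rest of the current request and the session cookie stays in the browser, so both are cleared explicitly as well.

```php
<?php
// Added example (not from the original article): a minimal shopping-cart flow
// that keeps items in $_SESSION and ends the session correctly at checkout.
// Assumptions: one script handling ?action=add&sku=...&qty=..., ?action=show
// and ?action=checkout; the product catalogue is a constructed in-memory array.
session_start();

// Constructed sample catalogue keyed by SKU (a real app would query a database).
$catalogue = [
    'A100' => ['name' => 'Notebook', 'price' => 4.50],
    'B200' => ['name' => 'Pen',      'price' => 1.25],
];

// Start with an empty cart on the first request of the session.
if (!isset($_SESSION['cart'])) {
    $_SESSION['cart'] = [];
}

$action = $_GET['action'] ?? 'show';

if ($action === 'add') {
    // Validate user input before it goes into the session: only known SKUs,
    // and quantities only as positive integers.
    $sku = $_GET['sku'] ?? '';
    $qty = filter_var($_GET['qty'] ?? 1, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    if (isset($catalogue[$sku]) && $qty !== false) {
        $_SESSION['cart'][$sku] = ($_SESSION['cart'][$sku] ?? 0) + $qty;
    }
}

if ($action === 'checkout') {
    // ... order processing would happen here ...

    // Ending a session properly takes three steps. session_destroy() alone
    // only deletes the server-side file: $_SESSION stays populated for the
    // rest of this request and the session cookie stays in the browser.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    echo '<p>Thank you for your order. Your cart has been emptied.</p>';
    exit;
}

// Default action: show the cart contents.
$total = 0.0;
echo '<ul>';
foreach ($_SESSION['cart'] as $sku => $qty) {
    $line   = $catalogue[$sku]['price'] * $qty;
    $total += $line;
    printf('<li>%s x %d = %.2f</li>',
           htmlspecialchars($catalogue[$sku]['name']), $qty, $line);
}
echo '</ul>';
printf('<p>Total: %.2f</p>', $total);
?>
```

Input validation before writing to $_SESSION matters because anything stored there is trusted by every later page in the session; checking the SKU against the catalogue and forcing the quantity to a positive integer keeps unexpected values out of the cart and out of the price calculation.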

For more information about the session_destroy() function, please visit http://www.php.net/manual/en/function.session-destroy.php.

Session settings in php.ini

There are numerous settings available in the php.ini file that enable you to configure how sessions function on your web site. For example, the session.cookie_lifetime setting enables you to control how long a session cookie remains valid, and the session.auto_start setting enables you to start sessions automatically instead of calling the session_start() function explicitly. Another important option is the session.save_path setting, which enables you to specify where PHP stores session files (by default, they are stored in the server's /tmp directory, but you may prefer to store them somewhere in your own directory instead).
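As an added illustration (not taken from the original article), the fragment below shows the session settings named above together with the cookie and session-ID options a hardened deployment would normally set. The comments note PHP's default for each setting; the path /home/example/sessions is a placeholder for a private directory outside the web root.

```ini
; Added example (not from the original article): session settings in php.ini.
; Placeholder path: replace /home/example/sessions with a directory that only
; the web server user can read and that is not under the document root.

session.save_path        = "/home/example/sessions"  ; default "" (falls back to /tmp, shared with other users)
session.auto_start       = 0          ; default 0; leave off and call session_start() explicitly
session.cookie_lifetime  = 0          ; default 0; cookie lasts until the browser closes
session.cookie_httponly  = 1          ; default off; keeps the cookie away from client-side script
session.cookie_secure    = 1          ; default off; send the cookie over HTTPS only
session.cookie_samesite  = "Strict"   ; default ""; PHP 7.3+; limits cross-site requests carrying the cookie
session.use_strict_mode  = 1          ; default 0; reject session IDs PHP did not generate (fixation defence)
session.use_only_cookies = 1          ; default 1; never accept the session ID from the URL
session.gc_maxlifetime   = 1440       ; default 1440; seconds before idle session data may be garbage-collected
```

A private session.save_path is the setting most often overlooked on shared hosting: with the default /tmp, every account on the same server may be able to read the sess_ files, and with it every value stored in $_SESSION.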

For detailed information about all of the session settings available in the php.ini file, please visit http://www.php.net/manual/en/session.configuration.php.

Session security

There are several security considerations you should keep in mind when working with PHP sessions. For example, you must protect against possible session hijacking and fixation attacks.
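The login handler below is an added example (not code from the original article) showing the two defences the previous paragraph refers to: regenerating the session ID when the user logs in, so an ID planted before login (session fixation) is never promoted to an authenticated one, and expiring idle sessions so a hijacked cookie has a limited useful lifetime. checkCredentials() is a hypothetical stand-in for the application's real user store, and the example assumes it is served over HTTPS because it marks the cookie as secure.

```php
<?php
// Added example (not from the original article): a login handler that
// mitigates session fixation and limits the window for session hijacking.
// Assumptions: checkCredentials() is a hypothetical stand-in for the real
// user store; the page is served over HTTPS; cookie flags are set with
// ini_set() here so the example works even if php.ini was not changed.

// Harden the session cookie before the session starts (these calls must
// come before session_start(), because that is when the cookie is sent).
ini_set('session.use_strict_mode', '1');   // ignore IDs PHP did not generate
ini_set('session.use_only_cookies', '1');  // never take the ID from the URL
ini_set('session.cookie_httponly', '1');   // keep the cookie away from JavaScript
ini_set('session.cookie_secure', '1');     // HTTPS only
session_start();

function checkCredentials(string $user, string $password): bool
{
    // Hypothetical single-user store constructed for the example; a real
    // application would load the stored hash for $user from its database.
    $storedHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    return $user === 'alice' && password_verify($password, $storedHash);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['user'] ?? '';
    $pass = $_POST['password'] ?? '';

    if (checkCredentials($user, $pass)) {
        // Fixation defence: discard the pre-login ID and issue a fresh one.
        // The "true" argument deletes the old server-side file so the old
        // ID cannot be used to reach this authenticated session.
        session_regenerate_id(true);
        $_SESSION['user']       = $user;
        $_SESSION['login_time'] = time();
        $_SESSION['last_seen']  = time();
        header('Location: /account.php');
        exit;
    }
    http_response_code(401);
    echo '<p>Login failed.</p>';
    exit;
}

// For users who are already logged in, expire idle sessions so a stolen
// cookie stops working after a bounded period of inactivity.
if (isset($_SESSION['user'])) {
    if (time() - $_SESSION['last_seen'] > 900) {   // 15 minutes idle
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');
        exit;
    }
    $_SESSION['last_seen'] = time();
}
?>
```

The idle timeout is enforced in application code rather than relying on session.gc_maxlifetime alone, because garbage collection runs probabilistically and an expired file may remain readable until the collector happens to run.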

For more information about PHP session security, please visit http://www.php.net/manual/en/session.security.php.

More Information

To view the official PHP documentation about sessions, please visit http://www.php.net/manual/en/book.session.php.