A session is a way to store information (in variables) to be used across multiple pages. Unlike a cookie, the information is not stored on the users computer. The most fundamental way to explain what a sessions is like is to imagine the following scenario: You are working with an application. You open it, make some changes, and then you close it.
That is a session in it’s simplest form.
Session variables solve this problem by storing user information to be used across multiple pages (e.g. username, favorite color, etc). By default, session variables last until the user closes the browser.
How to use Sessions
A session is started with the session_start() function.
Session variables are set with the PHP global variable: $_SESSION.
<?php // Start the session session_start(); ?> <!DOCTYPE html> <html> <body> <?php // Set session variables $_SESSION["color"] = "red"; $_SESSION["animal"] = "dog"; echo "Session variables are set."; ?> </body> </html>
session_start() starts the session between the user and the server, and allows values stored in $_SESSION to be accessible in other scripts later on.
In your second file, you call session_start() again which this time continues the session, and you can then retrieve values from $_SESSION.
<?php session_start(); ?> <!DOCTYPE html> <html> <body> <?php // Echo session variables that were set on previous page echo "Your favorite color is " . $_SESSION["color"] . ".<br>"; echo "Your favorite animal is " . $_SESSION["animal"] . "."; ?> </body> </html>
Most sessions set a user-key on the user’s computer that looks like this: 125454fdf4513dffdf1354defres. Then, when a session is opened on another page, it scans the computer for a user-key. If there is a match, it accesses that session, if not, it starts a new session.
Another way to show all the session variable values for a user session is to run the following code:
<?php session_start(); ?> <!DOCTYPE html> <html> <body> <?php print_r($_SESSION); ?> </body> </html>
You can modify a PHP Session Variable
<?php session_start(); ?> <!DOCTYPE html> <html> <body> <?php // change a session variable $_SESSION["color"] = "Blue"; print_r($_SESSION); ?> </body> </html>
Ending a Session
Very important is to end session. Even though a session is only a temporary way to store data, it should be clean up after usage to ensure maximum security. To remove all global session variables and destroy the session, use session_unset() and session_destroy():
<?php session_start(); ?> <!DOCTYPE html> <html> <body> <?php // remove all session variables session_unset(); // delete the username value unset($_SESSION["username"]);
// destroy the session session_destroy(); ?> </body> </html>
Session Time-Outs
Timing-out sessions is a very important action if you are dealing with users logged in to your website or application. If a user logs in to your site and then leaves without logging out, session time-out function can help prevent unnecessary access to old user. The code ensures that if there is no activity for more than 60 seconds (1 minute) the request is redirected to the logout page which would successfully log out the user.
<?php
session_start();
// set time-out period (seconds)
$inactive = 60;
// check if $_SESSION["timeout"] is set
if(isset($_SESSION["timeout"]))
{
// calculate the session's time out
$sessionTTL = time() - $_SESSION["timeout"];
if($sessionTTL > $inactive)
{
session_destroy();
header("Location: /logout.php");
}
}
$_SESSION["timeout"] = time();
Regenerate the Session ID
The session_regenerate_id() function creates a new unique-ID for to represent the current user’s session. Giving the sessions a new ID after such actions make your application more secure by reducing the risk of a specific attack known as “Session Hijacking.”
<?php
session_start();
if ($POST["username"] == "admin" && &_POST["password"] == sha1("password"))
{
$_SESSION["authorized"] = true;
session_regenerate_id();
}
This should be regenerated time any important authentication action is performed, such as logging in or updating user profile data.
Summary
The computer knows who you are. It knows when you start the application and when you end. But on the internet there is one problem: the web server does not know who you are or what you do, because the HTTP address doesn’t maintain state.
Session variables solve this problem by storing user information to be used across multiple pages (e.g. username, favorite color, etc). By default, session variables last until the user closes the browser.
For more information on sessions and session security, please check out these web pages:
