What is a session?
session: an abstract concept to represent a series of HTTP requests and responses between a specific Web browser and server
HTTP itself is stateless and has no notion of a session; PHP builds one on top of it
- sessions vs. cookies:
- a cookie is data stored on the client
- a session's data is stored on the server (one session per client per site)
- sessions are often built using cookies:
- the only data the client stores is a cookie holding a unique session ID
- on each page request, the client sends its session ID cookie, and the server uses this to find and retrieve the client's session data
How sessions are established
- client's browser makes an initial request to the server
- server creates a unique, unguessable session ID, stores some local session data keyed by that ID, and sends the ID back to the client (as a cookie); by default PHP does not tie the session to the client's IP address or browser, so whoever presents the ID is treated as that client
- client sends that same session ID (cookie) back to server on future requests
- server uses session ID cookie to retrieve its data for the client's session later (like a ticket given at a coat-check room)
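The establishment steps above as working PHP, an added example that is not from the original notes: the cookie attributes are set before the ID is issued, and the ID is regenerated at the moment the session gains a logged-in user so that an ID planted in the browser beforehand is never promoted to an authenticated one (session fixation). The user lookup, the `find_user_by_name` helper, the redirect target and the sample credential are this example's own assumptions.

```php
<?php
// Added example (not from the original notes): establishing a session and
// binding it to a logged-in user. find_user_by_name() is a hypothetical
// stand-in for a database lookup; its single user is constructed inline.

declare(strict_types=1);

function find_user_by_name(string $name): ?array {
    static $users = null;
    if ($users === null) {
        // constructed sample data: user "alice", password "correct horse"
        $users = ['alice' => ['id' => 7, 'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    return $users[$name] ?? null;
}

// Cookie attributes must be set before session_start() emits the Set-Cookie header.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie: the browser discards it when closed
    'path'     => '/',
    'secure'   => true,     // only ever sent over HTTPS
    'httponly' => true,     // not readable from JavaScript (limits theft via XSS)
    'samesite' => 'Lax',    // not sent on cross-site POSTs (limits CSRF)
]);
session_start();            // issues a new ID, or loads $_SESSION for an existing one

function login(string $name, string $password): bool {
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $user = find_user_by_name($name);
    // verify against a dummy hash for unknown names so timing does not reveal which names exist
    $ok = password_verify($password, $user['password_hash'] ?? $dummyHash);
    if ($user === null || !$ok) {
        return false;
    }
    // Privilege just changed: issue a fresh ID and delete the old server-side
    // record, so a pre-login ID an attacker knows is now worthless.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $user['id'];
    $_SESSION['logged_in_at'] = time();
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && login($_POST['name'] ?? '', $_POST['password'] ?? '')) {
    header('Location: /home.php');   // hypothetical landing page
    exit;
}
```

On the next request the browser sends the regenerated ID cookie, `session_start()` finds the matching server-side record, and `$_SESSION['user_id']` is available without the client ever having held anything but the ticket.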
Cookies vs. sessions
- duration: a session's ID cookie is discarded when the user logs out or closes the browser, but the server-side data lingers until it is destroyed or garbage-collected; cookies can be session cookies or persist until a fixed expiry time
- data storage location: sessions store data on the server (other than a session ID cookie); cookies store data on the user's browser
- security: session data lives on the server, so a malicious user cannot read or tamper with it directly; cookie contents are trivially readable and editable by the client. The session ID cookie is the weak point: anyone who steals or guesses it is that user
- privacy: sessions protect private information from being seen by other users of your computer; cookies do not
session_start();
session_start signifies your script wants a session with the user
- must be called at the top of your script, before any HTML output is produced (it sends the session cookie as an HTTP header, and headers cannot be sent once output has started)
- What does session_start do?
- if the server hasn't seen this user before, a new session is created
- otherwise, existing session data is loaded into the $_SESSION associative array
- you can store data in $_SESSION and retrieve it on future pages
Accessing session data

```php
session_start();
$_SESSION["name"] = $value;        # store session data
$variable = $_SESSION["name"];     # read session data
if (isset($_SESSION["name"])) {    # check for session data
    # ... use $_SESSION["name"] ...
}
```

```php
session_start();
if (isset($_SESSION["points"])) {
    $points = $_SESSION["points"];
    print("You've earned $points points.\n");
} else {
    $_SESSION["points"] = 0;   # default for a first visit
}
```
- the $_SESSION associative array reads/stores all session data
- use isset function to see whether a given value is in the session
Session timeout
- a session's server-side data lingers after the user has gone unless it is destroyed or garbage-collected, and the session ID should be regenerated (session_regenerate_id) whenever the user's privilege level changes, e.g. at login:
- because HTTP is stateless, it is hard for the server to know when a user has finished a session
- ideally, user explicitly logs out, but many users don't
- client deletes session cookies when browser closes
- server automatically cleans up old sessions after a period of time (garbage collection runs only on a small fraction of requests, so "expired" data can survive for a while)
- old session data consumes resources and may present a security risk
- adjustable in PHP server settings: session.gc_maxlifetime (how long idle server-side data survives) and session.cookie_lifetime (how long the browser keeps the ID cookie); session_cache_expire affects HTTP caching headers, not session lifetime
- you can explicitly delete a session by calling session_destroy; it removes only the server-side data, so a complete logout also clears $_SESSION and expires the session ID cookie
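Because garbage collection is only probabilistic, applications that care about timeouts enforce them themselves. The following is an added example, not code from the original notes, showing an idle timeout checked on every request and a logout that removes all three pieces of the session (the in-memory array, the browser cookie and the server-side record). The 15-minute limit, the $_SESSION['last_activity'] key and the redirect targets are this example's own conventions.

```php
<?php
// Added example (not from the original notes): application-enforced idle
// timeout plus a complete logout. IDLE_LIMIT and the last_activity key are
// conventions chosen here, not PHP defaults.

declare(strict_types=1);

const IDLE_LIMIT = 15 * 60;   // seconds of inactivity before the session is abandoned

// Keep PHP's garbage collector from discarding server-side data that the
// application still considers live; this must be set before session_start().
ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);
session_start();

function logout(): void {
    // 1. forget the data for this request
    $_SESSION = [];
    // 2. expire the ID cookie in the browser (session_destroy does not touch it)
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    // 3. delete the server-side record for this ID
    session_destroy();
}

function session_is_fresh(): bool {
    // Returns false, after logging out, when the user has been idle too long;
    // otherwise records this request as the latest activity.
    $last = $_SESSION['last_activity'] ?? null;
    if ($last !== null && time() - $last > IDLE_LIMIT) {
        logout();
        return false;
    }
    $_SESSION['last_activity'] = time();
    return true;
}

if (isset($_GET['logout'])) {
    logout();
    header('Location: /login.php');               // hypothetical login page
    exit;
}

if (!session_is_fresh() || !isset($_SESSION['user_id'])) {
    header('Location: /login.php?reason=expired');
    exit;
}
print("Welcome back, user #{$_SESSION['user_id']}\n");
```

The timeout compares against the last request, not the login time, so an active user is never cut off mid-task; an absolute lifetime can be layered on top by also checking a login timestamp stored at authentication.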