Lecture 23 - Sessions

What is a session?

session: an abstract concept to represent a series of HTTP requests and responses between a specific Web browser and server

HTTP doesn't support the notion of a session, but PHP does

  • sessions vs. cookies:
    • a cookie is data stored on the client
    • a session's data is stored on the server (only 1 session per client)
  • sessions are often built using cookies:
    • the only data the client stores is a cookie holding a unique session ID
    • on each page request, the client sends its session ID cookie, and the server uses this to find and retrieve the client's session data

How sessions are established

  • client's browser makes an initial request to the server
  • server notes client's IP address/browser, stores some local session data, and creates and sends a session ID back to client (as a cookie)
  • client sends that same session ID (cookie) back to server on future requests
  • server uses session ID cookie to retrieve its data for the client's session later (like a ticket given at a coat-check room)

Cookies vs. sessions

  • duration: sessions live on until the user logs out or closes the browser; cookies can live that long, or until a given fixed timeout (persistent)
  • data storage location: sessions store data on the server (other than a session ID cookie); cookies store data on the user's browser
  • security: sessions are hard for malicious users to tamper with or remove; cookies are easy
  • privacy: sessions protect private information from being seen by other users of your computer; cookies do not

Sessions in PHP: session_start


          session_start(); 
          
  • session_start signifies your script wants a session with the user
    • must be called at the top of your script, before any HTML output is produced
  • What does session_start do?
    • if the server hasn't seen this user before, a new session is created
    • otherwise, existing session data is loaded into $_SESSION associative array
    • you can store data in $_SESSION and retrieve it on future pages

Accessing session data


            session_start();
            
            $_SESSION["name"] = value; # store session data
            $variable = $_SESSION["name"]; # read session data
            if (isset($_SESSION["name"])) { ... } # check for session data
          

            session_start();
            
            if (isset($_SESSION["points"])) {
                $points = $_SESSION["points"];
                print("You've earned $points points.\n");
            } else {
                $_SESSION["points"] = 0; # default
            }
          
  • the $_SESSION associative array reads/stores all session data
  • use isset function to see whether a given value is in the session
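The following script is an added example, not code from the lecture: it puts the pieces of the two sections above together (session_start before any output, storing values in $_SESSION, reading them back with isset) in a minimal login page. The session keys "logged_in" and "username", the check_credentials stub, the constructed demo account and the form field names are all assumptions for illustration. It also sets the session-ID cookie's attributes before session_start, since the cookie is the only thing the client holds and anyone who obtains it gets the session.

```php
<?php
// Added example (not from the lecture). Hypothetical keys: "logged_in",
// "username"; hypothetical helper: check_credentials().

// Attributes of the session-ID cookie. Must be set BEFORE session_start().
//   httponly => page scripts cannot read the cookie
//   samesite => browser does not attach it to cross-site requests
//   secure   => only sent over HTTPS (made conditional here so the example
//               also works on http://localhost; use true in production)
session_set_cookie_params([
    'lifetime' => 0,                          // 0 = dropped when the browser closes
    'path'     => '/',
    'secure'   => !empty($_SERVER['HTTPS']),
    'httponly' => true,
    'samesite' => 'Strict',
]);

// session_start() must run before ANY output (even a blank line above <?php),
// because the session cookie travels in the HTTP response headers.
session_start();

// Stand-in for a real credential check (normally password_verify() against a
// stored hash). The demo/demo-password account is constructed for this example.
function check_credentials(string $user, string $pass): bool {
    return $user === 'demo' && $pass === 'demo-password';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST'
        && isset($_POST['user'], $_POST['pass'])
        && check_credentials($_POST['user'], $_POST['pass'])) {
    // The user's privilege level just changed: issue a fresh session ID and
    // delete the old one, so an ID handed out before login is not the same ID
    // that now represents a logged-in user.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;                  # store session data
    $_SESSION['username']  = $_POST['user'];
}

// Read session data; isset() guards the first visit, when nothing is stored yet.
$logged_in = isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true;
?>
<!DOCTYPE html>
<html>
<body>
<?php if ($logged_in): ?>
  <p>Welcome back, <?= htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8') ?>.</p>
<?php else: ?>
  <form method="post">
    <input name="user" placeholder="user">
    <input name="pass" type="password" placeholder="password">
    <button>Log in</button>
  </form>
<?php endif; ?>
</body>
</html>
```

Save it as a single file and serve it with any PHP-capable server (for example `php -S localhost:8000`); after posting the demo credentials, reloading the page shows the stored username, because the browser sends the session-ID cookie back and session_start reloads that client's $_SESSION.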

Session timeout

  • previous sessions will linger unless you destroy them and regenerate the user's session ID
  • because HTTP is stateless, it is hard for the server to know when a user has finished a session
  • ideally, user explicitly logs out, but many users don't
  • client deletes session cookies when browser closes
  • server automatically cleans up old sessions after a period of time
    • old session data consumes resources and may present a security risk
    • adjustable in PHP server settings or with session_cache_expire function
    • you can explicitly delete a session by calling session_destroy
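As an added example (not from the lecture) of the points in this section, the script below implements both ways a session can end: an explicit logout that destroys the session and tells the browser to drop its cookie, and an application-level idle timeout for the many users who never log out. The IDLE_LIMIT value, the session keys "last_activity" and "hits", the end_session helper and the ?action=logout convention are assumptions for illustration.

```php
<?php
// Added example (not from the lecture). Hypothetical: IDLE_LIMIT, the keys
// "last_activity" and "hits", end_session(), and the ?action=logout link.

const IDLE_LIMIT = 15 * 60;   // seconds of inactivity before the session is dropped

session_start();

// Destroy the current session completely. session_destroy() alone removes the
// server-side data but leaves $_SESSION populated for the rest of this request
// and leaves the session-ID cookie in the browser, so both are cleared here too.
function end_session(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,   // a past date makes the browser delete it
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// 1. Explicit logout: destroy the session, then redirect to the plain page.
if (($_GET['action'] ?? '') === 'logout') {
    end_session();
    header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'));
    exit;
}

// 2. Idle timeout. HTTP is stateless, so the server never sees the browser
//    close; instead, stamp every request and discard sessions that have been
//    quiet longer than IDLE_LIMIT. This works regardless of how the server's
//    own garbage collection (session.gc_maxlifetime in php.ini) is tuned.
$expired = false;
$now = time();
if (isset($_SESSION['last_activity']) && ($now - $_SESSION['last_activity']) > IDLE_LIMIT) {
    $_SESSION = [];                 // drop everything the stale session held
    session_regenerate_id(true);    // new ID; old session's server-side data is deleted
    $expired = true;
}
$_SESSION['last_activity'] = $now;

// 3. Normal page content: count requests so the lifecycle is visible.
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
?>
<!DOCTYPE html>
<html>
<body>
<?php if ($expired): ?>
  <p>Your previous session timed out after <?= IDLE_LIMIT / 60 ?> idle minutes.</p>
<?php endif; ?>
<p>Requests in this session: <?= (int) $_SESSION['hits'] ?></p>
<p><a href="?action=logout">Log out</a></p>
</body>
</html>
```

Reloading the page increments the counter; following the logout link or waiting past IDLE_LIMIT resets it to 1, because the old server-side data is gone and the client is given a new session ID rather than being allowed to keep reusing the old one.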