PHP Session

Summary: in this tutorial, you will learn how to work with PHP sessions to preserve the state of the web application across pages during a session.

How PHP session works

Sessions allow you to store data on the web server that is associated with a session ID. Once you create a session, PHP sends a cookie that contains the session ID to the web browser. In subsequent requests, the web browser sends the session ID cookie back to the web server so that PHP can retrieve the data based on the session ID and make the data available in your script.

Where PHP stores session data

By default, PHP stores session data in temporary files on the web server. You can find the location of the temporary files in the session.save_path directive of the PHP configuration file. If you want to see it in your script, you can read that directive with the ini_get() function.

Another way to get the session data file location is to call the session_save_path() function.

Typically, the session data is stored in the /tmp folder of the web server.

How to create a session

To create a session, you call the session_start() function.

The first time you call session_start() in your script, PHP generates a unique session ID and sends it to the web browser in the form of a cookie named PHPSESSID. If the session already exists, PHP checks the PHPSESSID cookie sent by the browser, and the session_start() function uses the existing session.

It is important to note that PHP must send the PHPSESSID cookie in the HTTP header; therefore, you must call the session_start() function before any statement that outputs content to the web browser. Otherwise, you will get a warning message saying that you cannot modify the header because it is already sent.

How to access data in the session

Unlike a cookie, you can store any type of data in sessions. You store data as keys and values in the $_SESSION[] superglobal array. For example, the index.php file stores a user string and a roles array in the session.

The profile.php file can then access the same session data.

The index.php file calls the session_write_close() function after it writes data into the $_SESSION array. The session_write_close() function forces the data in the $_SESSION array to be saved to the session data file on the web server and releases the lock on the session data file.

Normally, PHP does this automatically when the script ends. However, it is good practice to call the session_write_close() function as soon as you no longer write data into the $_SESSION[] array. The reason is that when you use file-based sessions, each request locks the session file until the script terminates. A subsequent request has to wait for the lock to be released before it can access the session data again. The lock prevents session data corruption. However, when a script “sleeps” a lot, the next script has to wait too long. The session_write_close() function releases the lock earlier and enables the next script to continue without waiting.

How to destroy a session

Whenever a user closes the browser, PHP automatically deletes the session because the PHPSESSID cookie’s expires field is set to zero. However, in some situations, you do want to destroy a session yourself, e.g., when users click the logout link. To destroy a session, you use the session_destroy() function.

The session_destroy() function destroys all data associated with the current session. However, it does not unset the data in the $_SESSION array or the cookie.

To completely destroy the session, you also unset the variables in the $_SESSION array and remove the PHPSESSID cookie.

When removing the cookie, use session_name() to get the cookie name instead of hard-coding PHPSESSID. This is because PHP allows you to work with multiple sessions with different names in the same script.

A simple login system

We will use what we have introduced to develop a simple login system. You can try it yourself and analyze how it works.
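
A login and logout flow built from the functions covered above, as an added example rather than the tutorial's original listing. It goes one step beyond the text by calling session_regenerate_id() after a successful login, so that a session ID issued before authentication is not carried into the authenticated session. The alice account, its password and the POST field names (action, user, password) are constructed for illustration, and the array form of setcookie() needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);
// Added example (PHP 7.3+); the account and form field names are constructed.

function field(string $key): string
{
    $value = $_POST[$key] ?? '';
    return is_string($value) ? $value : '';   // ignore array-valued input
}

function login(string $user, string $password): bool
{
    // Constructed sample account; a real application loads a stored hash.
    $accounts = ['alice' => ['roles' => ['editor'],
        'hash' => password_hash('s3cret-demo', PASSWORD_DEFAULT)]];
    $account = $accounts[$user] ?? null;
    if ($account === null || !password_verify($password, $account['hash'])) {
        return false;
    }
    session_regenerate_id(true);   // new ID after authentication, old data deleted
    $_SESSION['user'] = $user;
    $_SESSION['roles'] = $account['roles'];
    return true;
}

function logout(): void
{
    $_SESSION = [];                          // unset the data in $_SESSION
    if (ini_get('session.use_cookies')) {    // expire the session cookie by name
        $p = session_get_cookie_params();
        setcookie(session_name(), '', ['expires' => time() - 3600,
            'path' => $p['path'], 'domain' => $p['domain'],
            'secure' => $p['secure'], 'httponly' => $p['httponly']]);
    }
    session_destroy();                       // delete the data stored on the server
}

session_start();                             // must run before any output
$error = '';
$action = field('action');
if ($action === 'login' && !login(field('user'), field('password'))) {
    $error = 'Invalid user name or password.';
} elseif ($action === 'logout') {
    logout();
}
$user = $_SESSION['user'] ?? null;
session_write_close();                       // done writing: release the file lock

echo $user === null ? "$error Not signed in." : 'Signed in as ' . htmlspecialchars($user);
```

Logout is handled as a POST action here rather than a plain link, so that following a URL alone does not end the session.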

In this tutorial, you have learned how to use PHP sessions to preserve the state of the web application across pages within a session.
