PHP session management easy made


This article gives you the basics needed to understand and implement PHP's session mechanism.


A session, in our context, is a temporary interactive information exchange between the browser and the Web application/server. A session is stateful.

Session management encompasses the techniques used to transparently authorize a user for every HTTP request without making them log in repeatedly. Web developers need it because the underlying HTTP protocol is stateless.

After successful authentication, the Web application sends the browser a session ID or token. Usually this ID is sent in the HTTP response (Set-Cookie header) and is stored on the user's computer. The browser must then send the session ID along with every HTTP request to identify itself to the Web application.
The Web application can then determine whether the browser is authorized to access the page being requested.

A session ID:

  • is also called session token
  • is a unique identifier (to identify the current session)
  • is generated by the Web application
  • is sent to the browser
  • is usually stored in a cookie (on the user’s computer)
  • is sent to the Web application for authentication

Start a session

The session_start() function:

  • Initializes the session engine
  • Generates a random session ID, which is stored in the session file on the Web server
  • Stores the session ID in a constant named PHPSESSID
  • Sets the session ID cookie in the (user's) browser. The cookie name is PHPSESSID, while its value is the session ID
  • Initializes the $_SESSION superglobal array

The session_start() function must be called before any output is sent to the browser, so it must appear before the <html> tag.

The session ID is temporary and will be deleted after the user has left the Web site. If you need permanent storage, you may want to store the session ID in a database.

The session ID

The session ID is sent to the browser with the first response from the Web server and then sent back to the Web server with each subsequent request from the browser.
Get the session ID by simply calling session_id(). You can also set the session ID by passing it to this function.

The session file

The session file is named sess_abcd, where abcd is the session ID.
On shared Web servers, everybody shares the same temp folder, which is usually where session files are stored. For security reasons, move the session files to a dedicated folder by changing the php.ini directive session.save_path.

The session ID cookie

The session ID cookie is sent to the browser on its first request. On every page loaded, the session ID cookie is sent from the browser to the Web server. PHP then reads and stores the value into the $_COOKIE superglobal array.

Get the session ID: echo $_COOKIE['PHPSESSID'];

To view all cookies: print_r($_COOKIE);

Set the php.ini directive session.use_only_cookies to On so that the session ID is carried in cookies only (and never accepted from the URL)!

The default cookie name PHPSESSID can be changed in the php.ini configuration file by using the directive.

The $_SESSION superglobal

The $_SESSION superglobal array allows you:

  • to store whatever information you wish (to use in a session )
  • to use it on all pages that begin with session_start().

If you want to welcome a user on every page, assign the user's name once at login, for example:
$_SESSION['username'] = $_POST['id'];

Unset a user after a logout: unset($_SESSION['username']);

Empty the array after a logout: $_SESSION = array();

By default, the php.ini directive session.save_handler is set to “files” which is the most commonly used session handler. In this configuration, a serialized string representation of the $_SESSION array is stored in the session file.

Destroying a session

It is good practice to clear/empty the global arrays after destroying the session!

– Destroy the session: <?php session_destroy(); ?>

– Clear/empty the global: $_SESSION = array();

– Invalidate the cookie

Set the cookie value to an empty string, expire the cookie 24 hours ago, and apply the cookie to the whole domain (path '/'):

if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time() - 86400, '/');
}
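As an added example (not code from the original article), the three logout steps of this section combined into one function, together with a matching login helper. session_regenerate_id() and session_get_cookie_params() are my additions and are not discussed above; the 'id' form field follows the article's basic example.

```php
<?php
// Added example, not part of the original article.
// Assumes the login form posts the user's name in an 'id' field.
declare(strict_types=1);

function loginUser(string $username): void
{
    // session_start() must run before any output reaches the browser
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Issue a fresh session ID when the privilege level changes, so an ID
    // that existed before login is not carried over (not covered above).
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
}

function logoutUser(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // 1. Clear/empty the superglobal so no data survives in this request
    $_SESSION = [];

    // 2. Invalidate the cookie: empty value, expiry 24 hours in the past,
    //    and the same path/domain/flags the cookie was originally set with
    if (isset($_COOKIE[session_name()])) {
        $p = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 86400,
            $p['path'],
            $p['domain'],
            $p['secure'],
            $p['httponly']
        );
    }

    // 3. Remove the server-side session file (sess_<id>)
    session_destroy();
}

// Usage on the login page, after the password check has succeeded:
//   loginUser((string) ($_POST['id'] ?? ''));
// Usage on the logout page:
//   logoutUser();
//   header('Location: /login.php');
```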

Basic session example

Data from the first page is accessible in the second page using the session mechanism.

<?php // first page (file1.php)
session_start();                       // must run before any output
$_SESSION['username'] = $_POST['id'];  // get the user's name (after a successful login)
// output the user's name, HTML-escaped so the stored value cannot inject markup
echo 'Hello ' . htmlspecialchars($_SESSION['username']) . '<br>';
echo '<a href="file2.php">go to the next page</a>';

<?php // second page (file2.php)
session_start();                       // re-attaches the session via the PHPSESSID cookie
echo 'Hello again ' . htmlspecialchars($_SESSION['username']); // "remember" the user's name
