Using Sessions in PHP
By: Andi, Stig and Derick in PHP Tutorials on 2008-11-23
A PHP session allows an application to store information for the current "session," which can be defined as one user being logged in to your application. A session is identified by a unique session ID. PHP creates a session ID that is an MD5 hash of the remote IP address, the current time, and some extra randomness, represented as a hexadecimal string. This session ID can be passed in a cookie or added to all URLs used to navigate your application. For security reasons, it is better to require that the user have cookies enabled than to pass the session ID in the URL (which can be done manually by adding ?PHP_SESSID=<session_id>, or by turning on session.use_trans_sid in php.ini), where it might end up in a web server's logs as an HTTP_REFERER or be found by some evil person monitoring your traffic. That evil person can still see the session cookie data, of course, so you might want to use an SSL-enabled server to be really safe.
To continue discussing sessions, we're going to rewrite the previous cookie example using sessions. We create a file called session.inc that sets some session values, as shown in the following example, and include this file at the beginning of any script that is part of the session:
<?php
ini_set('session.use_cookies', 1);
ini_set('session.use_only_cookies', 1);
session_start();
?>
On the first line, the configuration parameter 'session.use_cookies' is set to 1, which means that cookies will be used for propagation of the session ID. On the second line, 'session.use_only_cookies' is set to 1, which means that a session ID passed in the URL to the script will be discarded. The second setting requires that users have cookies enabled to use sessions. If you cannot rely on people having cookies enabled, you can either remove this line, or you can change the value to 0, which makes sure that a global setting for this configuration parameter in php.ini or another place does not switch it on behind your back.
Tip:
You can configure the place where PHP will store session files with the session.save_path configuration setting.
The session_start() function must come after any session-related settings are done with ini_set(). session_start() initializes the session module and sets some headers (such as the session ID cookie and some caching-prevention headers), so it must be called before any output has been sent to the browser. If no session ID is available at the time session_start() is called, a new session ID is created and the session is initialized with an empty $_SESSION array. Adding elements to the $_SESSION array is easy, as shown in the following example. This modified version of our login page contains the changed lines (the include of session.inc and the assignment to $_SESSION['uid']):
<?php
include 'session.inc';
/* Stand-in for the real authentication function: always returns user ID 4 */
function check_auth($email, $password) { return 4; }
?>
<html>
<head><title>Login</title></head>
<body>
<?php
if (isset($_POST['login']) && ($_POST['login'] == 'Log in')
    && ($uid = check_auth($_POST['email'], $_POST['password']))) {
    /* User successfully logged in, storing the user ID in the session */
    $_SESSION['uid'] = $uid;
    header('Location: http://kossu/session/index.php');
    exit; /* stop here so nothing else is sent after the redirect */
} else {
?>
<!-- HTML form comes here -->
<?php
}
?>
</body>
</html>
Tip:
You can call session_name('NAME') before calling session_start() in your script to change the default PHP_SESSID name of the session ID cookie.
We first include our session.inc file. Adding the session variable 'uid' to the session is done easily by setting the uid element of the $_SESSION superglobal to the value of $uid. Unsetting a session variable can be done with unset($_SESSION['uid']).
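As an added example (not the book's session.inc), here is a variant of the include file that keeps the two settings above and adds the protection a practitioner would want against a session ID that an attacker planted in the browser before login: the cookie is restricted to HTTPS and hidden from JavaScript, IDs the server never issued are rejected, and the session ID is regenerated when a user logs in. The login_user() function is an assumption of this example; the array form of session_set_cookie_params() requires PHP 7.3 or later.

```php
<?php
// Added example, not the book's session.inc.
ini_set('session.use_cookies', 1);
ini_set('session.use_only_cookies', 1);
// Reject session IDs that were not generated by this server (PHP >= 5.5.2).
ini_set('session.use_strict_mode', 1);

// Cookie attributes for the session ID cookie (array form needs PHP >= 7.3).
session_set_cookie_params([
    'lifetime' => 0,       // browser-session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,    // only sent over HTTPS
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',   // not sent on cross-site POSTs
]);
session_start();

/* Hypothetical helper: call this instead of assigning $_SESSION['uid']
 * directly. It discards the session ID the browser arrived with, so an ID
 * that was set before authentication is never promoted to a logged-in one. */
function login_user(int $uid): void {
    session_regenerate_id(true);      // true: delete the old session file too
    $_SESSION['uid'] = $uid;
    $_SESSION['login_time'] = time(); // lets check_login() enforce a maximum age later
}
?>
```

In the login page, `login_user($uid);` replaces the line `$_SESSION['uid'] = $uid;` and everything else stays the same.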
Tip:
If you need to process a lot of data after modifying your session variables, you might want to call session_write_close(), which is normally done automatically at the end of the script. This writes the session file to disk and unlocks the file in the operating system so that other scripts may use the session file. (You will notice that pages in a frame set load serially, because the session file is locked by PHP while each page runs.)
Tip:
The locking described here will not always work on NFS, so scripts in a frame set might still get the old non-updated session data. Avoid using NFS to store session files.
Logging out is the same as destroying the session and its associated data, as we see in the logout script:
<?php
session_start();
$_SESSION = array();
session_destroy();
header('Location: https://java-samples.com/session/login.php');
?>
We still need to initialize the session with session_start(), after which we can clear the session by setting the $_SESSION superglobal to an empty array. Then, we destroy the session and its associated data by calling session_destroy().
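The logout script above removes the session data on the server but leaves the session cookie in the browser. As an added example (not the book's code), this variant also expires the cookie, using the same attributes it was issued with so the browser matches it; the redirect URL is the one from the page.

```php
<?php
// Added example, not the book's logout script.
session_start();
$_SESSION = array();          // drop all session variables

// Tell the browser to forget the session ID cookie as well.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    // An expiry date in the past deletes the cookie; path, domain and flags
    // must match the original cookie or the browser keeps the old one.
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}

session_destroy();            // remove the session file on the server
header('Location: https://java-samples.com/session/login.php');
exit;                         // nothing after the redirect should be sent
?>
```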
Session variables are accessed from the $_SESSION superglobal. Each element contains a session variable, using the session-variable name as key. In our index.php script, we moved the if statement that checks whether a user is logged in to a special function that we place in the session.inc file:
function check_login() {
    if (!isset($_SESSION['uid']) || !$_SESSION['uid']) {
        /* If no UID is in the session, we redirect to the login page */
        header('Location: https://java-samples.com/session/login.php');
        exit; /* without this, the rest of the protected page would still be sent */
    }
}
In this function, we check whether the 'uid' session variable exists and whether its value is not 0. If one of the checks fails, we redirect the user to the login page; otherwise, we do nothing and let the calling script handle it from there. We call the check_login() function on every page where we require a user to be logged in. We need to make sure the session.inc file is included before any output is produced, because it may need to send headers to the browser. Here is a snippet from the modified index.php script:
<?php
include 'session.inc';
check_login();
?>
<html>
<!-- rest of HTML follows here -->
Using sessions can be as simple as what's shown here. Or, you can tweak some more parameters. Check out the php.ini-dist file that accompanies the PHP distributions.