PHP Sessions

Accessing Session Data

HTTP is a stateless protocol; this means that the webserver does not know (or care) whether two requests come from the same user; each request is instead handled without regard to the context in which it happens. Sessions are used to create a measure of state between requests, even when they occur at large time intervals from each other.

Sessions are maintained by passing a unique session identifier between requests, typically in a cookie, although it can also be passed in forms and GET query arguments. PHP handles sessions transparently through a combination of cookies and, when session.use_trans_sid is turned on in php.ini (it is off by default in PHP5), URL rewriting. It generates a unique session ID and uses it to track a local data store (by default, a file in the system’s temporary directory) where session data is saved at the end of every request.

Sessions are started in one of two ways. You can either set PHP to start a new session automatically whenever a request is received by changing the session.auto_start configuration setting in your php.ini file, or explicitly call session_start() at the beginning of each script. Both approaches have their advantages and drawbacks. In particular, when sessions are started automatically, you obviously do not have to include a call to session_start() in every script. However, the session is started before your scripts are executed; this denies you the opportunity to load your classes before your session data is retrieved, and makes storing objects in the session impossible.

In addition, session_start() must be called before any output is sent to the browser, because it will try to set a cookie by sending a response header.

In the interest of security, it is a good idea to follow your call to session_start() with a call to session_regenerate_id() whenever you change a user’s privileges to prevent “session fixation” attacks.

Accessing Session Data
Once the session has been started, you can access its data in the $_SESSION superglobal array:

<?php
// Start (or resume) the session; not needed if session.auto_start is on
session_start();
// Set a session variable
$_SESSION['hide_menu'] = true;
// From here on, we can access hide_menu in $_SESSION
if ($_SESSION['hide_menu']) {
   // Hide menu
}
?>

Cleaning and Destroying Session

Although a session’s data is temporary and does not require that you explicitly clean up after yourself, you may wish to delete some data for your various tasks.

Imagine that you were running an online business and a user used your website to buy your goods. The user has just completed a transaction on your website and you now want to remove everything from their shopping cart.

<?php
session_start();
if(isset($_SESSION['cart']))
   unset($_SESSION['cart']);
?>

You can also destroy the session entirely by calling the session_destroy() function.

<?php
session_start();
session_destroy();
?>

session_destroy() will reset your session, so don’t call that function unless you are entirely comfortable losing all your stored session data!
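The login and logout flow below is an added example, not code from the original page. It shows session_regenerate_id() at the point where privileges change and a full teardown around session_destroy(). The $users store, the login() and logout() helpers and the redirect paths are hypothetical, and it assumes PHP 5.5 or later for password_hash() and session.use_strict_mode.

```php
<?php
// Added example; $users, login(), logout() and the redirect paths are hypothetical.
ini_set('session.use_trans_sid', '0');    // never place the session ID in URLs
ini_set('session.use_only_cookies', '1'); // ignore IDs supplied in GET or POST data
ini_set('session.use_strict_mode', '1');  // refuse IDs the server did not issue
ini_set('session.cookie_httponly', '1');  // keep the cookie away from page scripts
session_start();

// Constructed sample account store; a real application would query a database.
$users = array('alice' => password_hash('correct horse', PASSWORD_DEFAULT));

function login(array $users, $name, $password)
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // Privilege change: issue a fresh ID so one fixed before login stops working.
    // Passing true also deletes the old session's stored data.
    session_regenerate_id(true);
    $_SESSION['user'] = $name;
    return true;
}

function logout()
{
    $_SESSION = array(); // session_destroy() does not empty this array
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();   // remove the server-side session data
}

if (isset($_POST['logout'])) {
    logout();
    header('Location: /login.php');
    exit;
}
if (isset($_POST['name'], $_POST['password'])) {
    $ok = login($users, (string) $_POST['name'], (string) $_POST['password']);
    header('Location: ' . ($ok ? '/account.php' : '/login.php?failed=1'));
    exit;
}
```

session_destroy() on its own removes the stored data but leaves $_SESSION and the browser's cookie in place for the rest of the request, which is why logout() clears both first.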
