Working With Sessions In PHP

One of the first things people want to do when they get started with development is made some type of login system. But how do you get started? The answer is learn about sessions.

What Are Sessions

Think of sessions like a type of variable that can hold its value as a user moves from page to page. These variables are able to do this because they are actually pointed to a file in your server where their values are stored (more on this below).

Sessions VS Cookies: Which To Use

Sessions and cookies are quite similar to one another, both are used to store data from a website which can be used through the page. The main difference between them is the level of visibility each one has, which is due to where they are stored.
You would use cookies to store data which you wouldn’t mind the user changed. For example who cares if a user can hack the contents of his/her shopping cart (don’t forget to always make sure your cookies have the contents you expect), but you would be in trouble if he was able to change his user id to another and thus have access to some other person’s profile.
How Sessions are Stored
Unlike cookies which are stored in the browser and are editable, readable and visible to anybody who can download a FireFox plugin, sessions are stored in a file in the server and can only be read and edited by server side scripts (PHP).
The folder/path in your server in which session files are stored is defined by a variable called "session.save_path" in your php.ini file.
If this variable is not in your file your hosting provider must have a default path. You can change the path however like this:

How To Create Sessions

The following line of code has to be present in any script file, before any output, where you are using sessions.
There is a variable called $_SESSION which is an array of all your sessions. To create a new session simply chose your key and value.
Example: loggedin.php
$_SESSION['logged_in']=true; // logged_in is the key, true is the value
The previous line of code made a session variable which you would use in your script to determine if a user is logged in or not and another one to store the username.
A session file was also created in your session save path folder, its file name is a random string of characters. Optional: If you are trying out this script go to it and check it out it’s contents to see how the session looks.

How To Read Sessions

Now you can server pages for a particular user accordingly. Session variables are read the same way $_POST and $_GET variables are.
Example: profile.php
session_start(); // remember, this line is always needed

// check if user is logged in
   // pull information from database using variable $_SESSION['username']
  // load profile page
   // load login form

How To Unset and Destroy Session

To log a user out you need to clear the session variable and destroy the session file.
Example: logout.php

$_SESSION = array(); // unset all of the session variables.

session_destroy(); // sounds pretty badass doesn't it?

Session Hijacking

Sessions are safer than cookies but a person could still gain access to another person’s session information if they know or able to guess to the session_id ( the name of the file in which the session was stored)
This is whole different issue and would require a whole different post. Am going to leave you with two posts I found online that cover session hijacking pretty thoroughly.
I also recommend that you take a look at all the session functions available Session Functions

Post a Comment