
What is all this SESSION stuff about? (PHP)

Archive - Originally posted on "The Horse's Mouth" - 2010-04-25 07:33:09 - Graham Ellis

If you're booking an airline flight online, you'll be taken through a series of screens to select route, dates, times, passengers, seats, then to enter payment details, and perhaps visa / government information too. It would be impractical to do the whole job on a single page, as you need the intermediate feedback.

How does the booking web site achieve this multi-step process for you, keeping your data from page to page - sometimes for quite a few minutes while you check with the family / work out if you can get the dog to the kennels and still catch the 11:15 flight - and not get you confused with the hundreds of other customers on the same web site at the same time?

This separation of individual users, overlaying a web based / HTTP system which is a "stateless" structure, is commonly achieved using cookies:

• When you arrive at a site, you do NOT have a cookie for that site.

• When the site sends out its first (program) response to you, it includes a cookie in the headers. This is something like "userid=xxyyzp" where the server / site has produced a unique string for the value - xxyyzp in my example. The next user arriving may get "userid=xxyyzq" and so on.

• On each subsequent request to the site, your browser will automatically include the cookie in its headers, and the web site's programs will then identify which particular visitor it is who's returning.

Of course, the string "xxyyzp" doesn't include all the vital data such as a note of where you want to fly to, and on what day, which you enter early on your visit to the site - information which is needed much later in the booking process too - so the server will be programmed to save all these various values to a file (either a regular file, or a record within a database - both schemes work well) at the end of each page, and will read them back in at the start of processing the next page. Sometimes you'll hear this file referred to as your session, at other times as your shopping cart.

From yesterday's PHP course, I have uploaded the source code of an example I wrote [here] which shows how cookies are used to create session files. In the example, we are only saving one piece of data in the file (the number of previous visits), as it's just an illustration of principle.

Sessions of this sort are a VERY common requirement in PHP applications, and my example above needs to be enhanced to deal with issues such as cleaning up completed (expired) sessions, and keeping the session files in another place so that they can't be accessed directly. So PHP has, built in, some special session handling facilities, and a superglobal array called $_SESSION to automate the process for you. There's a complete source code example - the equivalent of the example above - [here]. You'll note that it's much shorter!

When you call session_start, PHP reads in any existing session into the $_SESSION superglobal, or initializes a new session and sends out a cookie (by default called PHPSESSID) to a new arrival. At the end of your script, $_SESSION is automatically saved (disc or database) so that anything it contains is available to you as soon as you have done your session_start on the next page.

The PHP session functions also tidy up old sessions, send out cookies which expire after a certain time, etc ... i.e. they do all the bookkeeping for you. So my second code sample was shorter ... and also more secure and complete.
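
As an added illustration (not the linked course example), here is a visit counter built on session_start and $_SESSION, with the session cookie and ID handling tightened. It assumes PHP 7.3 or later and a site served over HTTPS; the 1800-second timeout and the key names visits and last_seen are choices made for this example.

```php
<?php
// Added example: visit counter on PHP's built-in sessions.
// Assumptions: PHP 7.3+, HTTPS, 30-minute idle timeout.

const IDLE_LIMIT = 1800; // seconds; illustrative value

// Refuse session IDs the server did not issue itself, so a PHPSESSID
// value planted in the browser by someone else is not adopted.
ini_set('session.use_strict_mode', '1');
// Take the session ID from the cookie only, never from the URL.
ini_set('session.use_only_cookies', '1');
// Server-side session data idle longer than this may be cleaned up.
ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);

session_set_cookie_params([
    'lifetime' => 0,      // cookie is discarded when the browser closes
    'path'     => '/',
    'secure'   => true,   // only ever sent over HTTPS
    'httponly' => true,   // not readable from JavaScript in the page
    'samesite' => 'Lax',  // withheld on cross-site requests other than
                          // top-level link navigation
]);

session_start();          // loads $_SESSION, or starts a new session

// Clean-up of old session files is probabilistic, so enforce the idle
// timeout in the application as well.
$now = time();
if (isset($_SESSION['last_seen'])
        && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
    $_SESSION = [];               // discard the stale data
    session_regenerate_id(true);  // issue a new ID, delete the old session
}
$_SESSION['last_seen'] = $now;

// The one piece of data kept per visitor: the number of visits so far.
$previous = $_SESSION['visits'] ?? 0;
$_SESSION['visits'] = $previous + 1;

header('Content-Type: text/plain; charset=utf-8');
echo "Previous visits in this session: ", $previous, "\n";
```

In an application with a login step, session_regenerate_id(true) would also be called at the moment the user authenticates, so that the ID used before login is not the one that carries the logged-in state.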