PHP Sessions Explained

One of the most common requirements for any web application is sessions. Sessions are used to maintain information about a user on the server instead of in cookies. Although the session id itself is stored in a cookie, this is considered more secure because a user cannot tamper with the contents of the session. If a user were to modify their session identifier, PHP would simply create a new session based on the new id.

Using Sessions
For each page that requires session data, session_start() must be called. This causes PHP to read the user's session id and load the session data into memory. Once loaded, it is accessible via the $_SESSION superglobal array, and from there you can modify its contents.

Note: session_start() cannot be called once output has started. A warning will be displayed and it's possible the session could be lost. If you are seeing the error “Cannot send session cache limiter”, check to make sure no output is going to the browser. A common cause is an unwanted space or tab outside the PHP tags.

Once you are done with a session you can call session_write_close() to force the modifications to the session to be saved. This is not required, as PHP does this automatically once the script ends.

The following is a short example of using a session.

    <?php
    session_start(); // must run before any output is sent
    $_SESSION["hits"] = ($_SESSION["hits"] ?? 0) + 1; // initialise on the first visit instead of incrementing an undefined key
    echo "You've visited this page " . $_SESSION["hits"] . " time(s).";

Behind the Scenes
PHP makes using sessions easy, but what you don’t see is what it's doing behind the scenes. The default PHP installation uses temporary files on the local disk for storing the session contents. When a session is started, PHP reads the file which contains the serialized contents of $_SESSION. The data is unserialized and then placed in $_SESSION. When the session is closed, $_SESSION is serialized and stored back in the temporary file.

The more unique hits you receive, the more session files are created. Allowing these files to build up could cause problems on the web server: it may run out of space, or you could hit the maximum file limit. To prevent this from happening, PHP runs a cleanup routine when new sessions are started. All session files that have timed out are removed from disk.

Custom Session Handlers
There is nothing to prevent you from making your own session handling system. The PHP session handler is only provided as a convenience. However, before you “remake the wheel” you should consider overriding PHP’s session system using session_set_save_handler(). This allows you to override each of the six internal PHP session calls: open, close, read, write, destroy, and garbage collect. Using this method you can create your own way of handling session data.

PHP’s documentation contains an example of how to use session_set_save_handler() here.
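To make the "Behind the Scenes" section and the six handler calls concrete, here is an added example of a file-backed handler registered with session_set_save_handler(). It is not the article's code and not PHP's built-in files handler; it assumes PHP 8 (union return types), a constructed storage directory `/var/lib/php/example-sessions`, and the default `session.serialize_handler`, so read() and write() see $_SESSION in its serialized form exactly as the article describes. It also implements SessionUpdateTimestampHandlerInterface so that, with `session.use_strict_mode` enabled, a session id supplied by the client that the server never issued is rejected rather than adopted.

```php
<?php
// Added example, not the article's or PHP's own code.
// A file-backed session handler that spells out the six internal calls.
class FileSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private string $dir;

    public function __construct(string $dir)
    {
        $this->dir = rtrim($dir, '/');
    }

    // PHP generates ids from [0-9a-zA-Z,-] of length session.sid_length (22..256).
    // Accepting only that shape keeps a crafted id from becoming a path component.
    private function isWellFormed(string $id): bool
    {
        return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1;
    }

    private function path(string $id): string
    {
        if (!$this->isWellFormed($id)) {
            throw new InvalidArgumentException('malformed session id');
        }
        return $this->dir . '/sess_' . $id;
    }

    // open: called by session_start(); make sure the storage directory exists
    // and is readable only by the web server user.
    public function open(string $savePath, string $sessionName): bool
    {
        return is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }

    // close: nothing to release for plain files.
    public function close(): bool
    {
        return true;
    }

    // read: return the serialized $_SESSION, or "" for a brand-new session.
    // PHP unserializes this into $_SESSION after the call.
    public function read(string $id): string|false
    {
        $file = $this->path($id);
        return is_file($file) ? (string) file_get_contents($file) : '';
    }

    // write: PHP passes $_SESSION already serialized; persist it atomically.
    public function write(string $id, string $data): bool
    {
        return file_put_contents($this->path($id), $data, LOCK_EX) !== false;
    }

    // destroy: called by session_destroy(); remove the file for this id.
    public function destroy(string $id): bool
    {
        $file = $this->path($id);
        return !is_file($file) || unlink($file);
    }

    // gc: the cleanup routine the article mentions. PHP passes
    // session.gc_maxlifetime and runs it on a fraction of requests
    // (session.gc_probability / session.gc_divisor). Returns files removed.
    public function gc(int $maxLifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $file) {
            if (filemtime($file) + $maxLifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }

    // validateId: with session.use_strict_mode=1 PHP asks whether the id from
    // the cookie is one we issued. Returning false makes PHP generate a fresh
    // id instead of creating a session under the client-chosen one.
    public function validateId(string $id): bool
    {
        return $this->isWellFormed($id) && is_file($this->path($id));
    }

    // updateTimestamp: keep an unchanged session alive (session.lazy_write).
    public function updateTimestamp(string $id, string $data): bool
    {
        return touch($this->path($id));
    }
}

// Usage: register the handler before session_start(). The path is a constructed
// example; choose a directory outside the web root.
$handler = new FileSessionHandler('/var/lib/php/example-sessions');
session_set_save_handler($handler, true);   // true also registers the shutdown write/close
ini_set('session.use_strict_mode', '1');
session_start();
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
echo 'Session ' . session_id() . ' hits: ' . $_SESSION['hits'] . "\n";
```

The second argument to session_set_save_handler() registers session_write_close() as a shutdown function, which is what gives you the automatic save at script end that the article relies on. Inspecting a `sess_*` file produced by this handler shows the serialized form of $_SESSION (for the example above, `hits|i:1;`), which is the same format the default handler writes.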

If you would like some more examples leave me a comment with what you would like to see.

3 thoughts on “PHP Sessions Explained”

  1. Hi Justin,

    Great article, it explained a lot. One thing, though. I looked at my cookies in my browser and I can’t seem to find one specifically related to the session I created, although it’s working correctly. Does it always create a cookie?

  2. I have seen that people can even import cookies in Firefox and fake the session of other users.
    The article was written 6 years ago, but it would be great if you could explain more about it (I mean, how the cookies are stored and the files for each session).
