Session Management in PHP - Part 1

A session is a way to identify and manage the state (the session variables) for a particular user. When a user sends an HTTP request, the middle tier must process the current request in the context of the user's session. When a session is started, the client is given a session identifier, often a cookie, that is included with subsequent requests to the server. The server uses the session identifier to locate the corresponding session before processing the request.

Rather than storing all the variables needed to maintain state and including them with each request, the browser stores a single session identifier that finds and initializes the variables stored on the server.

A consequence of storing session variables in the middle tier is that data needs to be stored for each session. When the user logs out of an application, the logout script ends the session. Sessions consume resources on the server, and dormant sessions may present a security risk, so the server needs to clean up old sessions that have not been used for a period of time. How long the timeout should be depends on the needs of the application.

When working with sessions, we must take care of the following three things:

  • Information or state must be stored. For example, a student's note or instructor's feedback, a student's name, or ID number must be maintained across multiple HTTP requests.
  • Each HTTP request must carry an identifier that allows the server to process the request in the context of the stored state. For example, when a quiz is submitted, it must be processed with the correct score to display the quiz result details.
  • Sessions need to have a timeout. Otherwise, if a user leaves the web site, there is no way the server can tell when the session should end.

When a user first enters the session-based application by making a request to a page that starts a session, PHP generates a session ID and creates a file that stores the session-related variables. PHP sets a cookie to hold the session ID in the response the script generates. The browser then records the cookie and includes it in subsequent requests.

PHP provides a session_start( ) function that creates a new session and subsequently identifies and establishes an existing one. Either way, a call to the session_start( ) function initializes a session. Before you can begin storing user information in your PHP session, you must first start the session. When you start a session, it must be at the very beginning of your code, before any HTML or text is sent.

session_start(); // start up your PHP session!

This code will register the user's session with the server, allow you to start saving user information, and assign a UID (unique identification number) for that user's session.

Storing a session variable:

When you want to store user data in a session, use the $_SESSION associative array. This is where you both store and retrieve session data. In previous versions of PHP there were other ways to perform this store operation, but it has been updated and this is the correct way to do it.



session_start(); // the session must be started before $_SESSION is used

$_SESSION['views'] = 1; // store session data

echo "Pageviews = " . $_SESSION['views']; // retrieve data


Output is:

Pageviews = 1

In this example we learned how to store a variable in the session associative array $_SESSION and also how to retrieve data from that same array.
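The timeout requirement from the list above can be enforced by the application itself using the same $_SESSION array. This is an added example, not code from the original post; the IDLE_LIMIT constant, its 900-second value, the session_state() helper and the last_seen key are assumptions made for illustration.

```php
<?php
// Added example. IDLE_LIMIT and the 'last_seen' key are names chosen here.
const IDLE_LIMIT = 900; // seconds of inactivity before the session is dropped (assumed)

// Classify a session from its stored data: 'new', 'active' or 'expired'.
function session_state(array $session, int $now, int $limit = IDLE_LIMIT): string
{
    if (!isset($session['last_seen'])) {
        return 'new';
    }
    return ($now - (int) $session['last_seen'] > $limit) ? 'expired' : 'active';
}

// Let PHP's garbage collector remove session files idle longer than the limit.
// GC is not guaranteed to run on every request, so the check below is still needed.
ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);

session_start(); // must run before any output is sent
$now = time();

if (session_state($_SESSION, $now) === 'expired') {
    // Dormant session: discard its variables and replace the identifier,
    // deleting the old session data so the old ID stops working.
    $_SESSION = [];
    session_regenerate_id(true);
}

$_SESSION['last_seen'] = $now; // record this request as the latest activity
$_SESSION['views'] = ($_SESSION['views'] ?? 0) + 1;
echo "Pageviews = " . $_SESSION['views'];
```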

Cleaning session:

After a user has completed his or her work on your site (for example, a student completes a review, gives feedback and leaves the site), you may want to remove everything from their session variables (such as cleaning up the user ID and name for security purposes). You can use the following code:






Destroy session:

You can also destroy the session entirely by calling the session_destroy() function.

A session must be initialized before the session_destroy( ) call can be made. You should also test to see if $PHPSESSID is a set variable before killing the session. This prevents the code from creating a session, then immediately destroying it if the script is called without identifying a session. However, if the user has previously held a session cookie, PHP initializes the $PHPSESSID variable, and the code redundantly creates and destroys a session. You can use the following code:

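  // Only attempt to end the session if there
  // is a $PHPSESSID set by the request.
  // Note: PHP only created $PHPSESSID automatically under register_globals
  // (removed in PHP 5.4), so read the session cookie explicitly.
  $PHPSESSID = isset($_COOKIE[session_name()]) ? $_COOKIE[session_name()] : null;
  if(isset($PHPSESSID)) {
    // Escape the ID: it comes from the request and ends up in HTML.
    $message = "<p>End of session (" . htmlspecialchars($PHPSESSID) . ").";
    session_start(  );
    session_destroy(  );
  } else {
    $message = "<p>There was no session to destroy!";
  }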
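Cleaning and destroying a session, as described in the two sections above, are usually done together in a logout script. This is an added example, not code from the original post: it clears the session variables, expires the session cookie in the browser and then destroys the server-side data. end_session() is a hypothetical helper name.

```php
<?php
// Added example: full logout. Must run before any output is sent,
// because it starts a session and sets a cookie header.
function end_session(): bool
{
    // Do not create a session just to destroy it: only proceed
    // if the request actually carried a session cookie.
    if (!isset($_COOKIE[session_name()])) {
        return false;
    }
    session_start();

    // 1. Cleaning: remove every session variable.
    //    (To drop a single value instead, use unset($_SESSION['views']).)
    $_SESSION = [];

    // 2. Expire the session cookie in the browser, reusing the
    //    parameters it was originally set with so that it matches.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(
            session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']
        );
    }

    // 3. Destroying: delete the session data stored on the server.
    session_destroy();
    return true;
}

$message = end_session()
    ? '<p>End of session.'
    : '<p>There was no session to destroy!';
echo $message;
```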

One Response

  1. I found your blog on google and read a few of your other posts. I just added you to my Google News Reader. Keep up the good work. Look forward to reading more from you in the future.
