What is a Session?

Session: An abstract concept to represent a series of HTTP requests and responses exchanged between a
specific Web browser and a specific Web server. Session concept is very useful for Web based
applications to pass and share information from one Web page (request) to another Web page (request).

Since the current design of HTTP protocol does not support session concept, all Web server side
scripting technologies, including PHP, have designed their own way to support session concept. The key
design element of session support is about how to identify a session and how to maintain the session ID
(identification). One common way to maintain the session ID is use the cookie technology. The
following diagram shows you how to do this:

Server Browser
ID created | <-- Request #1 --- |
| --- Response #1 --> | ID kept as cookie
| <-- Request #2 --- | ID send back to server
| --- Response #2 --> |
| <-- Request #3 --- | ID send back to server
| --- Response #3 --> |
| ...... |

The session concept should be managed by the server. When the first request comes from a browser on a
client host, the server should create a new session, and assigns a new session ID. The session ID will be
then send back to the same browser as a cookie. The browser will remember this ID, and send the ID
back to the server in the subsequent requests. When the server receives a request with a session ID in
them, it knows this is a continuation of an existing session.

When the server receives a request from a browser on a new client host (request without a session ID),
the server should not only create a new session ID, it should also create a new session object associated
with the new session ID. This session object should become the storage place for different requests of
the same session to store and share information.

If there is no subsequent request coming back for a long time for a particular session ID, that
session should be timed out. After the session has been timed out, if the browser comes back again
with the associated session ID, the server should give an invalid session error.

PHP's Session Support

Like JavsServer Page (JSP), PHP manages the session ID with as a cookie, a GET variable, or a POST
variable. It offer a built-in array as the session object, and a number of built-in functions to allow the
PHP script to interact with the session:

$_SESSION - A built-in array to store and share variables for the session.
session_start() - A built-in function to create a new session or resume an existing session based
on the current session id that's being passed via a request, such as GET, POST, or a cookie.
session_name() - A built-in function to set and get the session name.
session_id() - A built-in function to set and get the session ID.
 session_destroy() - A built-in function to destroy all variables stored in $_SESSION.

Session Test Scripts - SessionPageN.php

To help testing the session concept, I wrote 3 PHP scripts.

SessionPage1.php:

<?php # SessionPage1.php
# Copyright (c) 2002 by Dr. Herong Yang, http://www.herongyang.com/
#
session_start();
$quantity = 3;
$_SESSION['quantity'] = $quantity;
if (isset($_SESSION['count'])) {
$count = $_SESSION['count'];
} else {
$count = 0;
}
$count++;
$_SESSION['count'] = $count;
#
print "<pre>\n";
print "\nI am buying $quantity PHP books.\n";

print "\n<a href=SessionPage2.php>Next</a>\n";

print "\nCounter = $count\n";
print "Session name = ".session_name()."\n";
print "Session id = ".session_id()."\n";
#
print "\nContents of \$_GET:\n";
foreach ($_GET as $k => $v) {
print " $k = $v\n";
}
#
print "\nContents of \$_POST:\n";
foreach ($_POST as $k => $v) {
print " $k = $v\n";
}
#
print "\nContents of \$_COOKIE:\n";
foreach ($_COOKIE as $k => $v) {
print " $k = $v\n";
}
print "</pre>\n";
?>

SessionPage2.php:

<?php # SessionPage2.php
# Copyright (c) 2002 by Dr. Herong Yang
#
 session_start();
$quantity = $_SESSION['quantity'];
$price = 9.99;
$_SESSION['price'] = $price;
$count = $_SESSION['count'];
$count++;
$_SESSION['count'] = $count;
#
print "<pre>\n";
print "\nI am buying $quantity PHP books.\n";
print "The unit price is $price per book.\n";
#
print "\n<a href=SessionPage3.php>Next</a> ";
print " <a href=SessionPage1.php>Prev</a>\n";
print "\nCounter = $count\n";
print "Session name = ".session_name()."\n";
print "Session id = ".session_id()."\n";
#
print "\nContents of \$_GET:\n";
foreach ($_GET as $k => $v) {
print " $k = $v\n";
}
#
print "\nContents of \$_POST:\n";
foreach ($_POST as $k => $v) {
print " $k = $v\n";
}
#
print "\nContents of \$_COOKIE:\n";
foreach ($_COOKIE as $k => $v) {
print " $k = $v\n";
}
print "</pre>\n";
?>

SessionPage3.php:

<?php # SessionPage3.php
# Copyright (c) 2002 by Dr. Herong Yang
#
session_start();
$quantity = $_SESSION['quantity'];
$price = $_SESSION['price'];
$total = $quantity * $price;
$count = $_SESSION['count'];
$count++;
$_SESSION['count'] = $count;
#
print "<pre>\n";
print "\nI am buying $quantity PHP books.\n";
print "The unit price is $price per book.\n";
print "The total price is $total.\n";
#
print "\n<a href=SessionPage2.php>Prev</a>\n";
print "\nCounter = $count\n";
print "Session name = ".session_name()."\n";
 print "Session id = ".session_id()."\n";
#
print "\nContents of \$_GET:\n";
foreach ($_GET as $k => $v) {
print " $k = $v\n";
}
#
print "\nContents of \$_POST:\n";
foreach ($_POST as $k => $v) {
print " $k = $v\n";
}
#
print "\nContents of \$_COOKIE:\n";
foreach ($_COOKIE as $k => $v) {
print " $k = $v\n";
}
print "</pre>\n";
?>

If you run http://localhost/SessionPage1.php, you will get:

I am buying 3 PHP books.

Next

Counter = 1
Session name = PHPSESSID
Session id = o9oipjgc4r3fqmfk8mlldl5sl5

Contents of $_GET:

Contents of $_POST:

Contents of $_COOKIE:

If click "Next" on the first page, you will be running http://localhost/SessionPage2.php, and you will get:

I am buying 3 PHP books.

The unit price is 9.99 per book.

Next Prev

Counter = 2
Session name = PHPSESSID
Session id = o9oipjgc4r3fqmfk8mlldl5sl5

Contents of $_GET:

Contents of $_POST:

Contents of $_COOKIE:
PHPSESSID = o9oipjgc4r3fqmfk8mlldl5sl5

If click "Next" on the second page, you will be running http://localhost/SessionPage3.php, and you will
get:
I am buying 3 PHP books.
The unit price is 9.99 per book.
The total price is 29.97.

Prev

Counter = 3
Session name = PHPSESSID
Session id = o9oipjgc4r3fqmfk8mlldl5sl5

Contents of $_GET:

Contents of $_POST:

Contents of $_COOKIE:
PHPSESSID = o9oipjgc4r3fqmfk8mlldl5sl5

As you can see, the session concept is working. Several points should be noted here:

Data can be stored into the session in one page, and retrieve it in another page. For
example, the quantity is stored into the session in the first page, and retrieved in the second
and third page.
The session name is a string defined in the php.ini file.
The session ID is created by PHP, and managed as a cookie.
You can use the session object to manage a count of pages visited in a particular session. But you
can not use the session object to manage a count of pages visited in all sessions. To manage
information across versions, you need something called application object provided in Active
Server Page (ASP).

Managing Session ID without Cookie

PHP can also manage session IDs without using the cookie technology. To do this, we need to modify
\php\php.ini to stop using cookie and start transparent session id:

session.use_cookies = 0
session.use_trans_sid = 1

Now if you re-run http://localhost/SessionPage1.php, you will get:

I am buying 3 PHP books.

Next

Counter = 1
Session name = PHPSESSID
Session id = mg04r204ctuloo2uegmih14ri5
Session module = files

Contents of $_GET:
Contents of $_POST:

Contents of $_COOKIE:

If click "Next" on the first page, you will be running http://localhost/SessionPage2.php, and you will get:

I am buying 3 PHP books.

The unit price is 9.99 per book.

Next Prev

Counter = 2
Session name = PHPSESSID
Session id = mg04r204ctuloo2uegmih14ri5

Contents of $_GET:
PHPSESSID = mg04r204ctuloo2uegmih14ri5

Contents of $_POST:

Contents of $_COOKIE:

If click "Next" on the second page, you will be running http://localhost/SessionPage3.php, and you will
get:

I am buying 3 PHP books.

The unit price is 9.99 per book.
The total price is 29.97.

Prev

Counter = 3
Session name = PHPSESSID
Session id = mg04r204ctuloo2uegmih14ri5

Contents of $_GET:
PHPSESSID = mg04r204ctuloo2uegmih14ri5

Contents of $_POST:

Contents of $_COOKIE:

A couple of interesting things happened here:

If you ask PHP to use transparent session ID management, it will modify all the links to include
the session ID as part of the URL. See the source of the first page in the browser, you will see the
ULR of "Next" button as href=SessionPage2.php?PHPSESSID=mg04r204ctuloo2uegmih14ri5.
The outputs show that now the session ID is stored in $_GET.
Since the session ID in the URL field of the browser, everyone can see it. Not so secure.

Where Is Session Data Stored?

Question, where does PHP store the session data? The answer is not so obvious.

Since I am running PHP in CGI mode, PHP pages are running with individual instances of PHP
executables. So there is no easy to store session data in memory and share it between PHP pages. If not
stored in memory, the session data can be stored on hard disk and share it between PHP pages. Let's see
if we can find where the session data is stored on the hard disk.

First run http://localhost/SessionPage1.php again:

I am buying 3 PHP books.

Next

Counter = 1
Session name = PHPSESSID
Session id = mg04r204ctuloo2uegmih14ri5
Session module = files

Contents of $_GET:

Contents of $_POST:

Contents of $_COOKIE:

Then use Windows find tool to search for file names with "mg04r204ctuloo2uegmih14ri5". No surprise,
you will get \windows\temp\sess_mg04r204ctuloo2uegmih14ri5. Open this file in a text editor, you will
see:

quantity|i:3;count|i:1;

The file format is so simple, session data is stored as clear text, with ";" as delimiters. If you want to
change where the data is stored, you can modify \php\php.ini with:

session.save_path = "/tmp"

Conclusion

PHP can manage session IDs in two ways: as a cookie and as GET variable.
Managing sessions with cookies is much secure.
Session data is stored on hard disk permanently.
You must call session_start() at the beginning of the PHP script.
Session data is shared in an array called $_SESSION.