PHP Sessions

Why you’ll use session?

From the PHP cookie lesson, you learnt that after web server sends back the file the browser asked for, the transaction completes and both web browser and web server forget about that. Like cookie, session is used to keep track of what a visitor is doing, which pages he is browsing, which items he is selecting in the cart etc.


How session works

  1. When a visitor wants to visit a php page, the web browser requests that page to the web server.
  2. The web server checks if the request includes a session ID. If it doesn’t, the web server starts a new session and assigns it a unique id (a long random hexadecimal number). Web server also creates a session file on the server with that session id as the name of the file. At this stage, information about the visitor can be saved in the session file. At last, the web server sends back the requested php page including this session id to the browser as cookie.
  3. The web browser saves this session id in the client’s system. From the next time, the browser requests a page to that web server, it includes the session id.
  4. After getting a request from the browser, the web server checks if it includes a session id. This time it does, and the web server finds and accesses the session file using that session id. The information inside the session file can be accessed across different pages as long the session last. Thus, session keeps track of a visitor.


Why you’ll use session over cookie

Session is more secured than cookie: When using session, visitor’s data are stored in the server on the other hand, when using in cookie, data are stored in the visitor’s system.

Session is a sure process: If visitor turns off the cookies, there is no way to track a visitor using cookie, on the other hand, session can track a user even though the cookie is turned off.

Session can store more data: You can store more information about a visitor in a session than in a cookie.


Starting a session variable

To start a PHP session, use session_start() function. See the following example-


When php interpreter finds session_start() function, it performs two things –

  1. First, it checks the browser’s request to find any existing session id. If it does, using the session id the interpreter finds the corresponding session file in the server and resumes the previously opened session. It retrieves information from the file and assigns to the $_SESSION superglobal associative array.
  2. If there is no existing session id in the request, php interpreter starts a new session – creates a session id and assign a session file named with that same session id in the web server, then, at last sends that session id to the browser.

When a session is created using session_start(), the server sends back the session id as cookie to the browser. So, it must be the first line before attempting to send any data to the browser. Even there can’t be any blank space before this function. In the above example, session_start() function is written before HTML element starts.

Setting/Registering session variables

In the previous section, when we started a session using session_start() function. It creates a session file in the server, but, at this stage, these are no data inside the session file about the visitor. So, let’s store some information about the visitor in that file.

Information about a visitor is stored in the session file as variables. A session variable is set or register using superglobal variable $_SESSION which is an associative array. As the rule of associative array, the key of the array name is the name of the variable and the value is what you want to assign inside that variable.

The following example shows how to store visitor name in the session file-

$_SESSION[“Name”] = “Neil”;

So, in the session file you’ll find a variable named “Name” and its value as “Neil”.


Accessing session variables

Before accessing session variables, first you’ve to start session. Then, mention the key of the $_SESSION associative array to retrieve its associative value. In the following you’ll see how to retrieve “Name” variable that we stored in the previous section-

$visitor_name = $_SESSION[“Name”] ;
echo “Visitor’s name is $visitor_name.”;

Visitor’s name is Neil.

As a nature of superglobal variable, you can access $_SESSION variables anywhere in the script after declaring.


Deleting session variables

You have to start session before deleting session variables. You can delete a session variable individually or all at once.

(1). To delete an individual session variable from the session file, mention the variable name as parameter in the use unset() function. See the following example-

unset($_SESSION[“Name”] );
echo “Session variable doesn’t exist.”;

Session variable doesn’t exist.

(2). To unset all the session variables at once, just reset the $_SESSION variable like following-

$_SESSION = array();


Deleting all session data

Unset will only remove the session data from the session file. To delete all the session data, you’ve to remove 2 things-

(1). To remove all the data from the server including the session id and the session file, use session_destroy() function. As usual, before using this function, you must start session. See the following example how to remove all session data from the server-


(2). Then, remove the session id cookie that is existed in the client’s system. If you don’t do it, next time visitor try to access this page, the browser will send the session id to the server and the web server will create a session with the same id. The following example shows how to remove session id from the client’s system using setcookie() function-

setcookie(session_name(), ‘’, strtotime(-1 day));

The setcookie() function above will send a cookie with the name same as the session name. The negative expire date in the second parameter ensure to expire the cookie from the visitor’s system.

So, there are three steps involve to delete a session completely-

  1. Delete all session variables from the session file
  2. Delete session file and session id.
  3. Delete session id from the visitor’s browser.