PHP Sessions

HTTP is Stateless

There is nothing in the HTTP protocol that will tie subsequent requests together. This is a common problem faced by web developers when working on sites that require a shopping-cart type of functionality.

Additionally, given Apache's multi-process architecture, subsequent requests from the same user may be handled by different processes.

In larger environments there may also be multiple web servers, with requests either round-robined across them or distributed across the server farm by a load balancer.

When a user first visits our site we have to give them an identifier and ask them nicely to give it back to us when they visit again. Then we tie whatever data we want to have persist across requests to this identifier. This identifier is known as the session ID.

PHP has a number of built-in functions that implement this idea of creating a unique session id for each visitor and associating data with them. There is nothing particularly magical about these functions and you can easily come up with your own system for dealing with sessions.

To start a session use session_start() and to register a variable in this session use the $_SESSION array.


  session_start();                      // start or resume the session
  $_SESSION['my_var'] = 'Hello World';


If register_globals is enabled then your session variables will be available as normal variables on subsequent pages. Otherwise they will only be in the $_SESSION array.

  session_start();                      // resume the session on the next page
  echo $_SESSION['my_var'];

PHP Session Configuration

session.save_handler = files    ; Flat file backend
session.save_path = /tmp        ; where to store flat files
session.name = PHPSESSID        ; Name of session (cookie name)
session.auto_start = 0          ; init session on req startup
session.use_cookies = 1         ; whether cookies should be used
session.use_only_cookies = 0    ; force only cookies to be used
session.cookie_lifetime = 0     ; 0 = session cookie
session.cookie_path = /         ; path for which cookie is valid
session.cookie_domain =         ; the cookie domain 
session.serialize_handler = php ; serialization handler (wddx|php)
session.gc_probability = 1      ; garbage collection prob.
session.gc_divisor = 100        ; If 100, then above is in %
session.gc_maxlifetime = 1440   ; garbage collection max lifetime
session.referer_check =         ; filter out external URLs
session.entropy_length = 0      ; # of bytes from entropy source
session.entropy_file =          ; additional entropy source
session.use_trans_sid = 1       ; use automatic url rewriting
url_rewriter.tags = "a=href,area=href,frame=src,input=src"
session.cache_limiter = nocache ; Set cache-control headers
session.cache_expire = 180      ; expiry for private/public caching

Cache-control is important when it comes to sessions. You have to be careful that end-user client caches aren't caching invalid pages and also that intermediary proxy-cache mechanisms don't sneak in and cache pages on you. When session.cache_limiter is set to the default, nocache, PHP generates a set of response headers that look like this:

HTTP/1.1 200 OK
Date: Sat, 10 April 2016 10:21:59 GMT
Server: Apache/2.22 (Unix) PHP/5.6
X-Powered-By: PHP/5.6
Set-Cookie: PHPSESSID=9ce80c83b00a4aefb384ac4cd85c3daf; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html

Server Farming

By default PHP will store its session data in files on the local filesystem. This obviously won't work in a load-balanced architecture, as requests from the same session can span servers.

You can change the session backend datastore from a script using session_module_name().

  session_module_name("files");  // ASCII files

  session_module_name("mm");     // Shared memory

  session_module_name("user");   // Custom session backend

You can also define your own custom session backend datastore using the session_set_save_handler() function.


  session_set_save_handler("myOpen", "myClose", "myRead", "myWrite", "myDestroy", "myGC");


Destroying a Session (useful in a logout scenario)



$_SESSION['name'] = 'w3clan';

session_destroy();   // Destroys all data stored for the current session.

unset($_SESSION['name']);   // Unsets only the 'name' entry of $_SESSION.


