Using session variables in PHP

HTTP was designed to be as open as possible, and one of the drawbacks of this is that the protocol is stateless, i.e. no variables persist across web requests. When a request for a resource reaches a web server, the server doesn't know or care whether it comes from a user who has already been interacting with the site or from someone arriving for the first time. So if a web site needs to maintain state and share data across pages, plain HTML pages just won't do it. PHP does allow variables to be passed from page to page with a query string such as this:

echo '<a href="next_page.php?name=Dave&job=programmer">next page</a>';

But there's a drawback. The query string is displayed in the address box of the user's browser (and ends up in browser history and server logs), so this isn't secure if sensitive information is being passed. It's also inconvenient to have to build query strings with lots of variables for every URL that leads to another page on the site.

A more elegant and secure solution is available with PHP session variables. Sessions are like server-side cookie files that store variables that can be read from, or written to, by PHP scripts. Each session file is unique to the user request that created it and can only be accessed by subsequent requests from the same user. Let’s take an example of an HTML form that picks up a user’s name and occupation and uses a session file to pass the data to other pages.

The page has an HTML form that invites a user to key in his or her name and occupation. These details will be passed as name-value pairs, called $name and $job to a PHP page that will store them as session variables. The first piece of code on the page, and all other pages that need to access the variables, will be:

<?php session_start(); ?>

This piece of code does one of two things. If the user does not already have a session, it creates a new one; if the user does already have a session, it connects to the existing session file. When a new session is created, PHP session management generates a session identifier consisting of a random 32-hex-digit string and creates an empty session file on the server named sess_ followed by the session identifier. It also sends a Set-Cookie header in the response, which stores a session cookie in the browser whose value is the session identifier. Any subsequent request to the server therefore carries this session identifier, allowing PHP to connect to the appropriate session file.

So to go back to the HTML form page, when the page first downloaded to the user’s browser, an empty session file was created on the server and the user’s browser now has a session identifier. The user fills in the form and clicks the send button. The form variables are sent to the PHP page that will store the variables, and the code will take this form:

<?php
session_start(); // This connects to the existing session
session_register("name"); // Create a session variable called name
session_register("job"); // Create a session variable called job
$HTTP_SESSION_VARS["name"] = $name; // Set name = form variable $name (a register_globals variable, PHP 4)
$HTTP_SESSION_VARS["job"] = $job; // Set job = form variable $job
// Note: session_register() and $HTTP_SESSION_VARS were removed in PHP 5.4; later versions use $_SESSION.
?>

The code above first connects to the existing session (using the session identifier from the user's browser that is included with the request). It then creates two session variables and sets their values to those from the HTML form. When you add a PHP variable to a session file using session_register(), only the name of the variable is written, not its value; therefore $HTTP_SESSION_VARS["name"] = $name has been used here to write the value.

A couple of points to note are that when referring to PHP variables within a session file, the $ sign is not used. However if the variables are used within the rest of the script, the $ sign is used as normal. Once a session variable has been registered it can then be used like any other PHP variable. If we update a session variable within a script there’s no need to specifically update the session file, session management will automatically do this before the script ends. Therefore if at some point we did this:

$name = "myname";

The new value will be written to the session file automatically. In the example script we wrote the value of $name directly to the session file using $HTTP_SESSION_VARS[] because $name already existed (from the HTML form). However, if we want to create a new session variable then all it needs is:

session_register("new_variable");
$new_variable = "whatever";

This new variable will be available to any PHP page that connects to the session using session_start(). Now that we’ve stored the values of the form variables, any PHP page that connects to the session can read them.
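The same form-to-session flow, as an added example that is not the article's own code, written for PHP 7.3+ where session_register() and $HTTP_SESSION_VARS no longer exist and $_SESSION is used instead; the file name session_demo.php and the 64-character limit are assumptions. It reads the form fields explicitly, issues a fresh session identifier before storing anything, and escapes the values when they are displayed on a later request.

```php
<?php
// Added example (not from the original article): the same form-to-session
// flow written for PHP 7.3+, where session_register() and $HTTP_SESSION_VARS
// no longer exist and $_SESSION is used instead. Assumed file name:
// session_demo.php; it shows the form on GET and stores values on POST.

// Cookie attributes are set before session_start() so the browser only sends
// the session identifier over HTTPS and never exposes it to JavaScript
// (the array form of session_set_cookie_params() needs PHP 7.3+).
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start(); // creates a new session or connects to the existing one

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Read the form fields explicitly; nothing arrives as a global variable.
    $name = isset($_POST['name']) && is_string($_POST['name']) ? trim($_POST['name']) : '';
    $job  = isset($_POST['job'])  && is_string($_POST['job'])  ? trim($_POST['job'])  : '';

    if ($name === '' || strlen($name) > 64 || strlen($job) > 64) {
        http_response_code(400);
        exit('name is required; fields are limited to 64 characters');
    }

    // A fresh identifier when data is first stored defeats session fixation:
    // an identifier planted in the browser before the POST is now useless.
    session_regenerate_id(true);

    $_SESSION['name'] = $name; // written to sess_<id> when the script ends
    $_SESSION['job']  = $job;

    header('Location: session_demo.php'); // redirect after POST
    exit;
}

// GET: show what the session holds (escaped for HTML) and then the form.
if (isset($_SESSION['name'])) {
    printf('<p>Stored: %s, %s</p>',
        htmlspecialchars($_SESSION['name'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($_SESSION['job'], ENT_QUOTES, 'UTF-8'));
}
?>
<form method="post" action="session_demo.php">
  <input name="name" placeholder="name">
  <input name="job" placeholder="occupation">
  <button type="submit">send</button>
</form>
```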

If we want to destroy a variable then we can use:

session_unregister("new_variable");

If we want to delete the session file then we can use:

session_destroy();
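The modern equivalents of the two calls above, as an added example that is not the article's code, for PHP 5.4+ where session_unregister() no longer exists; it also shows that session_destroy() on its own deletes the sess_<id> file but leaves the cookie in the browser and $_SESSION populated until the script ends, so a complete logout does all three steps. The function name end_session_completely is an assumption.

```php
<?php
// Added example (not from the original article): removing one value versus
// ending the whole session on PHP 5.4+.
session_start();

// Equivalent of session_unregister("new_variable"): drop one variable only.
unset($_SESSION['new_variable']);

function end_session_completely()
{
    $_SESSION = [];                       // 1. clear the in-memory variables
    if (ini_get('session.use_cookies')) { // 2. expire the browser's session cookie
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // 3. delete the sess_<id> file on the server
}

end_session_completely();
```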

Of course we could have achieved a similar result in this example by using JavaScript cookies, however, PHP sessions have some advantages. Firstly, the session files are on the server, not on the user’s hard drive, so are less easily tampered with. Also, JavaScript cookies require scripting to encode and decode the cookie string – whereas all that’s required with PHP sessions is session_start(), and the variables are available.

Lastly, PHP sessions will work even if the user has cookies disabled.
