Sessions in PHP

Table of Contents

• Introduction to Sessions
• Starting a Session
• Storing Data in Sessions
• Retrieving Data from Sessions
• Modifying and Unsetting Session Variables
• Destroying a Session
• Session Security Best Practices
• Example: Creating a Login System with Sessions
• Troubleshooting Common Session Issues
• Summary

Introduction to Sessions

In web development, sessions are used to store user-specific data across multiple pages. Unlike cookies, which are stored on the client’s browser, session data is stored on the server and can be used to maintain state between page requests. This is particularly useful for applications that require user authentication, shopping carts, or any scenario where you need to track a user’s actions across different pages.

PHP provides a simple and efficient way to manage sessions through its $_SESSION superglobal. The $_SESSION array allows you to store session data that persists across multiple requests.

Starting a Session

Before you can use session variables in PHP, you need to start a session. This is done using the session_start() function. It should be called at the very beginning of your script, before any output is sent to the browser.

Here’s how to start a session:

<?php
session_start();
?>

• The session_start() function starts a new session or resumes an existing one. If the user has already started a session (for example, after logging in), PHP will continue using the same session for subsequent requests.

Storing Data in Sessions

Once a session is started, you can store user-specific data in the $_SESSION array. This data can be of any type (string, integer, array, etc.) and will persist across page loads until the session is destroyed.

For example, to store the username of a logged-in user:

<?php
session_start();
$_SESSION['username'] = 'JohnDoe';
?>

• $_SESSION['username']: This stores the username in the session data. The session variable will be available on subsequent page requests as long as the session is active.

You can store multiple session variables:

$_SESSION['user_id'] = 123;
$_SESSION['email'] = '[email protected]';

Retrieving Data from Sessions

To retrieve session data, simply access the $_SESSION superglobal using the key you assigned earlier.

For example, to display the username stored in the session:

<?php
session_start();
echo "Hello, " . $_SESSION['username'];
?>

If the $_SESSION['username'] variable is set, the code will display the username. If it’s not set, PHP will return a warning or notice. You can check whether a session variable is set using the isset() function:

if (isset($_SESSION['username'])) {
    echo "Hello, " . $_SESSION['username'];
} else {
    echo "No user is logged in.";
}

Modifying and Unsetting Session Variables

Session variables can be modified by simply reassigning new values to them:

$_SESSION['username'] = 'JaneDoe';  // Modify the session variable

If you no longer need a session variable, you can unset it using the unset() function:

unset($_SESSION['username']);  // Remove the session variable

After calling unset(), the session variable will no longer be available for the current session.

Destroying a Session

To completely destroy a session and remove all session data, you can use the session_destroy() function. However, calling this function does not automatically remove the session variables from the $_SESSION superglobal. To fully clear the session, you should also unset the session variables.

Here’s how to destroy a session:

<?php
session_start();  // Start the session
session_unset();  // Unset all session variables
session_destroy();  // Destroy the session
?>

• session_unset(): This function clears all session variables.
• session_destroy(): This function destroys the session and removes it from the server.

After calling these functions, the user will be logged out, and the session will be terminated.

Session Security Best Practices

Sessions are vulnerable to attacks such as session hijacking, session fixation, and cross-site scripting (XSS). To protect your sessions, here are some best practices:

1. Use HTTPS: Always use HTTPS for your website to ensure that session data is transmitted securely. Without HTTPS, session data can be intercepted via man-in-the-middle attacks.
2. Regenerate Session IDs: To prevent session fixation attacks (where an attacker tries to steal or fix a user’s session ID), you should regenerate the session ID periodically using session_regenerate_id().

session_start();
session_regenerate_id(true);  // Regenerate the session ID

3. Set Secure and HttpOnly Cookies: By default, PHP stores the session ID in a cookie. You can make this cookie more secure by setting the Secure and HttpOnly flags.

session_set_cookie_params([
    'secure' => true,  // Cookie will only be sent over HTTPS
    'httponly' => true,  // Cookie cannot be accessed by JavaScript
]);
session_start();

4. Limit Session Duration: Set a session timeout to limit how long a session can remain active. You can implement this by checking the session start time and comparing it to the current time.

session_start();
$timeout_duration = 3600;  // 1 hour timeout

if (isset($_SESSION['last_activity']) && (time() - $_SESSION['last_activity']) > $timeout_duration) {
    session_unset();  // Clear session variables
    session_destroy();  // Destroy the session
}

$_SESSION['last_activity'] = time();  // Update the last activity time

5. Destroy Session on Logout: Always destroy the session when the user logs out to prevent session hijacking.

session_start();
session_unset();  // Unset session variables
session_destroy();  // Destroy the session
header("Location: login.php");  // Redirect user to the login page
exit();

Example: Creating a Login System with Sessions

Sessions are commonly used in login systems to track whether a user is logged in or not. Here’s a simple example:

login.php – Display Login Form

<form action="login_process.php" method="POST">
    <label for="username">Username:</label>
    <input type="text" name="username" required>
    <label for="password">Password:</label>
    <input type="password" name="password" required>
    <input type="submit" value="Login">
</form>

login_process.php – Process Login and Start Session

<?php
session_start();  // Start the session

// Hardcoded credentials (replace with database check in real-world applications)
$valid_username = 'john';
$valid_password = 'password123';

if ($_POST['username'] == $valid_username && $_POST['password'] == $valid_password) {
    $_SESSION['username'] = $_POST['username'];
    $_SESSION['logged_in'] = true;
    header("Location: welcome.php");
    exit();
} else {
    echo "Invalid credentials.";
}

welcome.php – Display Welcome Message

<?php
session_start();
if (isset($_SESSION['logged_in']) && $_SESSION['logged_in'] == true) {
    echo "Welcome, " . $_SESSION['username'];
} else {
    echo "You must log in first.";
}
?>

logout.php – Destroy Session on Logout

<?php
session_start();
session_unset();
session_destroy();
header("Location: login.php");
exit();

Troubleshooting Common Session Issues

1. Session Not Starting: If session_start() isn’t working, ensure that no output (including whitespace) is sent before it. Outputting anything before session_start() will cause an error.
2. Session Variables Not Being Saved: Check if your session is configured correctly and that cookies are being sent. You can use phpinfo() to check session settings.
3. Session Timeout Issues: If sessions are timing out too quickly or not at all, verify your session.gc_maxlifetime and session.cookie_lifetime settings in your php.ini file.

Summary

In this module, we explored how to use sessions in PHP to store user-specific data across page requests. We discussed starting a session, storing and retrieving data, modifying session variables, and destroying sessions. We also highlighted security best practices such as regenerating session IDs, using HTTPS, and setting secure cookies. Finally, we created a simple login system using sessions and examined troubleshooting tips.