
How do PHP sessions work? (not "how are they used?")

Tags: php, session

People also ask

How does session work in PHP?

PHP responds by sending a unique token that identifies the current session. This is known as the session ID. In all subsequent requests, the browser sends the session ID to say, "Hey, it's me again." All other data related to the session is stored on the web server. Only the session ID gets passed back and forth.

How does PHP session work without browser cookies?

You can also log in without cookies, using only the session ID and the time, but you have to write them both to your database directly after a successful login. I have something like this in index.php that will always generate a new session ID based on the time and the old session ID if conditions are not verified.

What can I use instead of session in PHP?

The alternative to sessions is cookies (in fact, sessions are usually implemented using cookies). But cookies should only be used if you want to store small amounts of data.

How does PHP keep track of sessions?

The session functions keep track of users by issuing them cookies with randomly generated session IDs. If PHP detects that a user doesn't accept the session ID cookie, it automatically adds the session ID to URLs and forms.


In the general situation:

  • the session id is sent to the user when his session is created.
  • it is stored in a cookie (called, by default, PHPSESSID)
  • that cookie is sent by the browser to the server with each request
  • the server (PHP) uses that cookie, containing the session_id, to know which file corresponds to that user.

The data in the session files is the content of $_SESSION, serialized (i.e., represented as a string, with a function such as serialize); it is unserialized when the file is loaded by PHP, to populate the $_SESSION array.


Sometimes, the session id is not stored in a cookie, but sent in URLs, too -- but that's quite rare, nowadays.


For more information, you can take a look at the Session Handling section of the manual, which gives some useful information.

For instance, there is a page about Passing the Session ID, which explains how the session id is passed from page to page, using a cookie, or in URLs -- and which configuration options affect this.


How Does a PHP Session Work

  • Firstly, PHP creates a 16-byte long unique identifier number (stored as a string of 32 hexadecimal characters, e.g. a86b10aeb5cd56434f8691799b1d9360) for an individual session.

  • The PHPSESSID cookie passes that unique identification number to the user's browser, which saves it.

  • A new file is created on the server, named after the unique identification number with a sess_ prefix (i.e. sess_a86b10aeb5cd56434f8691799b1d9360).

  • The browser sends that cookie to the server with each request.

  • If PHP gets that unique identification number from the PHPSESSID cookie (on each request), then PHP searches in the temporary directory and compares that number to the file name. If both are the same, then it retrieves the existing session; otherwise it creates a new session for that user.

A session gets destroyed when the user closes the browser or leaves the site. The server also terminates the session after the predetermined period of session time expires. These are the simple mechanism steps that PHP is using to handle the session. I hope this article will help you to understand how PHP sessions work.
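The round trip described in the two answers above (ID issued, sess_<id> file written, $_SESSION restored from that file), as an added example that is not part of the original answers. It runs from the PHP CLI, so cookies are switched off and the ID is passed by hand; the temporary directory and the sample data are constructed for the demonstration.

```php
<?php
// Added example: run with `php session_demo.php` (the file name is arbitrary).
// All session calls happen before any output, as session_start() requires.

$dir = sys_get_temp_dir() . '/sess_demo_' . bin2hex(random_bytes(4)); // constructed path
mkdir($dir, 0700);

// The CLI has no browser, so disable the cookie and carry the ID ourselves.
ini_set('session.save_handler', 'files');
ini_set('session.save_path', $dir);
ini_set('session.serialize_handler', 'php');
ini_set('session.use_cookies', '0');
ini_set('session.cache_limiter', '');

// "Request 1": no ID is presented, so PHP generates one.
session_start();
$id = session_id();
$_SESSION['user'] = 'alice';   // constructed sample data
$_SESSION['cart'] = [3, 7];
session_write_close();         // serializes $_SESSION into sess_<id>

$file = $dir . '/sess_' . $id;
$raw  = file_get_contents($file);                 // key|serialized-value pairs
$mode = sprintf('%04o', fileperms($file) & 0777); // permissions of the session file

// "Request 2": the client presents the same ID (normally via the PHPSESSID
// cookie). The ID is the only thing that ties the request to the stored data,
// so anyone holding it gets this session: treat it like a credential.
$_SESSION = [];
session_id($id);
session_start();
$restored = $_SESSION;         // repopulated from the file, not from memory

session_destroy();             // the files handler deletes sess_<id>
$gone = !file_exists($file);
rmdir($dir);

echo "session id : $id\n";
echo "file       : $file (mode $mode)\n";
echo "raw content: $raw\n";
echo "restored   : " . json_encode($restored) . "\n";
echo "removed    : " . var_export($gone, true) . "\n";
```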


The session ID is indeed random, and is passed in a cookie or in the URL, depending on configuration. You might already have seen this PHPSESSID=xxxx in some URLs; there is a cookie by that name too.


Sessions in PHP are started by using the session_start() function. Like the setcookie() function, the session_start() function must come before any HTML, including blank lines, on the page. It will look like this:

    <?php session_start(); ?><html><head> ....... etc

The session_start() function generates a random Session Id and stores it in a cookie on the user's computer (this is the only session information that is actually stored on the client side). The default name for the cookie is PHPSESSID, although this can be changed in the PHP configuration files on the server (most hosting companies will leave it alone, however). To reference the session Id in your PHP code, you would therefore reference the variable $PHPSESSID (it's a cookie name; remember that from Cookies?)