How session_start() function works?

Question

Please, explain how session_start() function works.

I don’t understand the sequence of actions when starting a session in php. Try to explain.

HTTP is a client – server architecture. It means that the browser sends its request, the sever processes the request and sends back its answer. Each of these actions has appropriate headers.

I checked (with headers_list()) what headers are sent back by the server with its answer when I want to start session. And among others there is header

Set-Cookie: PHPSESSID=7f4cbf53fbcd4717792447f32da7dba8

It seems that everything is ok, the server gives order to the browser to set the cookie.

But.To start session I have to include the session_start() function in the beginning of the code of the page. So this function is started when the browser begins parsing the page. The browser meets the php opening tag <?php followed by the session_start() function. Immediately it delegates control to the server. And the server only now starts the function. Only when it has already sent the page to the browser with all the headers.

So I don’t understand how server can send Set-Cookie header before the browser starts parsing the page and meets the session_start() function? How it knows that it has to put Set-Cookie header before the command session_start() is executed? Or I misunderstand the process?

Answer 1

I'll answer by using Apache as the server.

When a page is requested to the server, Apache routes it to the proper document.

If that particular document type is associated with a SAPI, control is relegated to that SAPI. In case of PHP scripts, this would usually be PHP's Apache module.

Your PHP is then executed by the SAPI. When you call session_start(), PHP does a few things:

• It checks if the client sent a cookie named after session_name(). That cookie contains the session ID. If it doesn't exist, it creates it with a new session ID.

• It loads the session data associated to that session ID from the session provider (the default provider stores session data in the temp folder of your server as a file containing serialized session data) and makes it available in the $_SESSION super global.

• It registers a shutdown callback to save the session data back through the provider.

Then your script continues its normal execution flow, the output being sent back to Apache to be sent to the client.

Sessions are completely handled by the SAPI. Other than relegating control to the SAPI, Apache does nothing.

Most PHP installations have output buffering on, which stores all output (headers and body) into a buffer till it is flushed to Apache (either explicitly through ob_flush() or implicitly at the end of your script).

If output buffering is on, you may call session_start() anywhere before the first flush since PHP will send headers before the body.

In the case of a new session (when the cookie is sent), it doesn't matter if the client receives the session ID only after page execution: it will have it for the next request. The session ID is the key for restoring your session data. If someone steals your session ID and you do not have server-sode checks, your session data will be compromised.

For more information, feel free to read another one of my answers.