We've had a few requests for tutorials on what "sessions" are and how they work. So in this tutorial I'll show what they are, how they work and how you can make good use of them.
This tutorial covers sessions in general, but we have used PHP for the code, which is why it is in the PHP category.
What are sessions?
To understand what sessions are and what they're good for, it helps if you've had some experience with a CGI scripting language and have used cookies from time to time. So why do we use cookies? Consider the following.
<?php
$name = 'Ewavez';
?>
What do we do if we wish to carry that variable to another script? Then another script after that? We have to propagate it, right?
<a href="/another_script.php?name=<?php echo urlencode($name); // encode the value for use in a URL ?>">another script</a>
Then re-assign it to $name:
Doing this over and over is tiresome and annoying. So we set a cookie:
setcookie('name', 'Ewavez');
Then we can re-assign the cookie to the variable $name without having to pass it along through the scripts manually. It's available to us in all our scripts, which makes things a lot easier. We now have this variable containing the value we chose, ready for us to use. Yet there's still a snag: what if a user chooses not to accept cookies? This is where sessions come in.
The "Session ID"
When a session is started, each user is assigned a unique "session id". How this session ID is stored depends on whether or not the user accepts cookies.
- If the user accepts cookies, the session ID is stored in a cookie, whose name is pre-determined.
- If the user doesn't accept cookies, the session ID is propagated through each script via the query string or form inputs.
But don't we still have the problem of the no-cookie thing, you ask? Well yes, but... imagine we want to set 20 variables. Propagating all of those from script to script would be really annoying; with sessions we merely pass the one "session id" value. As long as the user has their session id, we can set variables that will then be associated with their session id and available to us.
How it works
When the user's session starts, they're assigned a "session id"; this we know so far. When their session is started, a file is created on the server side. This file contains all the user's session variables and is associated with them by their session id. Session variables are not stored in cookies and they are not propagated through the query string and form inputs; they are stored in a file on the server side. The whole reason we assign them a session id is so we know which file belongs to whom.
John starts a session
He is assigned the session id: 12345678
File created in session folder: sess_12345678
This file now "belongs" to John. If we assign session variables to him, then as long as he has his session id we can associate him with that file, extract the variables from it, and there we have it: variables that can be preserved across multiple requests.
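
The "session id to file" mechanism described above, as an added example that is not code from the original tutorial and not how you would use sessions in practice (PHP does this for you). The demo_* function names and the demo_sessions folder are hypothetical, JSON is used for the file contents as an assumption for readability rather than PHP's own format, and the id is random rather than a short number like the one in John's walk-through.

```php
<?php
// Added illustration: a hand-rolled store that mimics the idea of
// "session id -> file of variables". PHP's real session handler does this
// for you; every demo_* name here is hypothetical.

function demo_new_id(): string
{
    return bin2hex(random_bytes(16));   // 32 hex characters, unpredictable
}

function demo_path(string $dir, string $id): string
{
    // The id comes back from the client, so accept only the shape we issue;
    // anything else (for example "../other") must never reach the filesystem.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id)) {
        throw new InvalidArgumentException('malformed session id');
    }
    return $dir . '/sess_' . $id;
}

function demo_save(string $dir, string $id, array $vars): void
{
    file_put_contents(demo_path($dir, $id), json_encode($vars), LOCK_EX);
}

function demo_load(string $dir, string $id): array
{
    $file = demo_path($dir, $id);
    // An unknown id yields an empty set of variables, never another user's file.
    return is_file($file) ? (json_decode(file_get_contents($file), true) ?? []) : [];
}

// Constructed walk-through: two requests from the same user.
$dir = sys_get_temp_dir() . '/demo_sessions';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);            // readable by the server user only
}

$id = demo_new_id();                    // request 1: John starts a session
demo_save($dir, $id, ['name' => 'Ewavez']);

$vars = demo_load($dir, $id);           // request 2: John presents his id
echo 'Hello ' . $vars['name'] . PHP_EOL;

var_dump(demo_load($dir, demo_new_id()));   // an id we never issued a file for
unlink(demo_path($dir, $id));           // clean up the demo file
```

Whoever presents the id gets the file, which is why the id has to be unpredictable and validated before it is turned into a path.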
Sounds too complex, though
That's the good thing about using sessions with PHP: all this is done for you. All the session stuff is handled by PHP and the web server in the background, making sessions extremely easy to implement. Even if users have cookies off, you can set PHP up to automatically propagate the session id through your scripts for you. It automatically sticks the session ID in your links and in hidden form inputs, preserving the user's session id and thus allowing their file -- containing their variables -- to be associated with them.
Practical Use
If my inane yapping has gotten the basics across to you we can now look at a practical example.
<?php
session_start(); // start session
$_SESSION['name'] = 'Ewavez';
?>
It's as simple as that. We must first start the session using the function session_start(). Once we do that, the user is assigned their session id, which will then be available to scripts via a cookie or through the query string and form inputs. We're then free to assign them values, so if a user then goes to another script we just retrieve the value.
<?php
session_start();
echo 'Hello '.$_SESSION['name'];
?>
To create a session variable just stick it in the $_SESSION array, to retrieve it just drag it from the $_SESSION array. session_start() starts a session for the user.
Remember: You must always use "session_start()" in your script if you want to use the $_SESSION array. session_start() does not only start a user's session, it also continues a current session. session_start() is used to get the user's session ID and associate it with their file, thus loading the variables from the file into $_SESSION. If you do not use session_start(), the $_SESSION values will not be available. This also applies to destroying the session: you must start/resume it before you can destroy it.
<?php
session_start();
unset($_SESSION['name']);
session_destroy();
?>
We can use the unset() function to get rid of session variables, and the session_destroy() function to get rid of the session id altogether, effectively killing the user's session and any variables associated with their session id.
Why, when you log in to a site, do you stay logged in? You have a session. Until this session is destroyed, the username and password you submitted are session variables, which are then used in each script to authenticate your login. When you hit "logout", your session is killed and you must log in again.
With the login system on axion-network I decided not to allow users who don't accept cookies to login. I did this for various reasons. Most of axion-network is HTML compliant and the automatic propagation of the session ID for users with cookies disabled can cause HTML errors. Also the session id existing in the query string poses security risks and can lead to sessions being "stolen". Be advised this is not a limitation of sessions, sessions work with cookies off, it's just me being paranoid.
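
A cookie-only session policy like the one described above, combined with the start/resume-before-destroy rule from earlier, as an added example that is not code from the original tutorial or from axion-network. It assumes PHP 7.3 or later and a site served over HTTPS; start_cookie_only_session(), login() and logout() are hypothetical helper names.

```php
<?php
// Added example: keep the session id out of URLs and forms entirely.
// All three function names are hypothetical helpers.

function start_cookie_only_session(): void
{
    session_start([
        'use_only_cookies' => 1,      // never accept a session id from the URL
        'use_trans_sid'    => 0,      // never rewrite links/forms to carry the id
        'use_strict_mode'  => 1,      // reject ids the server did not issue
        'cookie_httponly'  => 1,      // keep the cookie away from page JavaScript
        'cookie_secure'    => 1,      // send the cookie over HTTPS only (assumed)
        'cookie_samesite'  => 'Lax',  // PHP 7.3+
    ]);
}

function login(string $username): void
{
    // Call only after the submitted credentials have been verified.
    start_cookie_only_session();
    session_regenerate_id(true);      // fresh id at login; old session file removed
    $_SESSION['name'] = $username;
}

function logout(): void
{
    start_cookie_only_session();      // resume first, then destroy
    $_SESSION = [];                   // drop the variables in this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the browser's copy of the session id cookie.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                // remove the server-side session data
}
```

With these settings a visitor who refuses cookies simply gets a new, empty session on every request, so a session id never appears in a link, a referrer header or a server log.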
Remember
- Session variables are not cookies, the session id is (normally).
- We can use sessions to associate a user with a file on the server side which contains their variables.
- We can destroy the users' sessions and kill all associated variables.