$_SESSION is a special array used to store information across the page requests a user makes during his visit to your website or web application. The most fundamental way to explain what a session is to imagine the following scenario:

You are working with an application. You open it, make some changes, and then you close it.

That is a session in it’s simplest form.

The example scenario is reminiscent of the process that happens when using a login system. The process can be extremely complicated or incredibly simple, as long as there is a value that persists between requests. Information stored in the session can be called upon at any time during the open session.

While there may be many users accessing the site at the same time, each with his own session, it’s thanks to unique IDs assigned and managed by PHP for each session that allows each user’s session to be available only to himself. Session information is stored on the server rather than the user’s computer (as cookie data is stored), which makes sessions more secure than traditional cookies for passing information between page requests.

In this article, we’ll give you the low down on using sessions in PHP – how to create them, how to destroy them, and how to make sure they remain secure.

Using Sessions

Before you can to store information in a session, you have to start PHP’s session handling. This is done at the beginning of your PHP code and must be done before any text, HTML, or JavaScript is sent to the browser. To start the session, you call the session_start() function in your first file:

// start them engines!
session_start();
// store session data
$_SESSION["username"] = "John Doe";

session_start() starts the session between the user and the server and allows values stored in $_SESSION to be accessible in other scripts later on.

In your second file, you call session_start() again which this time continues the session, and you can then retrieve values from $_SESSION.

// continue the session
session_start();
// retrieve session data
echo "Username = " . $_SESSION["username"];

This example is a very basic demonstration of storing and retrieving data in a session. In the first script, the value “John Doe” was associated with the key “username” in the $_SESSION array. In the second script, the information was requested back from the $_SESSION array using the key. $_SESSION allows you to store and retrieve information across the page requests of a user’s active browsing session.

Ending a Session

As important as it is to begin a session, so it is to end one. Even though a session is only a temporary way to store data, it is very important to clean up after yourself to ensure maximum security when dealing with potentially sensitive information. It is also good practice and will avoid having a huge amount of stale session data sitting on the server.

To delete a single session value, you use the unset() function:

session_start();
// delete the username value
unset($_SESSION["username"]);

To unset all of the session’s values, you can use the session_unset() function:

session_start();
// delete all session values
session_unset();

Both examples only affect data stored in the session, not the session itself. You can still store other values to $_SESSION after calling them if you so choose. If you wish to completely stop using the session, for example, a user logs out, you use the session_destroy() function.

session_start();
// terminate the session
session_destroy();

We highly recommended that when you are sure you no longer need the session that you destroy it using session_destroy(), rather than just unsetting all of its values with session_unset(). If you just unset all the value, the session itself is still active and malicious code could give those sessions harmful values.

That is sessions, in a nutshell, the very basic but very powerful functionality within PHP that provides an elegant solution to the problem of passing data between web pages.

Session Security Tips

Despite its simplicity, there are still many ways using sessions can go wrong. Here is a quick overview of some security techniques you can use to ensure you are using sessions safely.

Session Time-Out

Timing-out sessions is a very important action if you are dealing with users logged in to your website or application. If a user logs in to your site in an Internet café and then leaves the computer and café without logging out, how do you stop the next user on that computer from still having access to the previous user’s session? Well, you can use the following code:

session_start();
// set time-out period (in seconds)
$inactive = 600;

// check to see if $_SESSION["timeout"] is set
if (isset($_SESSION["timeout"])) {
    // calculate the session's "time to live"
    $sessionTTL = time() - $_SESSION["timeout"];
    if ($sessionTTL > $inactive) {
        session_destroy();
        header("Location: /logout.php");
    }
}

$_SESSION["timeout"] = time();

The code ensures that if there is no activity for more than 600 seconds (10 minutes) the request is redirected to the logout page which would successfully log out the user.

Regenerate the Session ID

The session_regenerate_id() function creates a new unique-ID for to represent the current user’s session. This should be regenerated time any important authentication action is performed, such as logging in or updating user profile data. Giving the sessions a new ID after such actions make your application more secure by reducing the risk of a specific attack known as “Session Hijacking.”

session_start();

if ($_POST["username"] == "admin" && $_POST["password"] == sha1("password")) {
    $_SESSION["authorized"] = true;
    session_regenerate_id();
}

Destroy Sessions

As I previously mentioned, you should use session_destory() once you don’t need to use the session anymore. This stops attackers from hijack the stale session, again increasing the session-related security of your website.

Use Permanent Storage

Use a database to store data at the earliest moment you know the data will be persistent; don’t let it stay as part of the session for too long as this opens it up to possible attack. Really think about whether the data belongs should be stored in $_SESSION because session data is meant to be transient.

If you have any issue, let us know in the comment box.
Happy Coding.