Session Control  
documentation PHP  Base Library
 
Session control is used to track a user during a single session on a web site.

It is useful for:

  • user authentication
  • shopping carts

 

Session ID: a unique random number generated by PHP and maintained on the client's machine as a cookie, or passed through the URL, for the lifetime of the session.

The session ID (a key) is used to keep track of session variables.

A file (either a flat file or a db file) is stored on the server to record the session variables.

Implementing a Session
  • Start a session
  • Register session variables
  • Use session variables
  • Deregister session variables
  • Destroy the session
Start a session
Three ways to start a session

1. session_start( );

  • checks if there is a session and creates one if none exists.
  • it is a good idea to put this in all scripts that use session control

2. session_register("variable_name");

  • used to register session variables; this also begins a session

3. session.auto_start option

  • automatically starts a session when someone comes to your site.  Must be configured in the php.ini file.
Register session variables
Session variables are stored in the global array $_SESSION (PHP 4.1) and in $HTTP_SESSION_VARS.

To set a variable, just set the array value:

$_SESSION["variableName"] = 8;

$HTTP_SESSION_VARS["variableName"] = 8;

or

$variableName = 8;

session_register("variableName");

Use session variables
To bring the session variables into scope you must start a session:

session_start( );

access the variables via the array:

$_SESSION["variableName"]

$HTTP_SESSION_VARS["variableName"]
 

Check whether a session variable is registered:

$result = session_is_registered("variableName");  // returns true or false

It is better to do it as follows:

   if (isset($HTTP_SESSION_VARS["variableName"])) ...

Deregister session variables
Deregister all session variables:

session_unset( );

 

Deregister an individual variable:

unset($HTTP_SESSION_VARS["variableName"]);

Destroy the session ID
After all variables have been deregistered, clean up the session ID:

session_destroy( );

 

Simple example: three web pages written in PHP:

page1:

  • start the session
  • register the session variable

page2:

  • access the session variable
  • deregister the session variable

page3:

  • destroy the session

 

  page1.php :
 

<?php
  session_start();

  $HTTP_SESSION_VARS['sess_var'] = "Hello world!";

  print("page 1: <br /> \n");
  print("The content of \$HTTP_SESSION_VARS[sess_var] is ");
  print($HTTP_SESSION_VARS['sess_var']);
  print("<br />");
?>
<a href="page2.php">Next page</a>


  page2.php :
 

<?php
  session_start();

  print("page 2: <br /> \n");
  print("The content of \$HTTP_SESSION_VARS[sess_var] is ");
  print($HTTP_SESSION_VARS['sess_var']);
  print(" <br />");

  unset($HTTP_SESSION_VARS['sess_var']);
?>
<a href="page3.php">Next page</a>


  page3.php :
 

<?php

  session_start();

  print("page 3: <br /> \n");
  print("The content of \$HTTP_SESSION_VARS[sess_var] is ");
  print($HTTP_SESSION_VARS['sess_var']);
  print(" <br />");

  session_destroy();
?>


 

User Authentication using session variables:
Three web pages written in PHP:

authmain:

  • start the session
  • check if user is signed on
  • if not then show form with sign-on
  • otherwise look up the username in the db table and check the password
  • if the username and password match - set session variable

members_only:

  • check session variable
  • if set then show member stuff
  • if not show error message

logout:

  • unset session variable
  • destroy session
  • print appropriate message

 

  authmain.php

  <click here for php code>
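
The authmain steps listed above, written out as an added example; this is not the page's linked authmain.php. It assumes PHP 7.3 or later and uses $_SESSION, a constructed in-memory user table in place of the db lookup, and hypothetical form field names userid and password. It also keeps the session ID out of the URL and issues a new ID at login.

```php
<?php
// Added example, not the page's authmain.php. Assumes PHP 7.3+.
// Constructed sample user table standing in for the db lookup; a real
// table stores hashes created once with password_hash(), not per request.
$users = ['alice' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT)];

// Harden the session before it starts (options are session.* directives).
session_start([
    'use_strict_mode'  => 1,     // reject session IDs the server did not issue
    'use_only_cookies' => 1,     // never accept the session ID from the URL
    'cookie_httponly'  => 1,     // hide the cookie from JavaScript
    'cookie_secure'    => 1,     // HTTPS only; the cookie is not sent over plain HTTP
    'cookie_samesite'  => 'Lax',
]);

function check_login(array $users, string $name, string $password): bool
{
    // password_verify() compares against the stored hash in constant time
    return isset($users[$name]) && password_verify($password, $users[$name]);
}

$name = $_POST['userid'] ?? null;     // hypothetical form field names
$pass = $_POST['password'] ?? null;
if (!isset($_SESSION['valid_user']) && is_string($name) && is_string($pass)) {
    if (check_login($users, $name, $pass)) {
        session_regenerate_id(true);  // new ID at login, old one deleted
        $_SESSION['valid_user'] = $name;
    } else {
        $error = 'Could not log you in.';
    }
}
?>
<html>
<body>
<h1>Home page</h1>
<?php if (isset($_SESSION['valid_user'])): ?>
  <p>You are logged in as <?= htmlspecialchars($_SESSION['valid_user'], ENT_QUOTES, 'UTF-8') ?></p>
  <a href="logout.php">Log out</a>
<?php else: ?>
  <?php if (isset($error)) print("<p>$error</p>"); ?>
  <form method="post" action="">
    Userid: <input type="text" name="userid">
    Password: <input type="password" name="password">
    <input type="submit" value="Log in">
  </form>
<?php endif; ?>
<a href="members_only.php">Members section</a>
</body>
</html>
```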
 

  members_only.php
 
<?php
  session_start();

  print("<h1>Members only</h1>");

  // check session variable

  if (isset($HTTP_SESSION_VARS['valid_user']))
  {
    print("<p>You are logged in as ");
    print("$HTTP_SESSION_VARS[valid_user]</p>\n");
    print("<p>Members only content goes here</p>\n");
  }
  else
  {
    print("<p>You are not logged in.</p>");
    print("<p>Only logged in members may see this page.</p>");
  }

  print("<a href=\"session_ex2_authmain.php\">Back to main page</a>");
?>

 

  logout.php
 
<?php
  session_start();

  // store to test if they *were* logged in
  $old_user = $HTTP_SESSION_VARS['valid_user'];
  unset($HTTP_SESSION_VARS['valid_user']);
  session_destroy();
?>
<html>
<body>
<h1>Log out</h1>
<?php 
  if (!empty($old_user))
  {
    print("Logged out.<br /> \n");
  }
  else
  {
    // if they weren't logged in but came to this page somehow
    print("You were not logged in, and so have not been logged out.<br />\n"); 
  }
?> 
<a href="session_ex2_authmain.php">Back to main page</a>
</body>
</html>