A simple explanation of Sessions in PHP


What is a Session?

A session is a way to establish state for a user across requests. When the browser requests a page from the web server, the server has no idea who you are, whether you are logged in, or whether you have permission to view that page; by itself it only looks up what was requested and sends it back to the browser. A session gives you a way to identify the user. If the user has permission, you can write logic that allows or denies access to the page. You can also control the session's length: if the user performs no activity for a certain time, you can log them out automatically and ask them to log in again.

How do Sessions work?

The first thing to do is to start a session:

session_start();

When you run this PHP built-in function, it checks whether a session has already been started and, if not, starts one. Every time a session is started, a session ID (by default a 32-character hexadecimal string) is generated and a file named after it is created on the server. This file contains all the session variables with their keys and values. Session data is exposed through a superglobal, $_SESSION, an array in which you can store values. For example:

$value = 'val';

$_SESSION[] = $value; // no key given, so there is no name to look the value up by later

You must give the $_SESSION superglobal a key that can later be used to access the value:

$_SESSION['key'] = $value;

Now a session exists, with a key in the superglobal that stores a value. To access the value, read it back into a variable. For example:

$name = $_SESSION['key'];

Every time a request is made, it carries the session ID (that 32-character hexadecimal string) in a cookie, which Apache passes on to the PHP script. PHP prefixes the ID with sess_ and looks for a file of that name in the session save directory on the server. If the file exists, it validates the request by matching the two strings and then reads the file's contents to check for key/value pairs. If the key you specified matches, it returns that value.

When to use Sessions?

Whenever you want to share data across different pages of your site, or restrict parts of the site to users who are logged in, sessions are the tool to use.

How to end a Session?

To end a session, usually at the end of a script or in a logout script when the user logs out, call the function below; the session file will no longer exist on the server:

session_destroy();

If you want to remove a single value without destroying the whole session file, use:

unset($_SESSION['name']); // removes only this key; the session and its file remain

How to secure the Session from hijacking?

To secure the session, run this:

session_regenerate_id(true);

This generates a new session ID and a new session file holding the current data; passing true deletes the old file, so the old ID is no longer valid. Because it invalidates any ID issued before the call, the natural moment to call it is when the session's privilege level changes, for example right after a successful login.

You can also make each session refresh its ID automatically after a set time. For example, the first time a session is started, the code below records the start time in a session variable:

if (!isset($_SESSION['started'])) {
    // first request of this session: remember when it began
    $_SESSION['started'] = time();
} else if (time() - $_SESSION['started'] > 900) {
    // more than 15 minutes old: issue a new ID, delete the old file, restart the clock
    session_regenerate_id(true);
    $_SESSION['started'] = time();
}

If more than 15 minutes (900 seconds) have passed, it regenerates the session ID, keeping the session data but replacing the ID, and then resets the stored time to the current time. The clock starts again, so a session that lasts longer than 15 minutes automatically gets a fresh ID.
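Putting the pieces above together, here is an added example (not code from the original article) of one session lifecycle: hardened cookie settings, the idle timeout and ID rotation described in the text, and a login and logout that regenerate and destroy the session cleanly. It assumes the site runs over HTTPS and PHP 7.3 or later (for the array form of session_set_cookie_params); IDLE_LIMIT, ROTATE_EVERY, login() and logout() are names chosen for this example.

```php
<?php
// Added example, not from the original article: one session lifecycle that
// ties together start, idle timeout, ID rotation and logout. Assumes HTTPS
// and PHP 7.3+ (array form of session_set_cookie_params).

const IDLE_LIMIT   = 900;  // end the session after 15 minutes without a request
const ROTATE_EVERY = 900;  // regenerate the ID at least this often

// Harden the session cookie before session_start() sends it.
session_set_cookie_params([
    'lifetime' => 0,       // session cookie, discarded when the browser closes
    'secure'   => true,    // only sent over HTTPS
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',   // not attached to most cross-site requests
]);
ini_set('session.use_strict_mode', '1'); // reject IDs the server never issued
session_start();
$now = time();

// Idle timeout: a session left untouched for 15 minutes is ended server-side.
if (isset($_SESSION['last_activity']) && $now - $_SESSION['last_activity'] > IDLE_LIMIT) {
    logout();
    exit('Session expired, please log in again.');
}
$_SESSION['last_activity'] = $now;

// Periodic rotation, the check from the article with the call written correctly.
if (!isset($_SESSION['started'])) {
    $_SESSION['started'] = $now;
} elseif ($now - $_SESSION['started'] > ROTATE_EVERY) {
    session_regenerate_id(true); // new ID and file, old file deleted
    $_SESSION['started'] = $now;
}

// Call right after a successful password check: the session gains privileges,
// so an ID handed out before login must stop being valid.
function login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Full logout: clear the data, expire the cookie, then delete the file.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Expiring the cookie in logout() matters because session_destroy() alone removes the server-side file but leaves the browser holding the old ID.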