Session Variables
A session variable is a special type of variable whose value is maintained across subsequent web pages. With session variables, user-specific data can be preserved from page to page, delivering customized content as the user interacts with the web application. Session variables normally exist until one of the following criteria is met:
- the user closes the browser window;
- the maximum lifetime allotted to a session on the server is exceeded;
- a PHP function such as session_destroy() is called to free all currently registered session variables.
The problem that session variables have to overcome is that the HTTP protocol used to browse the web is stateless. Each request for a page is completely independent of earlier requests, so if you want subsequent pages to "remember" the name the user entered on your front page, you have to store that information somewhere.
PHP supports a number of custom session handlers. This tutorial begins by introducing the $_SESSION[] global variable. $_SESSION[] is recommended for improved security and code readability. The session functions session_start() and session_destroy() are also introduced. Each is defined below:
- $_SESSION[] - PHP superglobal array variable that contains the variables currently registered to a script's session.
- session_start() - initializes session data. This function must be called before creating a new session variable using $_SESSION[].
- session_destroy() - destroys all data registered to a script's current session.
This tutorial also introduces the PHP "Location" header() function. Although this is an HTTP function and not a session function, it is commonly used to redirect users during existing sessions. The function is defined below:
- header("Location: http://www.domain.com") - header function used to redirect the browser to the URL given in the Location parameter.
The following code block demonstrates how a session variable is initialized.
<?php
session_start();
if (!isset($_SESSION['count']))
{
    // first request in this session: start the counter
    $_SESSION['count'] = 1;
}
else
{
    // later request in the same session: increment the stored value
    $_SESSION['count'] = $_SESSION['count'] + 1;
}
?>
In this example, session_start() is first called to initialize session data. session_start() must be called before creating and assigning values to session variables. Next, an if statement is used to check the value of the session variable "count". If the session variable is not yet set (null or contains no value), it is initialized to 1. Otherwise the value of the session variable is incremented by 1. In this case, the session variable count is used to count the number of visitors. Session variables provide an ideal way of creating page counters since each user represents a unique session.
A session variable may also be created after a user successfully enters the credentials needed to access a restricted site. In this case the session variable contains a value that is passed from page to page indicating that the user has permission to access any resources associated with the site. When the user exits or chooses to "log out", the session variable should be reset. This is accomplished by using session_destroy().
login.php
<?php
session_start(); // must be called before reading, writing or destroying session data on this request
if (isset($_POST['submit']) && $_POST['submit'] == "Login")
{
    //script to check user name and password would be coded here
    //if authentication is successful
    $_SESSION['access'] = "yes";
    header("Location: access.php");
    exit; // stop the script so nothing after the redirect is executed
}
if (isset($_POST['submit']) && $_POST['submit'] == "Log Out")
{
    //if the user decides to exit
    session_destroy();
}
?>
access.php
<?php
session_start(); // load the session data that login.php created
// if the user accesses this page, make sure they have been authenticated through login.php
if (!isset($_SESSION['access']) || $_SESSION['access'] != "yes")
{
    header("Location: login.php");
    exit; // prevent the rest of access.php from being sent to the browser
}
?>
The example above consists of two pages, login.php and access.php. Before a user can view the contents of access.php, they must pass login.php. A session is created to ensure that the user is authenticated. After the user enters a valid username and password, the "Login" button is clicked. The PHP script ensures that the password and user name are correct. Next, a session variable named access is created and assigned a value of "yes". The user is then redirected to access.php. A script on access.php checks to ensure the session exists. If the session does not exist, the header() function is used to redirect the user back to login.php and prevents viewing of the access.php contents.
login.php contains a second script that is used to destroy the session variable by calling session_destroy(). The script is executed after the user clicks the "Log Out" button.
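The login/logout flow above, filled in as a complete added example (this is not the tutorial's own code). It assumes a single constructed user, "alice", whose password hash would normally be loaded from a database; the credential check uses password_verify(), the session id is regenerated when the user's privilege changes so that an id the browser held before login cannot be reused, and logout clears the server-side data and the browser's session cookie before session_destroy(). Both files are shown in one block, separated by comments.

```php
<?php
// ---- login.php ----
session_start();

// Constructed for this example; a real application reads these from storage.
$storedUser = 'alice';
$storedHash = password_hash('correct horse', PASSWORD_DEFAULT);

if (isset($_POST['submit']) && $_POST['submit'] === 'Login') {
    // Only accept scalar form fields; ignore anything that is not a string.
    $user = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

    // Compare the submitted password against the stored hash, never against plaintext.
    if (hash_equals($storedUser, $user) && password_verify($pass, $storedHash)) {
        // Issue a fresh session id on login (privilege change); the old id and
        // its server-side file are discarded.
        session_regenerate_id(true);
        $_SESSION['access'] = 'yes';
        $_SESSION['user']   = $user;
        header('Location: access.php');
        exit; // nothing after a redirect header should run
    }
    // Failed login: do not reveal which of the two fields was wrong.
    $error = 'Invalid username or password.';
}

if (isset($_POST['submit']) && $_POST['submit'] === 'Log Out') {
    $_SESSION = [];                          // clear the in-memory copy
    $p = session_get_cookie_params();        // expire the browser's session cookie too
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();                       // remove the server-side session data
    header('Location: login.php');
    exit;
}
?>

<?php
// ---- access.php ----
session_start();
if (!isset($_SESSION['access']) || $_SESSION['access'] !== 'yes') {
    header('Location: login.php');
    exit;
}
// Escape session data before echoing it into HTML.
echo 'Welcome, ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
?>
```

The `exit` after each header("Location: ...") call matters: a Location header only asks the browser to go elsewhere, and without `exit` PHP keeps executing and sends the protected page body along with the redirect.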
Web applications that use session data may be accessed by multiple users simultaneously. For each user to have their own session, a unique id value must be associated with the session. In PHP, this unique session id value can be retrieved using the session_id() function. A unique session_id() value is maintained for each user and is stored in the PHP/sessiondata subdirectory located on the Web server.
Since the session_id() value is unique for all users, it can be used to identify users without the need to create individual user names and passwords. The session_id() function is defined below:
- session_id() - used to get the id value for the current session.
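Because the session id is the only thing that ties a browser to its server-side data, how that id is issued and how long it stays valid deserve attention. The following added example (not part of the tutorial) shows the cookie settings and the two lifetime rules listed at the top of the page, the browser-close rule and the server-side timeout, and then reads the current id with session_id(). The timeout values and the function name expire_session() are constructed for illustration.

```php
<?php
// Constructed values for this example.
const IDLE_TIMEOUT = 900;    // 15 minutes without a request ends the session
const ABS_TIMEOUT  = 28800;  // 8 hours after creation the session ends regardless of activity

// Cookie attributes must be set before session_start() sends the cookie.
session_set_cookie_params([
    'lifetime' => 0,        // 0 = the cookie is discarded when the browser window is closed
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from document.cookie
    'samesite' => 'Lax',    // not attached to cross-site POST requests
]);
// Server-side garbage collection: idle sessions older than this become eligible for deletion.
ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);
// Only accept ids that this server issued; an id the browser made up is replaced.
ini_set('session.use_strict_mode', '1');

session_start();

// Replace the current session with an empty one under a new id.
function expire_session(): void
{
    $_SESSION = [];
    session_regenerate_id(true);   // new id; the old id's data is deleted
}

$now = time();
if (isset($_SESSION['last_activity']) && $now - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
    expire_session();
}
if (isset($_SESSION['created']) && $now - $_SESSION['created'] > ABS_TIMEOUT) {
    expire_session();
}
$_SESSION['last_activity'] = $now;
$_SESSION['created']       = $_SESSION['created'] ?? $now;

// session_id() returns the identifier carried in the cookie; it is also the name
// under which PHP stores this session's data in the save path.
$id = session_id();
echo 'Session id length: ' . strlen($id) . PHP_EOL;      // the id itself belongs only in the cookie, not in pages or logs
echo 'Session data directory: ' . session_save_path() . PHP_EOL;
?>
```

session_save_path() reports the directory the tutorial refers to (PHP/sessiondata on its server); its contents hold every active user's session data, so the directory should be readable by the web server process only.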