Session Management


🎪 PHP Session Management: Your Website’s Memory Box

The Story: Meet the Forgetful Shopkeeper

Imagine a shopkeeper named Sam who runs a candy store. Every time you walk out the door and come back in, Sam completely forgets who you are!

“Who are you? Did you already pick candies? I have no idea!”

That’s exactly how websites work without sessions. Every time you click a link, the website “forgets” you!

Sessions are like giving Sam a notebook. Now when you walk in, Sam writes down:

  • Your name
  • What candies you picked
  • Your favorite flavor

When you come back, Sam checks the notebook and says, “Ah! Welcome back! I see you love chocolate!”


🚀 Session Starting: Opening the Notebook

What Is It?

Before Sam can write anything, he needs to open his notebook. In PHP, we use session_start() to open our memory notebook.

Simple Example

<?php
session_start();
echo "Notebook is open!";
?>

The Magic Rule 🪄

Call session_start() FIRST — before any words appear on the page!

Think of it like this: You must open the notebook before the store opens. If customers are already inside, it’s too late! The technical reason: session_start() sends the session cookie in an HTTP header, and headers can only be sent before the first byte of output. Even a blank line or a space before the opening <?php counts as output and breaks it.

graph TD
    A["User visits page"] --> B{session_start called?}
    B -->|Yes| C["Memory notebook opens"]
    B -->|No| D["User is a stranger every time!"]
    C --> E["Website remembers user"]

Real Life Example

<?php
session_start();

// Now we can remember things!
echo "Session ID: " . session_id();
?>

The session_id() is like a secret ticket number that connects your notebook page to this specific visitor. It travels in a cookie (PHPSESSID by default) and is the only thing linking a browser to its server-side notebook, so anyone who gets hold of it can open that notebook as you. That is why the rest of this page spends so much time protecting it.


📦 Session Variables: What Goes in the Notebook

What Is It?

Once the notebook is open, you can write things inside! Session variables are stored in a special box called $_SESSION.

Simple Example

<?php
session_start();

// Writing in the notebook
$_SESSION['username'] = 'Tommy';
$_SESSION['favorite_candy'] = 'Gummy Bears';

// Reading from the notebook
echo "Hi, " . $_SESSION['username'] . "!";
echo "You love " . $_SESSION['favorite_candy'];
?>

Output:

Hi, Tommy!
You love Gummy Bears

Think of It Like a Labeled Box

Label            What’s Inside
username         Tommy
favorite_candy   Gummy Bears
cart_items       3

Checking Before Reading

What if the notebook page is blank? Always check first!

<?php
session_start();

if (isset($_SESSION['username'])) {
    echo "Welcome back, " . $_SESSION['username'];
} else {
    echo "Hello, new friend!";
}
?>

isset() is like asking: “Did we write anything here yet?”


🗑️ Session Destruction: Closing & Burning the Notebook

What Is It?

Sometimes you need to forget everything. Like when a user logs out — you want to erase all their info from the notebook.

Three Ways to Forget

1. Erase One Thing

<?php
session_start();
unset($_SESSION['username']);
// Just the username is erased
?>

2. Erase Everything on the Page

<?php
session_start();
$_SESSION = [];
// All session data is gone
?>

3. Burn the Whole Notebook (Complete Logout)

<?php
session_start();

// Clear all data
$_SESSION = [];

// Delete the cookie, using the same parameters it was set with;
// if path, domain or the secure flag differ, the browser keeps the old cookie
if (ini_get("session.use_cookies")) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p["path"],
        'domain'   => $p["domain"],
        'secure'   => $p["secure"],
        'httponly' => $p["httponly"],
        'samesite' => $p["samesite"],
    ]);
}

// Destroy the session data on the server
session_destroy();
?>
graph TD
    A["User clicks Logout"] --> B["Clear $_SESSION array"]
    B --> C["Delete session cookie"]
    C --> D["session_destroy"]
    D --> E["User is now a stranger again!"]

When to Use What?

Action               Use Case
unset()              Remove one item (like emptying the cart)
$_SESSION = []       Fresh start, same session ID
session_destroy()    Complete logout (on its own it neither clears $_SESSION for the rest of the request nor removes the cookie, so combine it with the two steps above)

⚙️ Session Configuration: Customizing Your Notebook

What Is It?

PHP lets you change HOW sessions work — like choosing what kind of notebook to use, how long to keep it, and where to store it.

Key Settings

1. Session Lifetime (How Long to Remember)

<?php
// Let idle session data live at least 1 hour before the garbage
// collector is allowed to delete it (must be set before session_start)
ini_set('session.gc_maxlifetime', 3600);
session_start();
?>

Caveat: gc_maxlifetime is not a timeout. It only tells PHP’s garbage collector which idle sessions it may delete, and the collector runs on a small random fraction of requests (session.gc_probability / session.gc_divisor), so stale data can survive well past the hour. If a login must really end after an hour, store a timestamp in $_SESSION and check it yourself on every page.

2. Where Sessions Live

<?php
// Store session files in a custom folder (must exist and be writable
// by the web server user, and by nobody else)
ini_set('session.save_path', '/my/folder');
session_start();
?>

Session files contain everything you put in $_SESSION, serialized as plain text. Keep the folder private (mode 0700, owned by the web server user) and do not share it with other sites: on shared hosting the default /tmp is visible to every other site on the same machine.

3. Cookie Settings

<?php
// Set before session_start(); the array form needs PHP 7.3 or newer
session_set_cookie_params([
    'lifetime' => 3600,      // 1 hour
    'path' => '/',           // Whole website
    'secure' => true,        // HTTPS only
    'httponly' => true,      // No JavaScript access
    'samesite' => 'Strict'   // Same site only
]);
session_start();
?>

'Strict' means the browser will not send the cookie when the user arrives by clicking a link from another site, so they look logged out on that first page. 'Lax' still sends it on such top-level navigations and is the usual compromise; pick 'Strict' when that trade-off is acceptable.

Configuration Summary

Setting           What It Does                                              Example
gc_maxlifetime    Idle time before the garbage collector may delete data    3600 = 1 hour
save_path         Where session files are stored                            /tmp/sessions
cookie_lifetime   How long the cookie lasts                                 0 = until browser closes
cookie_secure     Send the cookie over HTTPS only                           true / false

🔐 Session Security: Protecting Your Notebook

Why Does It Matter?

Imagine if a bad kid could peek at Sam’s notebook or pretend to be you! Session security stops bad guys from stealing your information.

The Dangers

Session hijacking: a bad guy gets hold of your ticket number (for example by reading the cookie with JavaScript injected through XSS, or by sniffing it on plain HTTP) and shows it to Sam, who thinks it’s you.

Session fixation: a bad guy hands you a ticket number they already know, waits for you to log in while holding it, and then uses the same number themselves.

graph TD
    A["Session Dangers"] --> B["Session Hijacking"]
    A --> C["Session Fixation"]
    B --> D["Bad guy steals your ticket"]
    C --> E["Bad guy gives you their ticket"]

Protection Methods

1. Regenerate Session ID (Get a New Ticket)

<?php
session_start();

// After login, get a NEW ticket!
session_regenerate_id(true);
$_SESSION['user_id'] = 123;
?>

Why? If the bad guy knew your old ticket (fixation), the new ticket makes theirs useless! Do it after the password check succeeds and before writing the logged-in state into $_SESSION; the true argument deletes the old session data so the old ID cannot be reused. Setting session.use_strict_mode = 1 (in php.ini, or with ini_set() before session_start()) goes one step further: PHP then refuses any session ID it did not issue itself, so a ticket the bad guy made up is never accepted in the first place.

2. Secure Cookie Settings

<?php
session_set_cookie_params([
    'secure' => true,      // Only send over HTTPS
    'httponly' => true,    // JavaScript can't read it
    'samesite' => 'Strict' // Only your site can use it
]);
session_start();
?>

3. Check the User’s Identity (Weakly)

The fingerprint has to be written once, on the first request of the session, and compared on every later request; storing and comparing it in the same request always matches. Keep in mind that the User-Agent is chosen by the client, so a bad guy replaying a stolen cookie can copy it, and REMOTE_ADDR changes for mobile users, behind NAT, and behind proxies or load balancers (where it may be the proxy’s address). Treat this as an extra signal, never as proof of identity.

<?php
session_start();

// Fingerprint from request properties that should stay stable for one user
$current = hash('sha256',
    ($_SERVER['HTTP_USER_AGENT'] ?? '') .
    ($_SERVER['REMOTE_ADDR'] ?? '')
);

if (!isset($_SESSION['fingerprint'])) {
    // First request of this session: remember the fingerprint
    $_SESSION['fingerprint'] = $current;
} elseif (!hash_equals($_SESSION['fingerprint'], $current)) {
    // Later request from a different-looking client: drop the session
    $_SESSION = [];
    session_destroy();
    die("Something suspicious!");
}
?>

Security Checklist ✅

Protection           How                                 Why
Regenerate ID        session_regenerate_id(true)         Old ticket stops working; beats fixation
Reject unknown IDs   session.use_strict_mode = 1         PHP ignores tickets it never issued
HTTPS only           secure => true                      Browser never sends the ticket over plain HTTP
No JS access         httponly => true                    Script injected by XSS cannot read it
Same site            samesite => 'Strict' (or 'Lax')     Limits cross-site requests carrying the ticket (still use CSRF tokens)
Check fingerprint    Compare user agent (+ IP)           Weak extra signal; easy to copy, breaks for mobile/proxy users
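The configuration and security sections above show each setting and check on its own. The following is an added example, not code from the original page, that puts them into a few hypothetical helper functions (secure_session_start, login_user, current_user, require_login, logout_user). It assumes PHP 7.3 or newer (array form of session_set_cookie_params() and setcookie()), a site served over HTTPS, and timeout values that are illustrative choices. It uses samesite 'Lax' rather than the page’s 'Strict' so that a user following a link from another site stays logged in; 'Strict' works the same way if that trade-off is acceptable.

```php
<?php
// Added example (not from the original page). Hypothetical helpers that
// combine the settings and checks discussed above. Assumes PHP >= 7.3,
// HTTPS, and illustrative timeout values.

declare(strict_types=1);

const IDLE_TIMEOUT     = 15 * 60;   // end the login after 15 min without a request
const ABSOLUTE_TIMEOUT = 8 * 3600;  // and in any case 8 hours after login
const REGEN_INTERVAL   = 10 * 60;   // rotate the session ID every 10 min

function secure_session_start(): void
{
    // Refuse session IDs the server never issued (defeats session fixation)
    ini_set('session.use_strict_mode', '1');
    // Accept the ID only from the cookie, never from the URL
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // gc_maxlifetime is only a hint to the garbage collector, not a timeout;
    // keep it at least as long as the idle timeout enforced below
    ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);

    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: gone when the browser closes
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // no JavaScript access
        'samesite' => 'Lax',    // 'Strict' also drops the cookie on links from other sites
    ]);
    session_start();
}

// Call only after the password check has succeeded
function login_user(int $userId): void
{
    session_regenerate_id(true);   // fresh ID, old data deleted
    $_SESSION = [
        'user_id'    => $userId,
        'login_time' => time(),
        'last_seen'  => time(),
        'last_regen' => time(),
    ];
}

// Returns the logged-in user id, or null (after clearing the session)
// when there is no valid login
function current_user(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['login_time'],
               $_SESSION['last_seen'], $_SESSION['last_regen'])) {
        return null;
    }
    $now = time();
    // Timeouts are enforced here, from timestamps stored in $_SESSION
    if ($now - $_SESSION['last_seen'] > IDLE_TIMEOUT
        || $now - $_SESSION['login_time'] > ABSOLUTE_TIMEOUT) {
        logout_user();
        return null;
    }
    $_SESSION['last_seen'] = $now;
    // Periodic rotation limits how long a stolen ID stays useful
    if ($now - $_SESSION['last_regen'] > REGEN_INTERVAL) {
        session_regenerate_id(true);
        $_SESSION['last_regen'] = $now;
    }
    return (int) $_SESSION['user_id'];
}

// Put at the top of every protected page
function require_login(): int
{
    $uid = current_user();
    if ($uid === null) {
        header('Location: login.php');
        exit;   // header() alone does not stop the script
    }
    return $uid;
}

// Full teardown: data, cookie, server-side session
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Usage on a protected page:
// secure_session_start();
// $uid = require_login();
// Usage in login.php after the credentials check:
// secure_session_start();
// login_user($idFromDatabase);
```

The idle and absolute timeouts live in current_user() rather than in gc_maxlifetime because garbage collection only runs occasionally and is not a deadline. Regeneration on login closes the fixation window; regeneration every few minutes means that a ticket copied by a bad guy expires on its own even if nobody notices the theft.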

🎯 The Complete Picture

Here’s how it all fits together for a secure login:

<?php
// 1. Configure FIRST (before session_start sends the cookie)
session_set_cookie_params([
    'secure' => true,
    'httponly' => true,
    'samesite' => 'Strict'
]);

// 2. Start session
session_start();

// 3. In login.php only, and only after the password check succeeded:
//    new ticket first, then write the logged-in state
session_regenerate_id(true);
$_SESSION['user_id'] = 123;
$_SESSION['username'] = 'Tommy';
$_SESSION['login_time'] = time();

// 4. At the top of every protected page: no user_id means not logged in
if (!isset($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;   // stop here; header() alone does not end the script
}

// Escape anything that came from a user before printing it into HTML
echo "Welcome, " . htmlspecialchars($_SESSION['username']);
?>

🌟 Remember This!

Concept             The Simple Version
session_start()     Open the notebook
$_SESSION           The box where you write things
session_destroy()   Burn the notebook
Configuration       Customize your notebook
Security            Lock your notebook from bad guys

Sessions are your website’s memory. Without them, every page is like meeting a stranger. With them, you can build shopping carts, login systems, and personalized experiences!

You’ve got this! 🚀
