Learn how to use sessions in PHP with our comprehensive guide. Discover how to create, read, update, and delete session variables, and how to secure your PHP session data from malicious attacks. Start optimizing your PHP applications today!
While developing or maintaining web applications there is usually a need for data persistence across requests: if we obtain some data at one point, we want it available later. The most obvious and safest place for that is a database. A database gives durability and access control that a session will never provide, and there is a reason for that: session data is short-lived, lives on the web server outside the database (by default as files under session.save_path), and is tied to a session ID that the browser presents on each request, so it is neither a secure store nor something that should exist on the server for a long period of time.
Sessions should not be used for storing extremely sensitive information such as passwords, bank details or personal user data. They are used to control the flow of the web application and to decide what the user is allowed to do in terms of authorization and page access. Sessions are mainly used as access guards for pages: if you logged in earlier, you do not want to log in again to reach your dashboard. Web apps should be smart enough to recognize the user and navigate them accordingly.
A session is essentially a small store of server-side data, keyed by a session ID the browser sends back on every request (normally in a cookie), in which we can hold information in whatever format we deem fit and read it from any page of the web application for a limited period of time. It is often used as a page guard to protect pages from public access.
But how can we do that? Well, it's quite simple. First of all you need to understand that there are certain superglobals in PHP. Superglobals are built-in variables with the $_ prefix, written in capital letters, that are available in every scope without any declaration. Some of them are $_SESSION, $_GET, $_POST and $_SERVER. As you can see, there are multiple superglobals, each made for a specific purpose: $_GET holds the query-string parameters of a request, $_POST the submitted form body, $_SERVER the server and request environment (headers, paths, script name) and $_SESSION whatever we instruct it to hold. Let's first create a session. Suppose that the user entered their details on the login page and the data was accepted and passed all the necessary validations.
    // $user stands in for the result of validating the submitted credentials.
    // Store only what later pages need (here the e-mail), never the password.
    $user = array('email' => 'artisan@php-artisan.com');
    if (isset($user)) {
        session_start();
        session_regenerate_id(true);   // fresh ID after login, so a pre-login ID cannot be reused (session fixation)
        $_SESSION['user'] = $user;
        header('Location: dashboard.php');
        exit;                          // stop here; code after a redirect must not keep running
    } else {
        echo 'There has been an error.';
    }
What do you need in order to use the Session
First things first. Before we can use the superglobal to create a key-value pair with our data, we need to call session_start(). This routine reads the session ID from the request cookie (or issues a new one), loads the stored data into $_SESSION and sends the session cookie, so it must run before any output is sent to the browser. It is reasonable to call it inside the code block that actually populates the session, as above: there is a possibility that the condition will be false, and we do not want an empty session to be created for a request that never logged in. Once we have set up the session, we usually want to redirect the user to the corresponding page of choice. We do this with header('Location: ...') followed by exit, because header() only adds a response header and the rest of the script would otherwise continue to run and be sent.
What if the user now closes the dashboard page and navigates the web for a period of time? In case the user returns we need to know whether they have already logged in, so we can move them directly to the main page. We also need to make sure that no other user can access the corresponding URL without first logging into the application. What we need here is what we call a page guard. To create a page guard we just need to check for the $_SESSION['user'] record that we set up earlier on.
    session_start();
    if (!isset($_SESSION['user'])) {
        header('Location: login.php');
        exit;   // without exit the page body below would still be rendered and sent to the browser
    }
    $user_data = $_SESSION['user'];
    echo 'Email: ' . htmlspecialchars($user_data['email'], ENT_QUOTES, 'UTF-8');
If the key 'user' doesn't exist in the $_SESSION superglobal, it means that either the session has expired or the user is not logged in. When the condition is true, we redirect the user to the login page and stop; otherwise we copy the session data into a variable so we can display it on the page. But what happens when the user wants to log out? That's the easiest case to account for. You only need to start the session, clear its data, destroy it (session_destroy() alone removes the server-side data but neither empties $_SESSION nor deletes the cookie, so do those explicitly) and then send the user on their merry way.
    session_start();
    $_SESSION = [];                                   // clear the data held in memory
    $p = session_get_cookie_params();                 // expire the session cookie in the browser
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();                                // remove the server-side session data
    header('Location: home.php');
    exit;
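Putting the three steps together (login, page guard, logout) in one helper file, as an added example that is not part of the original article: it keeps the same $_SESSION['user'] key but adds the hardening a practitioner would want, namely cookie flags, strict session IDs, ID regeneration on login, idle and absolute timeouts, and exit after every redirect. The file name session_guard.php, the function names, the timeout values and the assumption that the login page has already verified the password are all mine; it needs PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// session_guard.php: hardened login / page-guard / logout helpers.
// Added example, not the article's code. File, function and constant names are assumptions.
declare(strict_types=1);

const SESSION_IDLE_LIMIT     = 1800;  // 30 min without a request ends the session
const SESSION_ABSOLUTE_LIMIT = 28800; // 8 h after login the user must re-authenticate regardless

function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie flags: not readable by JavaScript, only sent over HTTPS, not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject session IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_start();

    // Expire idle or old sessions on the server; the browser's cookie lifetime is not trusted.
    $now = time();
    $idle = isset($_SESSION['last_seen']) && ($now - $_SESSION['last_seen']) > SESSION_IDLE_LIMIT;
    $old  = isset($_SESSION['login_at'])  && ($now - $_SESSION['login_at'])  > SESSION_ABSOLUTE_LIMIT;
    if ($idle || $old) {
        logout_session('login.php'); // exits
    }
    $_SESSION['last_seen'] = $now;
}

function login_session(int $userId, string $email): void
{
    // A new ID after authentication defeats session fixation: an attacker who planted
    // a known ID in the victim's browser before login does not learn the post-login one.
    session_regenerate_id(true);
    $_SESSION['user']      = ['id' => $userId, 'email' => $email]; // identifiers only, never the password
    $_SESSION['login_at']  = time();
    $_SESSION['last_seen'] = time();
}

function require_login(string $loginUrl = 'login.php'): array
{
    if (!isset($_SESSION['user'])) {
        header('Location: ' . $loginUrl);
        exit; // without this the rest of the protected page would still be rendered and sent
    }
    return $_SESSION['user'];
}

function logout_session(string $redirect = 'home.php'): void
{
    $_SESSION = [];                                   // clear the data in memory
    if (ini_get('session.use_cookies')) {             // expire the cookie in the browser
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                                // remove the server-side data
    header('Location: ' . $redirect);
    exit;
}

// Usage (assumed file layout):
//   login.php, after password_verify() against the stored hash succeeded:
//       require 'session_guard.php'; secure_session_start();
//       login_session($row['id'], $row['email']); header('Location: dashboard.php'); exit;
//   dashboard.php (guarded page):
//       require 'session_guard.php'; secure_session_start();
//       $user = require_login();
//       echo 'Email: ' . htmlspecialchars($user['email'], ENT_QUOTES, 'UTF-8');
//   logout.php:
//       require 'session_guard.php'; secure_session_start(); logout_session();
```

secure_session_start() has to be the first thing each page calls, before any HTML is echoed, because both the session cookie and the Location redirects are response headers. The 'secure' flag means the cookie is never sent over plain HTTP; on a development server without TLS you would temporarily set it to false, never in production.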