PHP Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 2.21

Sessions

(Continued from previous part...)

Managing Session ID without Cookie

PHP can also manage session IDs without using cookies. To do this, modify \php\php.ini to stop using cookies and turn on transparent session ID management:

session.use_cookies = 0
session.use_trans_sid = 1

Now if you re-run http://localhost/SessionPage1.php, you will get:

I am buying 3 PHP books.

Next

Counter = 1
Session name = PHPSESSID
Session id = mg04r204ctuloo2uegmih14ri5
Session module = files

Contents of $_GET:

Contents of $_POST:

Contents of $_COOKIE:

If you click "Next" on the first page, you will be running http://localhost/SessionPage2.php, and you will get:

I am buying 3 PHP books.
The unit price is 9.99 per book.

Next  Prev

Counter = 2
Session name = PHPSESSID
Session id = mg04r204ctuloo2uegmih14ri5

Contents of $_GET:
   PHPSESSID = mg04r204ctuloo2uegmih14ri5

Contents of $_POST:

Contents of $_COOKIE:

If you click "Next" on the second page, you will be running http://localhost/SessionPage3.php, and you will get:

I am buying 3 PHP books.
The unit price is 9.99 per book.
The total price is 29.97.

Prev

Counter = 3
Session name = PHPSESSID
Session id = mg04r204ctuloo2uegmih14ri5

Contents of $_GET:
   PHPSESSID = mg04r204ctuloo2uegmih14ri5

Contents of $_POST:

Contents of $_COOKIE:

A couple of interesting things happened here:

  • If you ask PHP to use transparent session ID management, it will modify all the links to include the session ID as part of the URL. If you view the source of the first page in the browser, you will see the URL of the "Next" button as href=SessionPage2.php?PHPSESSID=mg04r204ctuloo2uegmih14ri5.
  • The outputs show that the session ID is now stored in $_GET.
  • Since the session ID is in the URL field of the browser, everyone who can see the URL can see the session ID. Not so secure.
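A session ID carried in the URL is also written to the web server's access log with each request and can be sent onward in the Referer header. The following is an added example, not part of the original tutorial: a small Python audit script that finds such IDs in an access log and flags any ID presented by more than one client address. It assumes the common "combined" log format; the log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = '''\
192.0.2.10 - - [10/Oct/2006:13:55:36 +0000] "GET /SessionPage1.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2006:13:55:41 +0000] "GET /SessionPage2.php?PHPSESSID=mg04r204ctuloo2uegmih14ri5 HTTP/1.1" 200 640 "http://localhost/SessionPage1.php" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2006:13:55:50 +0000] "GET /SessionPage3.php?PHPSESSID=mg04r204ctuloo2uegmih14ri5 HTTP/1.1" 200 700 "http://localhost/SessionPage2.php?PHPSESSID=mg04r204ctuloo2uegmih14ri5" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2006:14:20:02 +0000] "GET /SessionPage2.php?PHPSESSID=mg04r204ctuloo2uegmih14ri5 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
'''

# client address, request URL and Referer are the only fields this audit needs
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+)[^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')


def find_url_session_ids(log_text, session_name="PHPSESSID"):
    """Map each session ID found in a request URL or Referer to who sent it."""
    sid_re = re.compile(r"[?&;]" + re.escape(session_name) + r"=([A-Za-z0-9,-]+)")
    seen = defaultdict(lambda: {"clients": set(), "in_url": 0, "in_referer": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ("url", "referer"):
            for sid in sid_re.findall(m.group(field)):
                seen[sid]["clients"].add(m.group("ip"))
                seen[sid]["in_" + field] += 1
    return seen


def report(log_text):
    """Summarise findings with the ID redacted so the report does not re-leak it."""
    return [{
        "sid": sid[:4] + "...",
        "clients": sorted(info["clients"]),
        "in_url": info["in_url"],
        "in_referer": info["in_referer"],
        # One ID presented by several client addresses deserves a look:
        # the URL may have been shared, bookmarked or forwarded.
        "multi_client": len(info["clients"]) > 1,
    } for sid, info in find_url_session_ids(log_text).items()]


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)
```
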

Where Is Session Data Stored?

Question: where does PHP store the session data? The answer is not so obvious.

Since I am running PHP in CGI mode, each PHP page runs in its own instance of the PHP executable. So there is no easy way to store session data in memory and share it between PHP pages. If it is not stored in memory, the session data can be stored on the hard disk and shared between PHP pages. Let's see if we can find where the session data is stored on the hard disk.

First run http://localhost/SessionPage1.php again:

I am buying 3 PHP books.

Next

Counter = 1
Session name = PHPSESSID
Session id = mg04r204ctuloo2uegmih14ri5
Session module = files

Contents of $_GET:

Contents of $_POST:

Contents of $_COOKIE:

Then use the Windows find tool to search for file names containing "mg04r204ctuloo2uegmih14ri5". No surprise, you will get \windows\temp\sess_mg04r204ctuloo2uegmih14ri5. Open this file in a text editor, and you will see:

quantity|i:3;count|i:1;

The file format is very simple: session data is stored as clear text, with ";" as delimiters. If you want to change where the data is stored, you can modify \php\php.ini with:

session.save_path = "/tmp"

Conclusion

  • PHP can manage session IDs in two ways: as a cookie and as a GET variable.
  • Managing sessions with cookies is much more secure.
  • Session data is stored on hard disk permanently.
  • You must call session_start() at the beginning of the PHP script.
  • Session data is shared in an array called $_SESSION.

Dr. Herong Yang, updated in 2006