Articles: 843 | Categories: 148   
   
   
Home Articles Contact Us
 
Categories
 
Php
Asp.Net
C#
Javascript
Css
 
 
 
News section
 
UT
This site is under testing at the moment so please visit us after a sh...
Testing

Welcome to my siteWelcome to my siteWelcome to my site

 
 
Sessions (0 Comments)
Admin: Posted Date: March 3, 2010

This chapter describes: What is a session. How use session in a PHP script. A session test with 3 scripts. How session ID can be managed without cookies and where is session data stored.

Sessions

This chapter describes:

  • What is a session.
  • How use session in a PHP script.
  • A session test with 3 scripts.
  • How session ID can be managed without cookies.
  • Where is session data stored.

What is a Session?

Session: An abstract concept to represent a series of HTTP requests and responses exchanged between a specific Web browser and a specific Web server. Session concept is very useful for Web based applications to pass and share information from one Web page (request) to another Web page (request).

Since the current design of HTTP protocol does not support session concept, all Web server side scripting technologies, including PHP, have designed their own way to support session concept. The key design element of session support is about how to identify a session and how to maintain the session ID (identification). One common way to maintain the session ID is use the cookie technology. The following diagram shows you how to do this: 

           Server                Browser
ID created  | <-- Request #1  --- |
| --- Response #1 --> | ID kept as cookie
| <-- Request #2  --- | ID send back to server
| --- Response #2 --> |
| <-- Request #3  --- | ID send back to server
| --- Response #3 --> |
|     ......          |

The session concept should be managed by the server. When the first request comes from a browser on a client host, the server should create a new session, and assigns a new session ID. The session ID will be then send back to the same browser as a cookie. The browser will remember this ID, and send the ID back to the server in the subsequent requests. When the server receives a request with a session ID in them, it knows this is a continuation of an existing session.

When the server receives a request from a browser on a new client host (request without a session ID), the server should not only create a new session ID, it should also create a new session object associated with the new session ID. This session object should become the storage place for different requests of the same session to store and share information.

If there is no subsequent request coming back for a long time for a particular session ID, that session should be timed out. After the session has been timed out, if the browser comes back again with the associated session ID, the server should give an invalid session error.

PHP's Session Support

Like JavsServer Page (JSP), PHP manages the session ID with as a cookie, a GET variable, or a POST variable. It offer a built-in array as the session object, and a number of built-in functions to allow the PHP script to interact with the session:

  • $_SESSION - A built-in array to store and share variables for the session.
  • session_start() - A built-in function to create a new session or resume an existing session based on the current session id that's being passed via a request, such as GET, POST, or a cookie.
  • session_name() - A built-in function to set and get the session name.
  • session_id() - A built-in function to set and get the session ID.
  • session_destroy() - A built-in function to destroy all variables stored in $_SESSION.

Session Test Scripts - SessionPageN.php

To help testing the session concept, I wrote 3 PHP scripts.

SessionPage1.php: 

<?php # SessionPage1.php
# Copyright (c) 2002 by Dr. Herong Yang, http://www.herongyang.com/
# 
session_start();
$quantity = 3;
$_SESSION['quantity'] = $quantity;
if (isset($_SESSION['count'])) {
$count = $_SESSION['count'];
} else {
$count = 0;
}
$count++;
$_SESSION['count'] = $count;
#   
print "<pre>\n";
print "\nI am buying $quantity PHP books.\n";
print "\n<a href=SessionPage2.php>Next</a>\n";
print "\nCounter = $count\n";
print "Session name = ".session_name()."\n";
print "Session id = ".session_id()."\n";
# 
print "\nContents of \$_GET:\n";
foreach ($_GET as $k => $v) {
print "   $k = $v\n";
}
# 
print "\nContents of \$_POST:\n";
foreach ($_POST as $k => $v) {
print "   $k = $v\n";
}
# 
print "\nContents of \$_COOKIE:\n";
foreach ($_COOKIE as $k => $v) {
print "   $k = $v\n";
}
print "</pre>\n";
?>

 

SessionPage2.php: 

<?php # SessionPage2.php
# Copyright (c) 2002 by Dr. Herong Yang
# 
session_start();
$quantity = $_SESSION['quantity'];
$price = 9.99;
$_SESSION['price'] = $price;
$count = $_SESSION['count'];
$count++;
$_SESSION['count'] = $count;
#
print "<pre>\n";
print "\nI am buying $quantity PHP books.\n";
print "The unit price is $price per book.\n";
#
print "\n<a href=SessionPage3.php>Next</a> ";
print " <a href=SessionPage1.php>Prev</a>\n";
print "\nCounter = $count\n";
print "Session name = ".session_name()."\n";
print "Session id = ".session_id()."\n";
# 
print "\nContents of \$_GET:\n";
foreach ($_GET as $k => $v) {
print "   $k = $v\n";
}
# 
print "\nContents of \$_POST:\n";
foreach ($_POST as $k => $v) {
print "   $k = $v\n";
}
# 
print "\nContents of \$_COOKIE:\n";
foreach ($_COOKIE as $k => $v) {
print "   $k = $v\n";
}
print "</pre>\n";
?>

SessionPage3.php: 

<?php # SessionPage3.php
# Copyright (c) 2002 by Dr. Herong Yang
# 
session_start();
$quantity = $_SESSION['quantity'];
$price = $_SESSION['price'];
$total = $quantity * $price;
$count = $_SESSION['count'];
$count++;
$_SESSION['count'] = $count;
#
print "<pre>\n";
print "\nI am buying $quantity PHP books.\n";
print "The unit price is $price per book.\n";
print "The total price is $total.\n";
#
print "\n<a href=SessionPage2.php>Prev</a>\n";
print "\nCounter = $count\n";
print "Session name = ".session_name()."\n";
print "Session id = ".session_id()."\n";
# 
print "\nContents of \$_GET:\n";
foreach ($_GET as $k => $v) {
print "   $k = $v\n";
}
# 
print "\nContents of \$_POST:\n";
foreach ($_POST as $k => $v) {
print "   $k = $v\n";
}
# 
print "\nContents of \$_COOKIE:\n";
foreach ($_COOKIE as $k => $v) {
print "   $k = $v\n";
}
print "</pre>\n";
?>

If you run http://localhost/SessionPage1.php, you will get: 

I am buying 3 PHP books.
Next
Counter = 1
Session name = PHPSESSID
Session id = o9oipjgc4r3fqmfk8mlldl5sl5
Contents of $_GET:
Contents of $_POST:
Contents of $_COOKIE:

If click "Next" on the first page, you will be running http://localhost/SessionPage2.php, and you will get: 

I am buying 3 PHP books.
The unit price is 9.99 per book.
Next  Prev
Counter = 2
Session name = PHPSESSID
Session id = o9oipjgc4r3fqmfk8mlldl5sl5
Contents of $_GET:
Contents of $_POST:
Contents of $_COOKIE:
PHPSESSID = o9oipjgc4r3fqmfk8mlldl5sl5

If click "Next" on the second page, you will be running http://localhost/SessionPage3.php, and you will get: 

I am buying 3 PHP books.
The unit price is 9.99 per book.
The total price is 29.97.
Prev
Counter = 3
Session name = PHPSESSID
Session id = o9oipjgc4r3fqmfk8mlldl5sl5
Contents of $_GET:
Contents of $_POST:
Contents of $_COOKIE:

PHPSESSID = o9oipjgc4r3fqmfk8mlldl5sl5

As you can see, the session concept is working. Several points should be noted here:

  • Data can be stored into the session in one page, and retrieve it in another page. For example, the quantity is stored into the session in the first page, and retrieved in the second and third page.
  • The session name is a string defined in the php.ini file.
  • The session ID is created by PHP, and managed as a cookie.
  • You can use the session object to manage a count of pages visited in a particular session. But you can not use the session object to manage a count of pages visited in all sessions. To manage information across versions, you need something called application object provided in Active Server Page (ASP)

Managing Session ID without Cookie

PHP can also manage session IDs without using the cookie technology. To do this, we need to modify \php\php.ini to stop using cookie and start transparent session id: 

session.use_cookies = 0
session.use_trans_sid = 1

Now if you re-run http://localhost/SessionPage1.php, you will get: 

I am buying 3 PHP books.
Next
Counter = 1
Session name = PHPSESSID
Session id = mg04r204ctuloo2uegmih14ri5
Session module = files
Contents of $_GET:
Contents of $_POST:
Contents of $_COOKIE:

If click "Next" on the first page, you will be running http://localhost/SessionPage2.php, and you will get: 

I am buying 3 PHP books.
The unit price is 9.99 per book.
Next  Prev
Counter = 2
Session name = PHPSESSID
Session id = mg04r204ctuloo2uegmih14ri5
Contents of $_GET:
PHPSESSID = mg04r204ctuloo2uegmih14ri5
Contents of $_POST:
Contents of $_COOKIE:

If click "Next" on the second page, you will be running http://localhost/SessionPage3.php, and you will get: 

I am buying 3 PHP books.
The unit price is 9.99 per book.
The total price is 29.97.
Prev
Counter = 3
Session name = PHPSESSID
Session id = mg04r204ctuloo2uegmih14ri5
Contents of $_GET:
PHPSESSID = mg04r204ctuloo2uegmih14ri5
Contents of $_POST:
Contents of $_COOKIE:

A couple of interesting things happened here:

  • If you ask PHP to use transparent session ID management, it will modify all the links to include the session ID as part of the URL. See the source of the first page in the browser, you will see the ULR of "Next" button as href=SessionPage2.php?PHPSESSID=mg04r204ctuloo2uegmih14ri5.
  • The outputs show that now the session ID is stored in $_GET.
  • Since the session ID in the URL field of the browser, everyone can see it. Not so secure.

Where Is Session Data Stored?

Question, where does PHP store the session data? The answer is not so obvious.

Since I am running PHP in CGI mode, PHP pages are running with individual instances of PHP executables. So there is no easy to store session data in memory and share it between PHP pages. If not stored in memory, the session data can be stored on hard disk and share it between PHP pages. Let's see if we can find where the session data is stored on the hard disk.

First run http://localhost/SessionPage1.php again: 

I am buying 3 PHP books.
Next
Counter = 1
Session name = PHPSESSID
Session id = mg04r204ctuloo2uegmih14ri5
Session module = files
Contents of $_GET:
Contents of $_POST:
Contents of $_COOKIE:

Then use Windows find tool to search for file names with "mg04r204ctuloo2uegmih14ri5". No surprise, you will get \windows\temp\sess_mg04r204ctuloo2uegmih14ri5. Open this file in a text editor, you will see: 

quantity|i:3;count|i:1;

The file format is so simple, session data is stored as clear text, with ";" as delimiters. If you want to change where the data is stored, you can modify \php\php.ini with: 

session.save_path = "/tmp"

 

 

 
 
Add a Comment:
 
(You must be signed in to comment on an article. Not a member? Click here to register)
   
Title:

Comments:
 
   
 
 
 
 
 
Expert Authors
 
1268829389Image016.jpg  
1272104937professional.jpg
 
 
Home | About us | Contact us | Advertisement | Terms of use