While you can store data using cookies, they come with security concerns. Since cookies reside on the user's computer, an attacker can easily modify cookie content and so inject untrusted, potentially harmful data into your application; anything read from a cookie must therefore be treated as user input.
Additionally, every time the browser requests a URL from the server, all cookie data for a website is automatically sent to the server within the request. This means if you have stored 5 cookies on a user's system, each 4KB in size, the browser needs to upload 20KB of data each time the user views a page, which can impact your site's performance.
These issues can be mitigated by using PHP sessions. Unlike cookies, PHP sessions store data on the server rather than on the user's computer. In a session-based environment, each user is identified through a unique number called a session identifier or SID. This unique session ID links each user to their own information on the server, such as emails, posts, etc.
Tip: Session IDs are randomly generated by the PHP engine, making them extremely difficult to guess. Additionally, because session data is stored on the server, it doesn't need to be sent with every browser request.
Before you can store any information in session variables, you need to initiate the session. To start a new session, just use the PHP session_start() function. This function will create a new session and generate a unique session ID for the user.
The following PHP code demonstrates how to start a new session:
<?php
// Starting session
session_start();
?>
The session_start() function first checks whether a session already exists by looking for a session ID in the request. If it finds one, meaning the session is already started, it resumes that session and loads its stored data into the session variables. If not, it initiates a new session by generating a new session ID.
Note: You should call the session_start() function at the beginning of your script, before any output is sent to the browser. This is similar to how you handle setting cookies with the setcookie() function.
You can store your session data using key-value pairs in the $_SESSION[] superglobal array. This data remains accessible throughout the session's duration. Take a look at the script below, which initiates a new session and sets two session variables.
<?php
// Starting session
session_start();
// Storing session data
$_SESSION["firstname"] = "Peter";
$_SESSION["lastname"] = "Parker";
?>
To retrieve the session data set in our previous example from any other page on the same web domain, simply start the session again with session_start() and then access the desired data using the corresponding key from the $_SESSION associative array.
<?php
// Starting session
session_start();
// Accessing session data
echo 'Hi, ' . $_SESSION["firstname"] . ' ' . $_SESSION["lastname"];
?>
The PHP code in the above example produces the following output:
Hi, Peter Parker
Note: If you're accessing session data within the same page, there's no need to start the session again since it has already been initiated at the top of the page.
To delete specific session data, unset the corresponding key in the $_SESSION associative array, as demonstrated in the example below:
<?php
// Starting session
session_start();
// Removing session data
if(isset($_SESSION["lastname"])){
unset($_SESSION["lastname"]);
}
?>
However, to completely destroy a session, simply use the session_destroy() function. This function requires no arguments, and a single call will remove all session data.
<?php
// Starting session
session_start();
// Destroying session
session_destroy();
?>
Note: Before using the session_destroy() function to terminate a session, ensure you recreate the session environment if it isn't already initialized by calling session_start(). This ensures there is a session to destroy.
Each PHP session has a timeout value, measured in seconds, that determines how long the session remains active without any user activity. You can modify this timeout duration by adjusting the session.gc_maxlifetime directive in the PHP configuration file (php.ini).
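As an added example that is not part of the original tutorial, the following script combines the functions shown above into a hardened login/logout flow: it sets the session cookie flags before session_start(), enforces an inactivity timeout in the application rather than relying on session.gc_maxlifetime alone, issues a fresh session ID on login, and shows what session_destroy() by itself does not clean up. The login() and logout() functions, the 1800-second limit, and the HTTPS requirement are this example's own assumptions; the credential check that would call login() is not shown.

```php
<?php
// Added example, not part of the original tutorial. Assumes HTTPS and
// PHP >= 7.3 (array form of the cookie functions).
// Reject session IDs the server never issued (so a victim cannot be
// handed a pre-chosen ID), then harden the session cookie.
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'lifetime' => 0,       // cookie dies when the browser closes
    'path'     => '/',
    'secure'   => true,    // HTTPS only
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',   // not sent on cross-site POST requests
]);
session_start();
// Inactivity timeout enforced by the application. session.gc_maxlifetime
// only says when the garbage collector *may* delete idle sessions.
const INACTIVITY_LIMIT = 1800; // seconds; value chosen for this example
if (isset($_SESSION['last_activity'])
    && time() - $_SESSION['last_activity'] > INACTIVITY_LIMIT) {
    logout();        // discard the stale session entirely
    session_start(); // continue with a fresh, anonymous one
}
$_SESSION['last_activity'] = time();
// After a successful login, swap to a new session ID so an ID that was
// known before authentication is never linked to the logged-in user.
function login(string $user): void
{
    session_regenerate_id(true); // true = remove the old session data
    $_SESSION['user'] = $user;
    $_SESSION['last_activity'] = time();
}
// session_destroy() removes the server-side data, but $_SESSION stays
// populated for this request and the browser keeps the cookie: clear both.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```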