PHP Sessions
Managing user data across pages
🔐 What are PHP Sessions?
Sessions store user information on the server across multiple pages. Unlike cookies, which are stored on the user's computer, session data stays on the server, which makes it more secure for sensitive information such as login status and user preferences. The client only holds the session ID (normally in a cookie), so that ID is what must be protected.
<?php
session_start();
$_SESSION['username'] = "John";
echo "Session started!";
?>
Session Operations
Starting Sessions
Use session_start() at the beginning of every page that needs session access. This function must be called before any output is sent to the browser, because it sets the session cookie in the response headers.
<?php
session_start();
?>
Storing Data
Store values in the $_SESSION superglobal array. Data persists across pages until the session ends or is destroyed. You can store strings, numbers, arrays, and objects.
<?php
$_SESSION['user'] = "John";
$_SESSION['role'] = "admin";
?>
Reading Data
Access session variables through the $_SESSION array. Always check that a variable exists before reading it, to avoid undefined index warnings.
<?php
if (isset($_SESSION['user'])) {
    echo $_SESSION['user'];
}
?>
Destroying Sessions
End a session with session_destroy(), which deletes the session data stored on the server. Useful for logout functionality and clearing user information from the server. The session must be started first; the $_SESSION array and the session cookie remain for the current request unless cleared separately (see Removing Session Variables).
<?php
session_start();
session_destroy();
?>
🔹 Starting a Session
Always start session before using session variables:
<?php
// Start session (must be at the top of page)
session_start();
// Now you can use session variables
$_SESSION['username'] = "JohnDoe";
$_SESSION['email'] = "[email protected]";
$_SESSION['loggedin'] = true;
echo "Session started and variables set!";
?>
Important Rules:
- Call session_start() before any HTML output
- Call it on every page that needs session access
- Only call it once per page
- Session data is stored on the server, not the client
🔹 Storing Session Variables
Save different types of data in sessions:
<?php
session_start();
// Store string
$_SESSION['name'] = "Alice";
// Store number
$_SESSION['age'] = 25;
// Store array
$_SESSION['cart'] = ["item1", "item2", "item3"];
// Store associative array
$_SESSION['user_data'] = [
    'id' => 101,
    'name' => 'Alice',
    'role' => 'admin'
];
echo "All data stored in session!";
?>
🔹 Reading Session Variables
Access session data on any page:
<?php
session_start();
// Check if session variable exists
if (isset($_SESSION['name'])) {
    echo "Hello, " . htmlspecialchars($_SESSION['name']) . "!<br>";
} else {
    echo "No user logged in.<br>";
}
// Display all session variables
echo "<h3>All Session Data:</h3>";
foreach ($_SESSION as $key => $value) {
    // Arrays cannot be echoed directly; show them as JSON instead
    $text = is_array($value) ? json_encode($value) : (string)$value;
    echo htmlspecialchars("$key: $text") . "<br>";
}
?>
Output:
Hello, Alice!
All Session Data:
name: Alice
age: 25
role: admin
🔹 Modifying Session Variables
Update existing session values:
<?php
session_start();
// Original value
$_SESSION['counter'] = 1;
// Update value
$_SESSION['counter'] = $_SESSION['counter'] + 1;
// Or use shorthand
$_SESSION['counter']++;
echo "Counter: " . $_SESSION['counter'];
?>
🔹 Removing Session Variables
Delete specific session variables or all data:
<?php
session_start();
// Remove a specific variable
unset($_SESSION['username']);
// Remove multiple variables
unset($_SESSION['email'], $_SESSION['phone']);
// Remove all session variables (but keep session active)
session_unset();
// Destroy entire session
session_destroy();
echo "Session data removed!";
?>
🔹 Practical Example: Login System
Complete login and logout system using sessions:
🔸 Login Page (login.php)
<?php
session_start();
// Check if already logged in
if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
    header("Location: dashboard.php");
    exit;
}
// Handle login
if (isset($_POST['login'])) {
    $username = (string)($_POST['username'] ?? '');
    $password = (string)($_POST['password'] ?? '');
    // Verify credentials (simplified: a real application compares against a
    // stored password hash with password_verify()). Strict comparison and
    // hash_equals() avoid PHP's loose == comparison and timing differences.
    if ($username === "admin" && hash_equals("pass123", $password)) {
        // Issue a new session ID on login so an ID obtained before
        // authentication cannot be reused (session fixation)
        session_regenerate_id(true);
        $_SESSION['loggedin'] = true;
        $_SESSION['username'] = $username;
        $_SESSION['login_time'] = time();
        header("Location: dashboard.php");
        exit;
    } else {
        $error = "Invalid username or password!";
    }
}
?>
<!DOCTYPE html>
<html>
<body>
<h2>Login</h2>
<?php if (isset($error)) echo "<p style='color:red'>$error</p>"; ?>
<form method="post">
    Username: <input type="text" name="username" required><br>
    Password: <input type="password" name="password" required><br>
    <input type="submit" name="login" value="Login">
</form>
</body>
</html>
🔸 Dashboard Page (dashboard.php)
<?php
session_start();
// Check if user is logged in
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
    header("Location: login.php");
    exit;
}
?>
<!DOCTYPE html>
<html>
<body>
<h2>Dashboard</h2>
<!-- The username came from the login form, so escape it before echoing into HTML -->
<p>Welcome, <?php echo htmlspecialchars($_SESSION['username']); ?>!</p>
<p>You logged in at: <?php echo date("H:i:s", $_SESSION['login_time']); ?></p>
<a href="logout.php">Logout</a>
</body>
</html>
🔸 Logout Page (logout.php)
<?php
session_start();
// Destroy all session data
session_unset();
// session_destroy() does not remove the cookie from the browser; expire it too
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 3600, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
session_destroy();
// Redirect to login
header("Location: login.php");
exit;
?>
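The login page above compares a plain-text password and keeps whatever session ID the visitor arrived with. The following is an added example, not part of the original tutorial, showing how the same login.php / dashboard.php pair can check the password with password_verify() against a stored hash and regenerate the session ID on login. The $users array is a constructed stand-in for a database table (the hash is computed at run time only so the example runs on its own), and the helper names authenticate(), loginUser() and requireLogin() are this example's own choices.

```php
<?php
// Added example (not from the original tutorial): hash-based login helpers.
declare(strict_types=1);

// Constructed user store; in a real application this row comes from a database
// and the hash was produced by password_hash() when the account was created.
$users = [
    'admin' => [
        'password_hash' => password_hash('pass123', PASSWORD_DEFAULT),
        'role'          => 'admin',
    ],
];

/** Return the user record on success, null otherwise. */
function authenticate(array $users, string $username, string $password): ?array
{
    // Verifying against a dummy hash for unknown usernames keeps the response
    // time the same whether or not the username exists.
    static $dummyHash = null;
    $dummyHash ??= password_hash('unused-dummy-password', PASSWORD_DEFAULT);

    $known = isset($users[$username]);
    $hash  = $known ? $users[$username]['password_hash'] : $dummyHash;
    if (!password_verify($password, $hash) || !$known) {
        return null;
    }
    return ['username' => $username, 'role' => $users[$username]['role']];
}

/** Record the login in the session under a fresh session ID. */
function loginUser(array $user): void
{
    // The pre-login session ID must not survive authentication (session
    // fixation); true also deletes the old session data on the server.
    session_regenerate_id(true);
    $_SESSION['loggedin']   = true;
    $_SESSION['username']   = $user['username'];
    $_SESSION['role']       = $user['role'];
    $_SESSION['login_time'] = time();
}

/** Guard for protected pages such as dashboard.php; optionally require a role. */
function requireLogin(?string $role = null, string $loginPage = 'login.php'): void
{
    $loggedIn = !empty($_SESSION['loggedin']);
    $roleOk   = $role === null || (($_SESSION['role'] ?? null) === $role);
    if (!$loggedIn || !$roleOk) {
        header('Location: ' . $loginPage);
        exit;
    }
}

// login.php usage (replaces the "Handle login" block of the tutorial page)
session_start();
if (isset($_POST['login'])) {
    $user = authenticate(
        $users,
        (string)($_POST['username'] ?? ''),
        (string)($_POST['password'] ?? '')
    );
    if ($user !== null) {
        loginUser($user);
        header('Location: dashboard.php');
        exit;
    }
    $error = 'Invalid username or password!';
}

// dashboard.php usage: call requireLogin('admin') after session_start(), then
// echo htmlspecialchars($_SESSION['username']) as in the tutorial page.
```

The dummy-hash branch in authenticate() is deliberate: skipping password_verify() for unknown usernames would make failed logins for non-existent accounts return measurably faster than failed logins for real ones. requireLogin() uses empty() so that a missing key, false and null are all treated as "not logged in".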
🔹 Practical Example: Shopping Cart
Simple shopping cart using sessions:
<?php
session_start();
// Initialize cart if not exists
if (!isset($_SESSION['cart'])) {
    $_SESSION['cart'] = [];
}
// Add item to cart
if (isset($_GET['add'])) {
    $item = (string)$_GET['add'];
    $_SESSION['cart'][] = $item;
    // Escape user-supplied values before echoing them into HTML
    echo "Added " . htmlspecialchars($item) . " to cart!<br>";
}
// Remove item from cart
if (isset($_GET['remove'])) {
    $index = (int)$_GET['remove']; // cart indexes are integers
    unset($_SESSION['cart'][$index]);
    $_SESSION['cart'] = array_values($_SESSION['cart']); // Reindex
    echo "Item removed!<br>";
}
// Display cart
echo "<h3>Shopping Cart</h3>";
if (empty($_SESSION['cart'])) {
    echo "Cart is empty.";
} else {
    foreach ($_SESSION['cart'] as $index => $item) {
        echo htmlspecialchars($item) . " <a href='?remove=$index'>Remove</a><br>";
    }
    echo "<p>Total items: " . count($_SESSION['cart']) . "</p>";
}
?>
<h3>Products</h3>
<a href="?add=Laptop">Add Laptop</a><br>
<a href="?add=Mouse">Add Mouse</a><br>
<a href="?add=Keyboard">Add Keyboard</a>
🔹 Session Configuration
Customize session behavior:
<?php
// These settings must be applied before session_start()
// Set how long idle session data survives on the server (in seconds)
ini_set('session.gc_maxlifetime', 3600); // 1 hour
// Set session cookie lifetime
ini_set('session.cookie_lifetime', 3600);
// Set custom session name
session_name('MyApp');
// Start session
session_start();
// Set session timeout manually
if (isset($_SESSION['last_activity'])) {
    $inactive = time() - $_SESSION['last_activity'];
    if ($inactive > 1800) { // 30 minutes
        session_unset();
        session_destroy();
        echo "Session expired!";
        exit;
    }
}
$_SESSION['last_activity'] = time();
?>
🔹 Sessions vs Cookies
Sessions:
- ✅ Data stored on server (more secure)
- ✅ Can store large amounts of data
- ✅ Better for sensitive information
- ❌ Requires server resources
- ❌ Expires when browser closes (by default)
Cookies:
- ✅ Data stored on client (less server load)
- ✅ Can persist for long periods
- ✅ Works across browser sessions
- ❌ Limited to 4KB per cookie
- ❌ Less secure (visible to user)
🔹 Security Best Practices
Make sessions more secure:
<?php
// Secure cookie settings must be applied before session_start(); after it the
// cookie has already been sent with the old settings
ini_set('session.cookie_httponly', 1); // not readable from JavaScript
ini_set('session.cookie_secure', 1); // HTTPS only
ini_set('session.use_strict_mode', 1); // reject session IDs the server did not issue
session_start();
// Regenerate session ID to prevent fixation attacks (best done on login or any
// privilege change rather than on every request)
session_regenerate_id(true);
// Store user IP and user agent the first time only; overwriting them on every
// request would make the check below always pass
if (!isset($_SESSION['user_ip'])) {
    $_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR'];
    $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
}
// Verify on each request (caveat: the IP check logs out legitimate users whose
// address changes, e.g. on mobile networks or behind rotating proxies)
if ($_SESSION['user_ip'] !== $_SERVER['REMOTE_ADDR'] ||
    $_SESSION['user_agent'] !== ($_SERVER['HTTP_USER_AGENT'] ?? '')) {
    session_unset();
    session_destroy();
    die("Session hijacking detected!");
}
?>
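The Session Configuration and Security Best Practices sections above spread the hardening steps over two snippets. The following is an added example, not part of the original tutorial, that folds them into one bootstrap function: it applies the cookie settings before session_start(), enforces an idle timeout and an absolute lifetime, rotates the session ID periodically, and binds the session to the User-Agent only (the client IP is left out because it changes legitimately on mobile networks and behind proxies). The limits, the 'MyApp' name, the `_meta` key and the helper names are this example's own choices.

```php
<?php
// Added example (not from the original tutorial): hardened session bootstrap.
declare(strict_types=1);

const SESSION_IDLE_LIMIT     = 1800;  // log out after 30 minutes without a request
const SESSION_ABSOLUTE_LIMIT = 28800; // and after 8 hours no matter how active
const SESSION_ROTATE_EVERY   = 900;   // fresh session ID every 15 minutes

/** Metadata kept alongside the application's own session data. */
function newSessionMeta(int $now, string $userAgent): array
{
    return [
        'created' => $now,
        'last'    => $now,
        'rotated' => $now,
        'ua'      => hash('sha256', $userAgent),
    ];
}

/** True when the session must be discarded: idle too long, too old, or UA changed. */
function sessionIsStale(array $meta, int $now, string $userAgent): bool
{
    return ($now - $meta['last']) > SESSION_IDLE_LIMIT
        || ($now - $meta['created']) > SESSION_ABSOLUTE_LIMIT
        || !hash_equals($meta['ua'], hash('sha256', $userAgent));
}

/** Call this instead of session_start() at the top of every page. */
function secureSessionStart(bool $httpsOnly = true): void
{
    // These must precede session_start(): they shape the cookie it sends
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie: dropped when the browser closes
        'path'     => '/',
        'secure'   => $httpsOnly, // HTTPS only
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Lax',      // not sent on cross-site POST requests
    ]);
    session_name('MyApp');
    session_start();

    $now = time();
    $ua  = $_SERVER['HTTP_USER_AGENT'] ?? '';

    if (!isset($_SESSION['_meta'])) {
        // Brand-new session
        $_SESSION['_meta'] = newSessionMeta($now, $ua);
        return;
    }
    if (sessionIsStale($_SESSION['_meta'], $now, $ua)) {
        // Discard everything and hand out a new, empty session instead of die()
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['_meta'] = newSessionMeta($now, $ua);
        return;
    }
    if (($now - $_SESSION['_meta']['rotated']) > SESSION_ROTATE_EVERY) {
        // Limit how long a leaked ID stays usable; true deletes the old data
        session_regenerate_id(true);
        $_SESSION['_meta']['rotated'] = $now;
    }
    $_SESSION['_meta']['last'] = $now;
}

secureSessionStart();
```

Resetting the session on staleness rather than calling die() lets the page continue with the visitor simply logged out, so the login page's "already logged in" check works unchanged. The absolute limit caps the value of a stolen session ID even for a user who stays active, which the idle timeout alone does not do.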