The $_SESSION variable

HTTP is a "stateless" protocol. It does not remember anything that went on before between a particular client and web site. We have seen that by using cookies we can get the client computer to store information about interactions for us. However, this may not always be desirable, as there may be an unreasonable amount of information to pass back and forth, or it may be sensitive information.
PHP offers another way to save information: you may start a session for each visitor to your site, and PHP will assign a unique "session ID", set that as a cookie, and then accumulate all other information in an array named $_SESSION. This page is a test and example of how it works.

Welcome to the session test page

We are going to start a session with this form, and save the form data in the $_SESSION array, as well as some other values.
The PHP pages that follow the form submission are adapted from the PHP documentation.

How it works

You may start a "session"; once started, you may use the super-global array $_SESSION much like the others you know, e.g. $_GET. The difference is that you can store values in this array: PHP will save them and they will be available to subsequent pages. The session (for each client) is identified by a cookie stored by the client, and it remains valid until the client's browser is closed, just like a normal cookie.

The session data, on the other hand, is stored at the server. (It is subject to "garbage collection" if unchanged for over 24 minutes.)

<?php
session_start();                     // must be called before any output is sent
$_SESSION['name'] = $_GET['name'];   // value submitted by the form above
$_SESSION['favcolor'] = 'green';
$_SESSION['time'] = time();
echo '<br />Go on to <a href="session2.php">page 2</a>';

Note that the link to session2.php has no query string. Yet, it can retrieve the session data:


<?php
session_start();                     // resumes the session identified by the cookie
$name = $_SESSION['name'];
echo "Welcome to page #2 $name<br />";
echo '<br>Our favorite colour: ';
echo $_SESSION['favcolor']; // green
echo '<br>Your session started: ';
echo date('Y m d H:i:s', $_SESSION['time']);

Modifying the behaviour of your sessions (php.ini options)

Many of the details of how sessions work are specified in a system file php.ini. These variables can be overridden using ini_set(). In particular:

session.cookie_lifetime = "0"    Seconds until the cookie expires (0 = until the browser closes)
session.cookie_path = "/"        Default: the whole server

Now, on Osiris we do not want to interfere with one another's settings, so I have changed the default there to "", so the session will be limited to the directory in which the session is first started, and any subdirectories. Should you already be in a subdirectory when starting, you can override the path so it includes all your pages, as follows:


See the PHP documentation, session reference, for the complete list. Be aware that cookie_lifetime is counted from the moment the cookie is created, not from the last request, so the default "0" is probably the safest.

Security warnings

A number of issues are raised in the documentation. Session IDs could be intercepted or used in some underhanded way by JavaScript, allowing access to the session data, which otherwise is safe on the server. Read the documentation before using really sensitive data. That is best stored encrypted in your database anyhow.
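The following is an added example, not code from this page or from the PHP documentation, showing how the cookie_path override described above and the session-ID warnings can be handled in one place: the cookie is scoped to an assumed application directory, hidden from JavaScript with the HttpOnly flag, and the ID is renewed when the visitor first identifies themself. The directory name $appPath is an assumption to be replaced with your own.

```php
<?php
// Added example: harden the session cookie before starting the session.
// $appPath is assumed; set it to the directory that holds all your pages.
$appPath = '/~yourname/phpcourse/';

// Overrides the php.ini defaults; must run before session_start().
session_set_cookie_params([
    'lifetime' => 0,                 // until the browser closes (the safe default)
    'path'     => $appPath,          // instead of "" (this directory) or "/" (whole server)
    'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    'httponly' => true,              // cookie not visible to document.cookie
    'samesite' => 'Lax',             // not sent with cross-site form posts (PHP >= 7.3)
]);

session_start();

// Issue a fresh session ID the moment the visitor identifies themself,
// so whatever ID was in use before the form is not carried over.
if (isset($_GET['name']) && !isset($_SESSION['name'])) {
    session_regenerate_id(true);     // true = discard the old session data file
    $_SESSION['name'] = $_GET['name'];
    $_SESSION['time'] = time();
}

// Expire idle sessions ourselves after 24 minutes (the gc_maxlifetime default)
// rather than relying on garbage collection, which runs only occasionally.
$idleLimit = 24 * 60;
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > $idleLimit) {
    $_SESSION = [];
    session_destroy();
    exit('Your session has expired; please start again.');
}
$_SESSION['last_seen'] = time();

// Escape session data on output: it originally came from the user.
$name = htmlspecialchars($_SESSION['name'] ?? 'stranger', ENT_QUOTES, 'UTF-8');
echo "Welcome back, $name<br />";
```

The same block belongs at the top of every page that uses the session, since the cookie parameters apply only to the session_start() call that follows them.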