Making Use of Sessions

Now, that's all fair enough, but what can you do with it?

If you're using a server-side script to generate pages, then quite a bit. You can take information from a posted form, or from the query string, and add it to the session data. You can then retrieve this information and redisplay it, or save it in the database. You can remove information from the session data, and modify it. And you can do this freely within your scripts.

PHP Sessions Example

PHP Sessions Setup

By default, PHP stores session data in files, although it can make use of databases, and there are a number of functions that can be used to enhance session handling in scripts. For beginners, though, the default handling is usually enough.

In PHP, there is one initial requirement for using sessions. Every page must call the session_start() function before any information is sent to the client from the server, and before you can actually access the session data.

After that is done, the session data is accessed with the $_SESSION superglobal array.

Typically, I make sure that one of the first things that happen in my PHP scripts is the inclusion of a common file which does all of the things that must happen before the page can be created.

So, in the file "index.php", for example, I would have something like:

<?php
 
// index.php
 
// __DIR__ resolves the include relative to this script, not the filesystem root
require_once(__DIR__ . '/includes/common.php');
 
// page code goes below here
 
 
?>

And then in my common file, I would have:

<?php
 
// includes/common.php
 
session_start();
 
// other necessary things for startup here...
 
 
?>

There are actually a lot of settings in the PHP configuration itself which affect session behaviour - but the out-of-the-box settings are typically enough for most uses. There will be a more detailed article on PHP configuration at a later date.

PHP Sessions Usage

This is about the simplest example of using sessions:

<?php
 
// index.php
 
// __DIR__ resolves the include relative to this script, not the filesystem root
require_once(__DIR__ . '/includes/common.php');
 
// page code goes below here
 
 
$page_output = '';
 
if (isset($_GET['forgetme'])) {
 
  if (isset($_SESSION['username'])) {
 
    unset($_SESSION['username']);
 
  }
 
}
 
if (isset($_POST['username'])) {
 
  $_SESSION['username'] = $_POST['username'];
 
}
 
if (isset($_SESSION['username'])) {
 
  $page_output .= '<p>Hello ' . htmlentities($_SESSION['username']) . '!</p>';
 
  if (isset($_GET['remember'])) {
 
    $page_output .= '<p>See, I told you I would remember you</p>';
 
  }
 
  $page_output .= '<p>Click <a href="index.php?remember=true">here</a> and I will remember who you are</p>';
  $page_output .= '<p>Click <a href="index.php?forgetme=true">here</a> and I will forget you</p>';
 
} else {
 
  $page_output .= '<form action="index.php" method="post">';
  $page_output .= '<label for="fm_username">Enter Username</label>:';
  $page_output .= '<input type="text" id="fm_username" name="username" />';
  $page_output .= '<input type="submit" value="submit" />';
  $page_output .= '</form>';
 
}
 
echo $page_output;
 
?>

So, we access the session variables as part of the $_SESSION superglobal. The example also uses $_GET and $_POST in various guises in order to control the actual session data.

When a user opens the page for the first time, they are presented with the form:

  $page_output .= '<form action="index.php" method="post">';
  $page_output .= '<label for="fm_username">Enter Username</label>:';
  $page_output .= '<input type="text" id="fm_username" name="username" />';
  $page_output .= '<input type="submit" value="submit" />';
  $page_output .= '</form>';

This is because the check for the session value we are interested in (namely the username) has turned up false:

if (isset($_SESSION['username'])) {

Then, when the form is submitted, the script picks up the username and writes it to the session:

if (isset($_POST['username'])) {
 
  $_SESSION['username'] = $_POST['username'];
 
}

Now, every time the user loads the page with the "remember" link, the script pulls the information back out again:

if (isset($_SESSION['username'])) {
 
  $page_output .= '<p>Hello ' . htmlentities($_SESSION['username']) . '!</p>';
 
  if (isset($_GET['remember'])) {
 
    $page_output .= '<p>See, I told you I would remember you</p>';
 
  }
 
  $page_output .= '<p>Click <a href="index.php?remember=true">here</a> and I will remember who you are</p>';
  $page_output .= '<p>Click <a href="index.php?forgetme=true">here</a> and I will forget you</p>';
 
}

This would be available even if the user now opened another page on the same site (you don't even need the remember parameter) - so long as you call session_start() at the top of the script (which you will be doing if you always include the common.php file).

Finally, we manually destroy the username when the user clicks to forget:

if (isset($_GET['forgetme'])) {
 
  if (isset($_SESSION['username'])) {
 
    unset($_SESSION['username']);
 
  }
 
}

Of course, the session is killed by the server after a time limit (24 minutes is the default), too.
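
A variant of includes/common.php that sets the session cookie options explicitly and wraps the two session writes from the example above. It is added here as an illustration and is not part of the original article. The helper names remember_username() and forget_session() and the username character policy are assumptions, and the cookie_samesite option needs PHP 7.3 or later.

```php
<?php
// includes/common.php (added example; assumes PHP 7.3+)

$is_https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

session_start([
    'use_strict_mode'  => true,      // reject session IDs the server did not issue
    'use_only_cookies' => true,      // never accept the ID from the URL
    'cookie_httponly'  => true,      // hide the cookie from JavaScript
    'cookie_secure'    => $is_https, // HTTPS-only cookie when the site is on HTTPS
    'cookie_samesite'  => 'Lax',     // not sent on cross-site POSTs or subrequests
    'gc_maxlifetime'   => 1440,      // seconds before idle data may be collected (24 min)
]);

// Hypothetical helper: validate the posted name, then store it.
// Returns false and leaves the session untouched if the name is rejected.
function remember_username($raw)
{
    if (!is_string($raw)) {
        return false; // username[]=x arrives as an array, not a string
    }
    $name = trim($raw);
    // Constructed policy for this example: 1-32 letters, digits, _ . -
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $name)) {
        return false;
    }
    // Issue a new ID whenever the session gains an identity, so an ID that
    // was known before this point stops working (session fixation defence).
    session_regenerate_id(true);
    $_SESSION['username'] = $name;
    return true;
}

// Hypothetical helper: drop all session data and expire the cookie.
function forget_session()
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

With this in place, the POST branch in index.php would call remember_username($_POST['username']) instead of assigning to $_SESSION directly, and the forget branch would call forget_session(). Both must run before any output is sent, because they set cookies.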