Topic outline

    • HTTP is a stateless protocol. The protocol has no built-in way of maintaining state between two transactions. When a user requests one page, followed by another, HTTP does not provide a way for us to tell that both requests come from the same user. The idea of session control is to be able to track a user during a single session on a website.


      BASIC SESSION FUNCTIONALITY

      Sessions in PHP are driven by a unique session ID, a cryptographically random number. The session ID is generated by PHP and stored on the client side for the lifetime of a session.


      IMPLEMENTING SIMPLE SESSIONS

      The basic steps of using sessions are:

      1) Starting a session

      2) Registering session variables

      3) Using session variables

      4) Deregistering variables and destroying the session


      STARTING A SESSION

      There are two ways to start a session.

      The first, and simplest, is to begin a script with a call to the session_start() function:

      session_start();

      This function checks to see whether there is already a current session. If not, it will create one, providing access to the superglobal $_SESSION array. If a session already exists, session_start() loads the registered session variables so that you can use them. 

      The second way you can begin a session is to set PHP to start one automatically when someone comes to your site. You can do this by using the session.auto_start option in your php.ini file.


      REGISTERING SESSION VARIABLES

      Session variables are stored in the superglobal $_SESSION array. To create a session variable, you simply set an element in this array, as follows:

      $_SESSION['myvar'] = 5;


      The session variable you have just created will be tracked until the session ends or until you manually unset it. The session may also naturally expire based on the session.gc_maxlifetime setting in the php.ini file.


      USING SESSION VARIABLES

      To bring session variables into scope so that they can be used, we must first start a session by calling session_start(), as previously mentioned. We can then access the variable via the $_SESSION superglobal array, for example as $_SESSION['myvar']. When we are using an object as a session variable, it is important to include the class definition before calling session_start(), which reloads the session variables.


      UNSETTING VARIABLES AND DESTROYING THE SESSION

      When we finish with a session variable, we can unset it. We can do this directly by unsetting the appropriate element of the $_SESSION array, as in this example:

      unset($_SESSION['myvar']);


      CREATING A SIMPLE SESSION EXAMPLE

      <?php
      session_start();
      $_SESSION['session_var'] = "Hello world!";
      // The single-quoted part prints the variable name literally;
      // the concatenated part prints its value.
      echo 'The content of $_SESSION[\'session_var\'] is '
           .$_SESSION['session_var'].'<br />';
      ?>
      <a href="page2.php">Next page</a>

      The following code demonstrates the use of session variables set on an earlier page:

      <?php
      // session_start() must run before any output is sent, otherwise the
      // session cookie header cannot be set ("headers already sent").
      session_start();
      ?>
      <html>
      <head>
      <title>Session</title>
      </head>
      <body>
      <?php
      echo "Welcome ".$_SESSION["name"]."<br/>";
      // Shown only to illustrate reading a second variable; a real application
      // would keep an authenticated user ID in the session, not a password.
      echo "your Password:".$_SESSION["Password"];
      ?>
      </body>
      </html>


      The following code illustrates how to keep track of how many times the visitor has loaded the page, using a session variable as a counter:

      <?php
      // Use the full <?php tag (short_open_tag is off by default) and start
      // the session before any HTML is output.
      session_start();
      if (isset($_SESSION['counter'])) {
          $_SESSION['counter'] += 1;
      } else {
          $_SESSION['counter'] = 1;
      }
      ?>
      <html>
      <head>
      <title>php counter</title>
      </head>
      <body>
      <?php
      echo "You have visited this page ".$_SESSION['counter']." time(s) in this session";
      ?>
      </body>
      </html>


      PREVENTING SESSION HIJACKING 

      When SSL is not a possibility, we can further authenticate users by storing their IP address along with their other details by adding a line such as the following when you store their session:


      $_SESSION['ip'] = $_SERVER['REMOTE_ADDR']; 


      Then, as an extra check, whenever any page loads and a session is available, perform the following check. It calls the function different_user if the stored IP address doesn’t match the current one:


      if ($_SESSION['ip'] != $_SERVER['REMOTE_ADDR']) different_user();


      Of course, we need to be aware that users on the same proxy server, or sharing the same IP address on a home or business network, will have the same IP address. We can also store a copy of the browser user agent string (a string that developers put in their browsers to identify them by type and version), which might also distinguish users due to the wide variety of browser types, versions, and computer platforms. Use the following to store the user agent:


      $_SESSION['ua'] = $_SERVER['HTTP_USER_AGENT']; 


      And use this to compare the current agent string with the saved one:

      if ($_SESSION['ua'] != $_SERVER['HTTP_USER_AGENT']) different_user();
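      Putting the IP and user-agent checks together, as an added example that is not from the original notes: the function names bind_session_to_client, client_matches_session and different_user (which the notes mention but do not define), and the login.php redirect target, are this example's own assumptions.

```php
<?php
// Added example, not from the original notes. Function names and the
// login.php redirect target are assumptions of this example.
declare(strict_types=1);

// Record the client's IP address and user agent when the session is first
// established (for example right after a successful login).
function bind_session_to_client(array &$session, array $server): void
{
    $session['ip'] = $server['REMOTE_ADDR'] ?? '';
    $session['ua'] = $server['HTTP_USER_AGENT'] ?? '';
}

// Compare the stored values with the current request. A missing stored
// value counts as a mismatch rather than a silent pass.
function client_matches_session(array $session, array $server): bool
{
    if (!isset($session['ip'], $session['ua'])) {
        return false;
    }
    return $session['ip'] === ($server['REMOTE_ADDR'] ?? '')
        && $session['ua'] === ($server['HTTP_USER_AGENT'] ?? '');
}

// Called on a mismatch: wipe the server-side state, replace the session ID
// so the old one no longer refers to anything, and send the user to log in.
function different_user(): void
{
    $_SESSION = [];
    session_regenerate_id(true);   // old ID becomes invalid
    session_destroy();
    header('Location: login.php');
    exit;
}

session_start();
if (isset($_SESSION['ip'], $_SESSION['ua'])) {
    // Existing session: run the check on every page load.
    if (!client_matches_session($_SESSION, $_SERVER)) {
        different_user();
    }
} else {
    // New session: bind it and issue a fresh ID so an ID obtained before
    // this point cannot be reused.
    bind_session_to_client($_SESSION, $_SERVER);
    session_regenerate_id(true);
}
// Caveat from the notes: clients behind one proxy/NAT share an IP, and a
// client whose IP changes mid-session (mobile networks) will be logged out.
```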