Home > Articles

PHP and the Web

  • Print
  • + Share This
This chapter is from the book

This chapter is from the book


One common use of cookies, and one of the main reasons behind their inception, is to maintain state. Stated differently, cookies allow you to associate separate HTTP transactions together by identifying a specific client.

If you set a cookie with a unique identifier, you can store information about the client on the server, and on the next request from that same client, you can use the cookie to identify the client and fetch the data that you stored. This technique is known as session management, and it relies on the ability to maintain state.

PHP makes all of this easy with its built-in sessions. To initiate PHP's sessions, simply include the following function call on any PHP page:


If you are using the default php.ini, this function requires PHP to manipulate some HTTP headers, so you must call it prior to any output. After you have called this function, you can simply use the $_SESSION superglobal array to store and access session variables. (For PHP versions prior to 4.1.0, $_HTTP_SESSION_VARS must be used instead.) For example, the following code sets a session variable named foo:

$_SESSION['foo'] = 'bar';

PHP takes care of propagating the session identifier (the unique identifier used to distinguish each client from any other) in a cookie or on the URL, depending on your php.ini settings, and it also takes care of storing and retrieving the session data.

Quite a few directives in php.ini affect sessions. The most notable ones are as follows:

  • session.save_path—This indicates the directory in which PHP will store session data.

  • session.use_cookies—This is a Boolean that indicates whether PHP will use cookies to propagate the session identifier.

  • session.use_only_cookies—This is a Boolean that indicates whether PHP will only check cookies for a session identifier (and not the URL).

  • session.name—The name of the session (also used as the name of the session identifier).

  • session.auto_start—This is a Boolean that indicates whether PHP should always enable session management, allowing you to avoid the call to session_start().

  • session.cookie_lifetime, session.cookie_path, session.cookie_domain—These correspond to the attributes used in the Set-Cookie header for the session identifier.

  • session.use_trans_sid—This is a Boolean that indicates whether PHP should dynamically choose whether to propagate the session identifier via cookies or the URL, depending on the user's preferences. If cookies are enabled, PHP will use a cookie; otherwise, it will use the URL. On the first page, PHP will use both methods since it cannot yet determine whether the user's preferences allow cookies (recall the previous discussion on cookies).

By default, PHP stores session data on the filesystem. If you want to modify this behavior, you can create your own session-handling functions for opening, closing, reading, writing, deleting, and garbage collection. To instruct PHP to use your functions for these session-related tasks, use session_set_save_handler() as follows:

session_set_save_handler ('myopen', 'myclose', 'myread', 'mywrite', 'mydelete',

This gives you complete flexibility over the behavior of the session management features, and you still use sessions the same way (session_start() and using $_SESSION). Thus, any existing code that uses standard session features will still work as expected.

  • + Share This
  • 🔖 Save To Your Account