Maintaining state with PHP4 sessions
April 29, 2002
HTTP as a protocol is stateless, which doesn't make it easy for
a developer. For example, your web server sends out a page to
someone ordering from an online shop, and then forgets all about
it. A few seconds later, the same person sends another request,
ordering another item. As far as the web server is concerned, it
could be an entirely different person. So to make sure the right
orders are associated with the right person, a developer has to
employ some sneaky tricks. Before PHP4, you could have used
something like
PHPLIB for session management.
But PHP4 comes with a complete set of sessioning functions.
This article explains how to use them.
The concept
In order for an online store to keep track of what's in whose
shopping trolley, the system needs to know which user is making
specific requests. After users log in, they would get lost amongst
all the other users if you didn't keep track of their session. By
assigning a unique value to this user, the system can know who it
is without having them log in on every page.
By default, PHP4 uses cookies. This is fine for most users, but
of course not all users have cookies turned on. To ensure all
users are covered, a unique session ID is also sent along with
every request. For example, someone browses from page1.php, to
page2.php. page1.php assigns a unique session id, for example
fb40ab44b7fa909525d723dd7d04faac. The reason it's so long is to
ensure that no two people are assigned the same session id at
the same time.
session_start() and session_id()
The PHP function to start a session is the aptly named
session_start(). It has to be called by every page
where you want sessioning enabled. To see what session ID
PHP has assigned, use the function session_id().
If cookies are disabled in your browser, enable them for now,
otherwise the next few examples will not work. Look at the
following script:
page1.php
<?php
session_start();
print "your session id is: ".session_id();
?>
If you hit refresh a few times, and assuming you've got cookies
enabled, you'll see that the number remains the same. As simple
as that and big brother knows it's you. Remember that HTTP is a
stateless protocol, so every time you reload the page, it's an
entirely different transaction for the web server. The PHP
functions have added the magic to keep track.
Be careful though - as session_start() sets the HTTP
headers, you cannot output anything before you call the function.
If you so much as output a tab before you call the function,
you'll get an error. For example,
page1_2.php
oops - this text shouldn't be here
<?php
session_start();
print "your session id is: ".session_id();
?>
This will give you an error such as:
Warning: Cannot send session cache limiter - headers already sent
(output started at /www/htdocs/page1.php:2)
in /www/htdocs/page1.php on line 3
Note: the lines of the error message have been split for display purposes.
The restriction applies only to output, i.e. anything before the
<?php tag, where not even whitespace is allowed. Whitespace inside
the PHP tags is treated in the normal way - it's ignored. So the
following will work properly:
page1_3.php
<?php // any normal php comments or whitespace can go here
session_start();
print "your session id is: ".session_id();
?>
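As an added example (not code from the original article), the script below checks for the "headers already sent" condition before calling session_start() and reports whether the browser returned the session cookie on this request. It assumes PHP 4.3 or later; the function names start_session_checked and browser_returned_cookie are hypothetical.

```php
<?php
// Added example, not part of the original tutorial.
// Assumes PHP 4.3 or later: headers_sent() fills in $file and $line,
// and the $_COOKIE superglobal is available.

// Hypothetical helper: start the session only if headers can still be sent.
function start_session_checked()
{
    // Any earlier output (even a blank line before the opening PHP tag)
    // means the Set-Cookie header carrying the session ID cannot be sent.
    if (headers_sent($file, $line)) {
        error_log("session_start() skipped: output began at $file line $line");
        return false;
    }
    return session_start();
}

// Hypothetical helper: did the browser send the session cookie back?
// False on the very first visit, and on every visit if cookies are disabled.
function browser_returned_cookie()
{
    return isset($_COOKIE[session_name()]);
}

// Read the request cookie state, then try to start the session.
$cookie_came_back = browser_returned_cookie();

if (!start_session_checked()) {
    print "Session could not be started; see the server error log.";
} elseif ($cookie_came_back) {
    // The ID in use was supplied by the client, so escape it on output.
    print "Cookie returned, session id: " . htmlspecialchars(session_id());
} else {
    print "No cookie received, new session id: " . htmlspecialchars(session_id());
}
?>
```

If the "No cookie received" line shows a different ID on every refresh, the browser is not returning the cookie and the session is not being carried between requests.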