Session Variables
April 29, 2002
Of course, there's much more to sessioning than just starting and
assigning a session_id. PHP allows you to assign variables
specific to a session. Take a look at the following:
page2.php
<?php
session_start();
$_SESSION["firstname"] = "michel";
// recommended - used in version of PHP >4.1
$HTTP_SESSION_VARS["initial"] = "J";
// recommended for versions of PHP <4.0.6
session_register("surname"); // least secure method
$surname = "newman";
?>
<a href="page3.php">Click here</a> to go to the next page.
Note: Color-coded lines have been split for display purposes.
Three ways are used here to set a session variable.
There's not much action to see here, but watch what happens when
we go onto the next page.
page3.php
<?php
session_start();
print "Your name is ".$_SESSION["firstname"]." ".$HTTP_SESSION_VARS["initial"]." $surname<br>";
print '<b>Variables:</b><br> $firstname: '.
$firstname. '<br>$_SESSION["firstname"]: '.
$_SESSION["firstname"]. '<br>$initial: '.
$initial. '<br>$HTTP_SESSION_VARS["initial"]: '.
$HTTP_SESSION_VARS["initial"].'<br>$surname: '. $surname;
?>
The variables are amazingly available to page3.php! And in a host
of manners as well. A number of tutorials and books use the
session_register() function, but that's the least secure
method, and not recommended. I suggest you use one of the first
2 methods depending on your PHP version. In order to avoid
confusion, I will stick with using the $_SESSION["varname"] format
for now. It's the most modern and secure, and I suggest you
get into the habit as well. (If you can't use it because of your
PHP version, I suggest you download a newer version of
PHP. A number of security bugs have been fixed recently, and if
you're going to be using sessions for some kind of e-commerce
site, you don't want to be too welcoming to the crackers!)
Another problem with using session_register() is that
the session variable is global in scope, so you need to be careful
when setting it inside a function. For example, see how the
following does not work:
page4.php
<?php
function a_function($x,$y) {
session_register("firstname");
$firstname = $x;
$_SESSION["surname"] = $y;
}
session_start();
$_SESSION["surname"] = "old jane";
$firstname = "old john";
a_function("new john","new jane");
?>
Go to the <a href="page5.php">next page</a>
page5.php
<?php
session_start();
print "Your firstname is: $firstname and your surname is: ".$_SESSION["surname"];
?>
All going well, we would hope to see "new john" and "new jane"
displayed in page5.php. Unfortunately, we'd see "old john", because
the $firstname assigned inside the function ($firstname = $x, or
"new john") is local to that function, and therefore not the same
as the global session variable we set to "old john". We have no
such problem with $_SESSION, as this is automatically global in
scope. "new jane" appears correctly.
Using session IDs
Unfortunately, cookies are not reliable. Those of you who have
cookies disabled will have seen that none of the above examples
work. We can't allow our users to escape so easily, however! And
this is where we need session IDs.
PHP4 creates a constant holding the session ID, named SID, which is
available inside a session. By appending this to the end of a URL,
the session ID becomes available to the next page. The
session_start() function will automatically pick up either the
SID or the cookie, depending on which is used. The following 2
variations of the earlier scripts will show this in action. First
disable cookies in your browser, forcing PHP to use session
IDs:
page6.php
<?php
session_start();
$_SESSION["first_name"] = "new john";
?>
View this link on your status bar before clicking it:
<a href='page7.php?<?=SID ?>'>page7.php</a>
page7.php
<?php
session_start();
print "Your firstname is: ".$_SESSION["first_name"];
?>
Looking at the URL in your browser's status bar, you'll see
something like:
page7.php?PHPSESSID=4725a759778d1be9bdb668a236f01e01
And when you click on the link, you'll see that the session
variable "new john" has been passed successfully to
page7.php
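A present-day counterpart to page6.php and page7.php, added here as an example and not part of the original article: because the session ID shown in the status bar is equally visible in logs and Referer headers, this version accepts the ID from a cookie only and issues a fresh ID when the session starts holding user data. The helper names start_hardened_session() and remember_first_name() are assumptions for illustration, and the options used assume PHP 7.3 or later served over HTTPS.

```php
<?php
// Added example, not code from the original article. Assumes PHP 7.3+ and HTTPS.
// start_hardened_session() and remember_first_name() are hypothetical helpers.

function start_hardened_session(): void
{
    session_start([
        'use_only_cookies' => 1,     // ignore a PHPSESSID supplied in the URL
        'use_trans_sid'    => 0,     // never rewrite links to carry the ID
        'use_strict_mode'  => 1,     // refuse IDs the server did not issue
        'cookie_httponly'  => 1,     // keep the cookie away from page scripts
        'cookie_secure'    => 1,     // send the cookie over HTTPS only
        'cookie_samesite'  => 'Lax', // limit cross-site sending of the cookie
    ]);
}

function remember_first_name(string $name): void
{
    // Replace the session ID before storing user data, so an ID seen
    // earlier (in a link, a log or a Referer header) stops being valid.
    session_regenerate_id(true);
    $_SESSION['first_name'] = $name;
}

// page6.php equivalent: no SID is appended to the link.
start_hardened_session();
remember_first_name('new john');
?>
<a href="page7.php">page7.php</a>
<?php
// page7.php equivalent (after its own start_hardened_session() call):
// escape session data before printing it into HTML.
$first = $_SESSION['first_name'] ?? '';
print 'Your firstname is: ' . htmlspecialchars($first, ENT_QUOTES, 'UTF-8');
```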