Until today, everything we code in PHP runs one time when we call the PHP file: variables are born, are used and die during the same page refresh. If I refresh the website again it will start all over again.
A session is an old concept. It is not only used in back-end web development. When you login your computer, you start a new session; everything you do during that session will be saved, and the next time you login to your computer, everything will be just how you left it.
The cool thing about sessions in PHP is that they allow you to save information on the server for hours or even days. They are the only way to have non-stateless applications: applications that can live for more than one single page refresh.
When you want to start either a new or a previously created session, you have to type session_start(); in your PHP file. This causes PHP to read the user’s session id and load the data into the RAM memory. Once loaded, it is accessible via the $_SESSION super global array. From there, you can modify the contents of $_SESSION.
Now that the session is available, we can assume that the session variables are available as well. You can work with them the same way you would use any other simple variable.
For Example: If we are implementing a Shopping Cart, we can store the list of products on a$_SESSION[‘products’] array. If the user adds a new product, we just add it to the array. We can print the list anytime.
It is good practice to close the session once you have finished updating the $_SESSION array. This will force PHP to save everything (just like the COMMIT in the database or in GIT).
Don’t worry! You can reopen the session whenever you want – either in the current or in the next page reload. If you want to fully destroy the session, you can call session_destroy();
☝ Note: session_start() cannot be called once an output has started. A warning will be displayed, and it is possible that the session could be lost. If you are seeing the error "Cannot send session cache limiter," check to make sure that no output is going to the browser. A common problem is an unwanted space or tab at the outsize of the PHP tags.
A good example of destroying a session is the typical "sign out" from any website. That will destroy all the session variables (cleaning any and all evidence that the user was ever there).
To destroy a session, all you need to do is the following:
Sessions seem like a pretty simple concept, and they are. But, you have to take this:
Timing-out sessions is a very important action if you are dealing with users logged into your website or application. If a user logs into your site in an Internet café and then leaves the café without logging out, how do you stop the next user on that computer from still having access to the previous user’s session? Well, for that, you can use the following code:
☝ The code ensures that if there is no activity for more than 600 seconds (10 minutes), the request is redirected to the logout page which would successfully logout the user.
The session_regenerate_id() function creates a new unique-ID to represent the current user’s session. This should be regenerated anytime important authentication action is performed – such as logging in or updating user profile data. Giving each session a new ID after such actions makes your application more secure by reducing the risk of a specific attack known as "Session Hijacking."
As previously mentioned, you should use session_destroy() once you don’t need to use the session anymore. This prevents attackers from hijacking the stale session (again, increasing the session-related security of your website).