HTTP was designed to be as open as possible, but the drawback is that there is no persistence of variables across web requests.
When a request is sent to a web server for a resource, the server doesn't know or care if the request comes from someone already on the server or from someone logging in from outside.
Therefore, if a web site needs to maintain state and allow data to be shared across pages, HTML pages alone won't do it.
Using a Query String
PHP does allow variables to be passed from page to page using a query string as in the example below.
In some cases this is appropriate; however, it's not very convenient where lots of variables are involved, and it's also not secure since the query string shows in the browser's address box.
Using Session Variables
A more elegant and secure solution is to use PHP session variables. Sessions are like server-side cookie files that store variables that can be read from, or written to, by PHP scripts.
Each session file is unique to the user request that created it and can only be accessed by subsequent requests from the same user.
This means that variable values can be unique to each user allowing passwords etc. to be passed from script to script.
Starting a Session
Before any session operations can be carried out, including reading from and writing to session variables, a session must be started. This will allow session variables to hold values unique to each user.
<?php
session_start();
?>
Note: session_start() MUST appear before session variables are accessed, and on every page where they need to be accessed.
Using session_start() does one of two things.
If the user does not already have a session, it creates a new session.
If the user does already have a session it connects to the existing session file.
When a session is created, PHP session management generates a session identifier that consists of a random 32 hex digit string and creates an empty session file on the server with the name sess_ followed by the session identifier.
It also includes a Set-Cookie header in the response, which creates a session cookie in the browser with the value of the session identifier.
This means that any subsequent request to the server will include this session identifier allowing PHP to connect to the appropriate session file.
Creating Session Variables
To create a session variable, session_register("variable_name") is used, where variable_name is the name of the variable to be created.
The code above first connects to the existing session (using the session identifier from the user's browser that is included with the request) or creates a new session.
It then creates two session variables and sets their values.
Once a session variable has been registered it can then be used like any other PHP variable.
Updating Session Variables
If you update a session variable within a script, there's no need to specifically update the session file; session management does this automatically before the script ends.
In the example above the session variables are updated in the same way as if they were normal PHP variables except that session_start() is used to connect to the session file.
Session variables are available to any PHP script that connects to the session using session_start() at the beginning of the script.
Destroying Session Variables
Session variables can be destroyed by using session_unregister().
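The start, create, update and destroy steps described above, combined into one script as an added example that is not code from the original page. It uses the $_SESSION array because session_register() and session_unregister() were removed in PHP 5.4; the variable names, the sample value and the logout/forget query parameters are assumptions, and the cookie settings assume the site is served over HTTPS.

```php
<?php
// Added example. Names, sample value and query parameters are constructed.

// Harden the session cookie before the session starts (array form: PHP 7.3+).
session_set_cookie_params([
    'lifetime' => 0,       // discarded when the browser closes
    'path'     => '/',
    'secure'   => true,    // only sent over HTTPS
    'httponly' => true,    // not readable by client-side script
    'samesite' => 'Lax',
]);

// Create a new session, or connect to the existing session file.
session_start();

// Destroy the whole session (for example on logout), before any output.
if (isset($_GET['logout'])) {
    $_SESSION = [];                            // clear variables in memory
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [            // expire the browser's session cookie
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();                         // delete the server-side session data
    exit("Logged out\n");
}

// Create session variables by assigning to $_SESSION.
if (!isset($_SESSION['visits'])) {
    $_SESSION['username'] = 'alice';           // constructed sample value
    $_SESSION['visits']   = 0;
}

// Update: the session file is rewritten automatically when the script ends.
$_SESSION['visits']++;

// Destroy a single session variable.
if (isset($_GET['forget'])) {
    unset($_SESSION['username']);
}

// Escape session data on output like any other value.
$name = htmlspecialchars($_SESSION['username'] ?? 'guest', ENT_QUOTES, 'UTF-8');
echo $name, ' has made ', (int) $_SESSION['visits'], " request(s)\n";
```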
In many cases a similar result can be achieved by using JavaScript cookies; however, PHP sessions have some advantages.
The session files are on the server, not on the user's hard drive, so are less easily tampered with.
PHP session variables are immediately available using session_start() whereas JavaScript cookies require scripting to encode and decode the cookie string.
PHP sessions will work even if the user has JavaScript cookies disabled.