Welcome Guys !!
I am Ajay Jaiswal. Here i am going to write an article about the PHP Session.
Sessions are very important aspect of PHP application development. They enable us to keep track of the users visiting our application A PHP session variable is used to store information about, or change settings for a user session. Session variables hold information about one single user, and are available to all pages in one application.
$_SESSION is a special array used to store information across the page requests a user makes during his visit to your website or web application. The most fundamental way to explain what a sessions is like is to imagine the following scenario:You are working with an application. You open it, make some changes, and then you close it.
That is a session in it’s simplest form.
The example scenario is reminiscent of the process that happens when using a login system. The process can be extremely complicated or incredibly simple, as long as there is a value that persists between requests. Information stored in the session can be called upon at any time during the open session.
While there may be many users accessing the site at the same time, each with his own session, it’s thanks to unique IDs assigned and managed by PHP for each session that allows each user’s session to be available only to himself. Session information is stored on the server rather than the user’s computer (as cookie data is stored), which makes sessions more secure than traditional cookies for passing information between page requests.
In this article I’ll give you the low down on using sessions in PHP – how to create them, how to destroy them, and how to make sure they remain secure.
Using Sessions
Before you can to store information in a session, you have to start PHP’s session handling. This is done at the beginning of your PHP code, and must be done before any text, HTML, or JavaScript is sent to the browser. To start the session, you call the
session_start() function in your first file:
1
2
3
4
5
| <?php// start them engines!session_start();// store session data$_SESSION["username"] = "Callum"; |
session_start() starts the session between the user and the server, and allows values stored in$_SESSION to be accessible in other scripts later on.
In your second file, you call
session_start() again which this time continues the session, and you can then retrieve values from $_SESSION.
1
2
3
4
5
| <?php// continue the sessionsession_start();// retrieve session dataecho "Username = " . $_SESSION["username"]; |
This example is a very basic demonstration of storing and retrieving data in a session. In the first script, the value “Callum” was associated with the key “username” in the
$_SESSION array. In the second script, the information was requested back from the $_SESSION array using the key.$_SESSION allows you to store and retrieve information across the page requests of a user’s active browsing session.Ending a Session
As important as it is to begin a session, so it is to end one. Even though a session is only a temporary way to store data, it is very important to clean up after yourself to ensure maximum security when dealing with potentially sensitive information. It is also good practice and will avoid having a huge amount of stale session data sitting on the server.
To delete a single session value, you use the
unset() function:
1
2
3
4
| <?phpsession_start();// delete the username valueunset($_SESSION["username"]); |
To unset all of the session’s values, you can use the
session_unset() function:
1
2
3
4
| <?phpsession_start();// delete all session valuessession_unset(); |
Both examples only affect data stored in the session, not the session itself. You can still store other values to
$_SESSION after calling them if you so choose. If you wish to completely stop using the session, for example a user logs out, you use the session_destroy() function.
1
2
3
4
| <?phpsession_start();// terminate the sessionsession_destroy(); |
I highly recommended that when you are sure you no longer need the session that you destroy it using
session_destroy(), rather than just unsetting all of its values with session_unset(). If you just unset all the value, the session itself is still active and malicious code could give those sessions harmful values.Regenerate the Session ID
The
session_regenerate_id() function creates a new unique-ID for to represent the current user’s session. This should be regenerated time any important authentication action is performed, such as logging in or updating user profile data. Giving the sessions a new ID after such actions make your application more secure by reducing the risk of a specific attack known as “Session Hijacking.”
1
2
3
4
5
6
7
| <?phpsession_start();if ($_POST["username"] == "admin" && $_POST["password"] == sha1("password")) { $_SESSION["authorized"] = true; session_regenerate_id();} |
Destroy Sessions
As I previously mentioned, you should use
session_destory() once you don’t need to use the session any more. This stops attackers from hijack the stale session, again increasing the session-related security of your web site.
No comments:
Post a Comment