Basic usage

Note:

As of PHP 4.1.0, $_SESSION is available as a global variable just like $_POST, $_GET, $_REQUEST and so on. Unlike $HTTP_SESSION_VARS, $_SESSION is always global. Therefore, you do not need to use the global keyword for $_SESSION. Please note that this documentation has been changed to use $_SESSION everywhere. You can substitute $HTTP_SESSION_VARS for $_SESSION, if you prefer the former. Also note that you must start your session using session_start() before use of $_SESSION becomes available.

The keys in the $_SESSION associative array are subject to the same limitations as regular variable names in PHP, i.e. they cannot start with a number and must start with a letter or underscore. For more details see the section on variables in this manual.

If register_globals is disabled, only members of the global associative array $_SESSION can be registered as session variables. The restored session variables will only be available in the array $_SESSION.

Use of $_SESSION (or $HTTP_SESSION_VARS with PHP 4.0.6 or less) is recommended for improved security and code readability. With $_SESSION, there is no need to use the session_register(), session_unregister(), session_is_registered() functions. Session variables are accessible like any other variables.

Example #1 Registering a variable with $_SESSION.

<?php
session_start();
// Use $HTTP_SESSION_VARS with PHP 4.0.6 or less
if (!isset($_SESSION['count'])) {
  $_SESSION['count'] = 0;
} else {
  $_SESSION['count']++;
}
?>

Example #2 Unregistering a variable with $_SESSION and register_globals disabled.

<?php
session_start();
// Use $HTTP_SESSION_VARS with PHP 4.0.6 or less
unset($_SESSION['count']);
?>

Caution

Do NOT unset the whole $_SESSION with unset($_SESSION) as this will disable the registering of session variables through the $_SESSION superglobal.

Warning

You can't use references in session variables as there is no feasible way to restore a reference to another variable.
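
The reference warning above, as an added example that is not part of the PHP manual: it uses serialize()/unserialize() to model the value serialization applied when $_SESSION is saved and restored. It contrasts a reference between two entries of the same array with a reference to a variable outside the array. The function names and sample values are hypothetical.

```php
<?php
// Added example (not from the manual): serialize()/unserialize() stand in for
// the save/restore of $_SESSION between two requests. Function names are
// hypothetical; the sample values are constructed.

/** Write the array out and read it back, as happens between requests. */
function roundTrip(array $session): array
{
    // allowed_classes => false: never instantiate objects from stored data.
    return unserialize(serialize($session), ['allowed_classes' => false]);
}

/** A reference between two entries of the same array is stored and restored. */
function internalReferenceSurvives(): bool
{
    $session = ['cow' => 'Elsie'];
    $session['favorite'] = &$session['cow'];

    $restored = roundTrip($session);
    $restored['cow'] = 'Bessie';               // write through one entry

    return $restored['favorite'] === 'Bessie'; // the other entry follows
}

/** A reference to a variable outside the array comes back as a plain copy. */
function externalReferenceIsLost(): bool
{
    $outside = 'Elsie';
    $session = ['favorite' => &$outside];

    $restored = roundTrip($session);
    $restored['favorite'] = 'Bessie';          // changes only the restored copy

    return $outside === 'Elsie';               // the link to $outside is gone
}

var_dump(internalReferenceSurvives(), externalReferenceIsLost());
```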

If register_globals is enabled, then each global variable can be registered as a session variable. Upon a restart of a session, these variables will be restored to the corresponding global variables. Since PHP must know which global variables are registered as session variables, users need to register variables with the session_register() function. You can avoid this by simply setting entries in $_SESSION.

Caution

Before PHP 4.3.0, if you are using $_SESSION and you have disabled register_globals, don't use session_register(), session_is_registered() or session_unregister(). Disabling register_globals is recommended for both security and performance reasons.

If register_globals is enabled, then the global variables and the $_SESSION entries will automatically reference the same values which were registered in the prior session instance. However, if the variable is registered through $_SESSION, the global variable only becomes available from the next request.

There is a defect in PHP 4.2.3 and earlier. If you register a new session variable by using session_register(), the entry in the global scope and the $_SESSION entry will not reference the same value until the next session_start(). I.e. a modification to the newly registered global variable will not be reflected by the $_SESSION entry. This has been corrected in PHP 4.3.0.

User Contributed Notes 4 notes

up
14
AlexFBP
1 year ago
Regardless, if you need to set the header 'Location:' before closing the session, explicitly close the PHP script with the "exit()" or "die()" functions. Remember that when a PHP script ends, the session is automatically going to be closed.
up
-3
guy at syntheticwebapps dot com
1 year ago
Despite the warning about not being able to use references inside the session space, I've done it in the past and apparently completely successfully. That is, I can do something like this:

<?php
session_start();
if (!$_SESSION['favorite']) {
    $_SESSION['cow'] = "Elsie";
    $_SESSION['favorite'] =& $_SESSION['cow'];
    echo "We set cow = '$_SESSION[cow]' and favorite =& cow ($_SESSION[favorite]).<br/>Reload the page to see if both change when one changes later.<br/>";
} else {
    echo "Having re-entered the session after initial settings were made: cow = $_SESSION[cow] and favorite = $_SESSION[favorite].<br/>";
    $_SESSION['cow'] = "Bessie";
    echo "We reassigned cow = $_SESSION[cow] and our restored reference variable favorite = $_SESSION[favorite]<br/>Note the presence of the &s in the var_dump below.<pre>";
    var_dump($_SESSION);
    echo "</pre><br/>If you reload, the test will begin again.";
    unset($_SESSION['cow'], $_SESSION['favorite']);
    session_destroy();
}
?>
yields the following after the second request:

Having re-entered the session after initial settings were made: cow = Elsie and favorite = Elsie.
We reassigned cow = Bessie and our restored reference variable favorite = Bessie
Note the presence of the &s in the var_dump below.
array(2) {
  ["cow"]=>
  &string(6) "Bessie"
  ["favorite"]=>
  &string(6) "Bessie"
}
If you reload, the test will begin again.

I've found this ability very useful and storage efficient in the session data.
up
-3
jpleveille at webgraphe dot com
2 years ago
As mentioned in the documentation, using session_write_close() shuts down the session. It is particularly useful if you want to use header('Location: SOMEURL'); to a URL within the same scope of the current script, that will load the session. Why?

When you use this header directive, the browser is requested to redirect the user to the given URL. If that URL is in the scope of the script where header() is called (let's say, same URL), the requested URL "COULD" load the session BEFORE it has actually been shut down in the previous script, and you might end up with the session from the previous request, reverting all modifications to session in the last script.

<?php
session_start();

if (!isset($_SESSION['hello']))
{
  $_SESSION['hello'] = 'world';

  session_write_close();
  // session is now closed, it's safe to redirect
  // if not closed, $_SESSION['hello'] may not be set properly
  // when loading the page again
  // (in this very case, calls to this script could loop for a while)
  header('Location: ' . $_SERVER['PHP_SELF']);
}
?>
up
-10
eddie at onefoldmedia dot com
9 months ago
If a session is not saving and you have verified that session_start() is being called, then double check capitalization. $_session can store variables but will not be treated like a session or cause an error.