Learning LAMP web development – 7. User session management and cookies
What the session is for…
Session data is supposed to hold information about one particular visitor for the duration of their browsing session, or even longer. The session is the right place to keep the visitor's identity once they have logged in, their preferences about what the website shows and how, values they have typed into forms so they do not have to type them again next time, and so on.
What the session is not for…
The session is not a cache. I have seen programmers put product records, e-mails and similar data taken from the database into the session so it does not have to be fetched from the DB again and again. This is a serious mistake: the whole session is read and unserialised on every request, and anything copied into it goes stale the moment the database row changes. There are several caching technologies which should be used for this purpose instead.
How PHP session management works?
The session must be started in every script that wants to access session data, and it should be started before any output is sent to the browser. The reason is that when a visitor comes for the first time, PHP generates a session id for them and pushes it to the browser in the response headers, and headers can no longer be sent once the body has started. Starting the session tells PHP either to read existing session data or to create a new session. In the latter case PHP generates a new session id and sends a Set-Cookie header asking the visitor's browser to store the id. During script execution data is written to the session; it is always stored on the server under that session id, and none of it is sent to the browser, only the id is. The next time the browser makes a request, it sends the cookie along, and on session start PHP reads it automatically. If it carries a session id, PHP loads the data stored on the server under that id and makes it available to the script through the superglobal array $_SESSION.
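The following script, added here as an illustration and not part of the original tutorial, shows the whole lifecycle described above in one place: starting before output, storing and reading values, and logging out. It assumes PHP's default file-based handler and a browser that accepts cookies; the user id 42 is made up.

```php
<?php
// Added example, not from the original tutorial: the session lifecycle in one
// script. Assumes PHP's default file-based session handler; user id 42 is made up.

declare(strict_types=1);

// Nothing may be sent to the browser before this line, not even a blank line
// before "<?php": on a first visit PHP has to add a Set-Cookie header carrying
// the freshly generated session id, and headers cannot follow body output.
session_start();

// First request: $_SESSION is empty. Later requests: PHP has already found the
// server-side file for the id the browser sent back and unserialised it here.
if (!isset($_SESSION['visits'])) {
    $_SESSION['visits']     = 0;
    $_SESSION['first_seen'] = time();
}
$_SESSION['visits']++;

function loginUser(int $userId): void
{
    // Only the identity is kept; profile and rights are reloaded from the
    // database on each request, which is what keeps the session small.
    $_SESSION['user_id'] = $userId;
}

function logoutUser(): void
{
    // Drop the data on the server side ...
    $_SESSION = [];
    // ... expire the cookie on the browser side ...
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    // ... and delete the server-side storage for this id.
    session_destroy();
}

if (isset($_GET['login'])) {
    loginUser(42);
} elseif (isset($_GET['logout'])) {
    logoutUser();
}

// Output may start only from here on. Only the id ever reaches the browser;
// the values printed below come from the server-side copy.
header('Content-Type: text/plain; charset=utf-8');
echo 'session id: ', session_id(), "\n";
echo 'visits    : ', $_SESSION['visits'] ?? 0, "\n";
echo 'logged in : ', isset($_SESSION['user_id']) ? 'yes' : 'no', "\n";
```

Request the script once, then with ?login=1 and ?logout=1: the visit counter survives between requests because the browser keeps sending the same cookie, and after logout both the server-side data and the cookie are gone.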
What you can store in session?
Basically anything: scalar variables, arrays and objects. Objects are serialised when the session is written, so their class must be loadable again when the session is read, otherwise you get a __PHP_Incomplete_Class. Keep the session to a reasonable size, because all of it is read and written on every request.
What else should I know about session management?
- expiration time. This one is interesting: if you run several websites on one server and PHP is configured to store sessions in the same folder, which by default it is, you will soon find that setting a different expiration time (session.gc_maxlifetime) in each project does not work well. If website A uses 30 minutes and website B 60, any script on website A that triggers the garbage collector will delete every session file older than 30 minutes, and because website B keeps its sessions in the same folder, its sessions get deleted too. So it is not enough to set the expiration time; you also have to make sure the session storage folder (session.save_path) is used only by this website. Note also that the garbage collector runs only with probability session.gc_probability/session.gc_divisor on session start, so a session can survive well past gc_maxlifetime; if a precise timeout matters, check a timestamp stored in the session yourself. Check the PHP configuration for these values.
- multiple sessions. There is something called the session name, which is a kind of namespace for sessions: it is the name of the cookie that carries the session id (PHPSESSID by default). If you change it with session_name() and then start the session, PHP will not find a cookie of that name among those the browser sent, so it generates a new id and effectively starts a new, empty session under that name. You can fill it with whatever you like, and whenever a script switches session name it is presented with the session data associated with that particular name. This way you can handle basically any number of sessions per user.
- session handlers. PHP lets you plug in different session handlers, for example ones that store session data in a database instead of files, or, for high-traffic websites, in a memory store such as Memcached. You can also write your own handler (a class implementing SessionHandlerInterface, registered with session_set_save_handler()) if you have special requirements.
- session data cannot always be trusted. You have to understand that a user's session is tied to whatever session id the browser sends to the script. If you open the same website in two different browsers, each gets a new session id, because the two browsers know nothing about each other (or don't want to ;o)). Log in in both and you are logged in twice, with two different session ids. So if you use the session to store per-user limits, counters, or flags saying whether the user may still do something, the user can get around them simply by starting another session. The data itself cannot be edited from the browser, since it lives on the server, but nothing stops the same user from having several independent copies of it; state that must be enforced per user belongs in the database, keyed by user id, not only in the session.
- session security. Session data is only as secure as the session id. The id is stored on the user's side and, unless the cookie is marked HttpOnly, it is accessible to JavaScript. JavaScript injected into your website (XSS) and shown to some user can read the cookie and send it to a third party. Once a third party holds someone else's session id, they can use it in requests to your website; your system will recognise them as the genuine user and treat them that way, and any private information and functionality is exposed. Also, unless you force users onto HTTPS, everything transferred between user and server travels in plain text, so anyone able to listen in on the conversation can extract the session id and abuse it the same way. Neither attack is hard, so the cheap defences are worth applying on every site: serve over HTTPS, set the session cookie with the Secure and HttpOnly flags (and SameSite), enable session.use_strict_mode so PHP refuses ids it did not generate itself, and call session_regenerate_id() whenever a user logs in or changes privilege so that a stolen or planted id stops working. If the site handles confidential information, go further: never display the current password, require it again before it can be changed, and expire sessions sooner or regenerate ids periodically.
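The following bootstrap file, added here as an example and not taken from the original tutorial, puts the points from the list above into one include that each script requires before producing output: a private storage folder and lifetime for this site, cookie flags, strict mode, an idle timeout enforced by the script rather than by garbage collection, id regeneration on login, and a per-user limit kept in the database instead of the session. The folder path, site name, timeout, and the user_quota table are hypothetical; the cookie-parameter array form needs PHP 7.3 or later.

```php
<?php
// Added example, not from the original tutorial: a session bootstrap for one
// website. Assumes PHP 7.3+ and that it is required before any output.
// The path, session name, timeout and the user_quota table are hypothetical.

declare(strict_types=1);

const SESSION_IDLE_SECONDS = 30 * 60;   // hypothetical idle timeout for this site

// 1. A storage folder used only by this site, so another site's garbage
//    collector (running with its own gc_maxlifetime) cannot delete our
//    sessions. The folder must exist and be writable only by the web server.
ini_set('session.save_path', '/var/lib/php/sessions/example-site'); // hypothetical path
ini_set('session.gc_maxlifetime', (string) SESSION_IDLE_SECONDS);

// 2. Accept the id only from the cookie, never from the URL, and refuse ids the
//    server did not generate itself (closes session fixation via a planted id).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');

// 3. Cookie flags: HttpOnly keeps injected JavaScript from reading the id,
//    Secure keeps it off plain-text HTTP, SameSite=Lax blocks most CSRF.
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie: gone when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// A site-specific cookie name so it cannot collide with another application's
// PHPSESSID on the same host (hypothetical name).
session_name('EXAMPLESITE');
session_start();

// 4. Enforce the idle timeout in the script: gc_maxlifetime is only honoured
//    when the garbage collector happens to run.
$now = time();
if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > SESSION_IDLE_SECONDS) {
    $_SESSION = [];
    session_destroy();
    session_start();
    session_regenerate_id(true);   // fresh id for the replacement session
}
$_SESSION['last_seen'] = $now;

// 5. Privilege changes get a fresh id, so an id that leaked or was planted
//    before login is worthless afterwards. true deletes the old file.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

// 6. A per-user limit must not live only in the session: the same user can
//    open a second browser and get a second, empty session. The authoritative
//    counter is keyed by user id in the database (hypothetical table).
function remainingDownloads(PDO $db, int $userId): int
{
    $stmt = $db->prepare('SELECT downloads_left FROM user_quota WHERE user_id = ?');
    $stmt->execute([$userId]);
    return (int) $stmt->fetchColumn();
}
```

Scripts that include this file only need to call loginUser() after verifying credentials and consult remainingDownloads() before serving a download; nothing else about session handling changes for them.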
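As an added example of the session handler bullet (this code is not from the original tutorial), here is a database-backed handler that replaces PHP's file storage. Because every operation touches only this site's own table, the shared-folder expiration problem from the first bullet cannot occur. It uses PDO with SQLite so that it runs stand-alone; the database location and table name are hypothetical, and the upsert syntax is SQLite's (MySQL would use ON DUPLICATE KEY UPDATE). It needs PHP 8.0 or later for the union return types and constructor property promotion.

```php
<?php
// Added example, not from the original tutorial: a PDO-backed session handler.
// Assumes PHP 8.0+ and pdo_sqlite; the database path and table are hypothetical.

declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private int $maxLifetime) {}

    public function open(string $path, string $name): bool
    {
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id       TEXT PRIMARY KEY,
            data     BLOB NOT NULL,
            modified INTEGER NOT NULL)');
        return true;
    }

    public function close(): bool
    {
        return true;
    }

    public function read(string $id): string|false
    {
        // An expired row is treated as missing, so a stale id cannot be
        // revived even if garbage collection has not run yet.
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND modified > ?');
        $stmt->execute([$id, time() - $this->maxLifetime]);
        $row = $stmt->fetchColumn();
        // Unknown id reads as an empty session; with session.use_strict_mode=1
        // PHP then discards the id the browser sent and issues a new one.
        return $row === false ? '' : (string) $row;
    }

    public function write(string $id, string $data): bool
    {
        // $data is the serialised $_SESSION array PHP hands over at shutdown.
        $stmt = $this->db->prepare(
            'INSERT INTO sessions (id, data, modified) VALUES (?, ?, ?)
             ON CONFLICT(id) DO UPDATE SET data = excluded.data, modified = excluded.modified');
        return $stmt->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = ?');
        return $stmt->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        // Only this site's rows are ever removed, whatever other sites on the
        // host have configured.
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE modified <= ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

$db = new PDO('sqlite:/var/lib/php/example-site-sessions.db'); // hypothetical location
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$lifetime = (int) ini_get('session.gc_maxlifetime');
// The second argument registers session_write_close() as a shutdown function.
session_set_save_handler(new PdoSessionHandler($db, $lifetime), true);
ini_set('session.use_strict_mode', '1');
session_start();

$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
echo 'hits in this session: ', $_SESSION['hits'], "\n";
```

The handler must be registered before session_start(); everything after that line is ordinary $_SESSION usage, which is the point of the handler interface. Swapping SQLite for MySQL or a Memcached-backed class changes only the constructor and the SQL, not the scripts that use the session.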
Published by Stan Kuhn in: PHP tutorial
