COOKIES AND SESSIONS
The HTTP protocol is stateless, that is, it does not maintain state. We create a form by which we ask the user whether they prefer light or dark colors. The fact is that if the user enters a preference and navigates to another page in the application we lose that information, but also if we make a new request to the same page the information is lost. Imagine an authentication system in which the user enters username and password, without a state-preserving mechanism, we would be prompted for username and password at each new page.
MAINTAIN THE STATUS
To maintain the state we either store the information on the client with cookies or on the server with the session mechanism. When we talk about data retention we need to understand whether this should be for a single page or should be stored for days, even if the user visits other websites.
THE SUPERGLOBAL ARRAY $_SESSION
If we want to keep server-side data in communication with a client we use sessions. The first thing to do is to start a session with the function session_start(). If we do a var_dump($_SESSION) initially the array is empty, but when we set a color and submit we will have the following Array.
What we have done is storage in the array $_SESSION of the color preference set by the user and occurring after the form submit.
The result we want to achieve is that that information is also present in page2.php. If we echo on $_SESSION[‘preferenceColors’] in page2.php we will see that the information has been maintained, that is, with sessions we were able to maintain the information between multiple HTTP requests. But where is the information maintained? Let’s do a echo session_save_path() to find out, on my Windows 10 system with XAMPP installed I will have:
SESSION PATH
As you see from the above image the information was saved in C:\xampp\tmp also when starting a session a session ID is generated which is a unique identifier. We open the path in the visual studio code terminal, remembering THE session ID.
The information was stored in the file sess_oek2qkbag1ao4kkc2i9e2kmsof We open this file by clicking on the link C:\xampp\tmp.
We were able to find where PHP saves its sessions. The information is stored on a folder on the Server, when the client makes a new request the server will go and read the information within this file. One question remains to be answered. How does the server know in which session file to retrieve the information? Let’s say that each client has its own session, and to answer the question we need to analyze the Cookies which we will see in a future post.
SESSION STATUS
We can know the status of a session through the function session_status() to value 1 corresponds inactive session, to value 2 active session. Instead of using numeric values, we can use constants PHP_SESSION_NONE e PHP_SESSION_ACTIVE.
The state of a session becomes active when the session_start() function is invoked, a unique identifier for the session is also created. Let us now create another PHP page page3.php we start the session with session_start() and we echo the session_id() value . The session ID created is the same as the one in the page SESSION_STATUS.php from where the following was first invoked session_start().
SESSION ID
This means that only on the first invocation of session_start() a new session ID is created, if the function is invoked again the active session and its ID are retrieved. Thanks to this mechanism of generating a session ID that does not change between requests, server-side we are able to maintain state. That is, we are able to maintain information with a client within a browsing session.
CHANGE SESSION PATH
We now create a sessions folder inside the Array Superglobals folder. If we want we can change the path where the sessions are stored, this is certainly not a good choice for security, but if we want we can do it. The following code illustrates how.
FURTHER INFORMATION
The super global $_SESSION array in PHP is a data structure for storing user-specific information as the user navigates a Web site.
This array is used to manage sessions, which are particularly useful for maintaining a state between different pages visited by the same user, such as the login or shopping cart in an e-commerce.
Main features of $_SESSION:
1. Persistence between requests: Unlike other variables, the data stored in $_SESSION persists across multiple HTTP requests.
This means that you can save information about a user when they visit one page and then retrieve it when they visit another page.
2. Server storage: Session data is stored on the server, and not in the user’s browser.
Only the session identifier (a small cookie with a unique ID) is sent to the client.
3. Global access: The $_SESSION array is super global, so it is accessible from anywhere in PHP code, without the need to pass the variable between functions or files.
4. Security: Being stored on the server, session data is generally more secure than data stored in cookies, since it cannot be changed directly by the user.
Example of the use of $_SESSION:
// Start the session
session_start();
// Stores a value in the session
$_SESSION[‘username‘] =‘Mario Rossi‘;
// Retrieve a value from the session
echo ‘Hello, ‘ . $_SESSION[‘username‘]; // Output: Hello, Mario Rossi
// Removes a value from the session
unset($_SESSION[‘username’]);
// Destroys the session
session_destroy();
Steps to use $_SESSION:
Starting the session: Before you can use $_SESSION, you must start a session with session_start().
This function must be called at the beginning of every PHP script that accesses session data.
Data storage 2: To store a value, simply assign it to the $_SESSION array with a specific key.
3. Data retrieval: To access the stored data, simply retrieve the value associated with the desired key in the $_SESSION array .
4. Data removal: You can remove a single value using unset() or destroy the entire session with session_destroy().
Security considerations:
It is important to protect sessions from attacks such as session hijacking or session fixation.
Some suggestions include:
– Use HTTPS sessions to protect session cookies.
– Regenerate the session ID after a login with session_regenerate_id().
– Set session directives such as session.cookie_secure and session.cookie_httponly correctly.
In conclusion, $_SESSION is a powerful and versatile tool for managing the state of a web application, ensuring a consistent and secure user experience.
Leave A Comment