Working with persistent data: the basics of session management - PHP

The first step involved in the use of PHP sessions is naturally indicating to the PHP interpreter that some kind of persistent data must be stored in the course of a session, in such a way that this data will maintain its value across different HTTP requests. How is this done? Basically, when a session is created, these are the key operations performed by the PHP session management mechanism:

• A cryptographic session identifier is created (known as the session ID), which is saved in the client in a cookie (this is the default behavior), or propagated by the URL as part of the query string (also known as URL propagation).
  
  
• Session data is stored on the server in text files (the default directory for storing session data is /tmp), but this behavior can be easily changed to save session data in shared memory or even database tables.
  
  
• The corresponding session ID is associated with saved session data, in this way providing a method for tying a particular user to this data.

Right, these are at least the basic operations performed internally by the PHP session module, when a new session is started. As you saw, they’re very comprehensive.

Before I show you some illustrative hands-on examples, let me explain how session IDs are propagated across different HTTP requests. First off, the PHP session module uses cookies as the default way to propagate session IDs between different pages. Additionally, IDs can be propagated by GET/POST requests, by appending to each URL the name of the session together with the corresponding session ID. The following example shows how to pass a session ID between pages:

<?php
session_start();
?>
<a href="sesionscript.php?<?php echo 'PHPSESSID='.session_id()?
>">Click here</a>

In addition, PHP offers the global constant SID, which can be used to propagate session IDs within the URL, as follows:

<?php
session_start();
?>
<a href="sesionscript.php?<?php echo SID?>">Click here</a>

Finally, it’s possible to propagate session IDs by using the powerful “URL rewrite” feature, which automatically parses relative URLs and includes the session ID as part of the querystring. To enable this handy feature, PHP must be configured with the “—enable-trans-id—option and then recompiled.

Having explained the different methods for propagating session IDs, here’s a simple script that creates (or resumes) a session, and registers some data in the superglobal $_SESSION array:

session_start();
// register session variables
$_SESSION['firstname']='Alejandro';
$_SESSION['lastname']='Gervasio';
// display session variables
echo 'My first name is '.$_SESSION['firstname'].' and my last
name is '.$_SESSION['lastname'];

As you can see, the above script is very simple. It first creates a new session or resumes an existing one by the “session_start()” function, and then stores my first and last names respectively as session data. As I explained before, if there is not a previous session, PHP will first generate a pseudo random session ID, then create a session file on the server using that ID, and save the serialized data in this file. In addition, the corresponding session ID will be stored in the client by using a cookie.

Of course, this sequence is the default behavior of the session module. However, as you’ll see later on, this process can be entirely changed, in order to utilize either shared memory or database tables for storing session data.

Now, I’ll continue exploring the PHP session module, by using some other interesting functions. Have a look at the following example, which uses the “session_id()” function:

session_start();
echo 'Old session ID :'.session_id();
// generate a new session ID
session_id(md5(rand(1,5000)));
echo 'New session ID: '.session_id();

In this case, after running the above script, these are the values outputted to the browser:

Old session ID :e0c9904e70f283343f5aba1bad09aa69
New session ID: b0169350cd35566c47ba83c6ec1d6f82

As shown above, the “session_id()” function comes in very handy either for retrieving the ID of the current session, or for generating a new session identifier. To increase the overall security of a session, generating a new ID sometimes can be quite useful, in order to avoid possible session ID interceptions from malicious users. In case you need to regenerate the ID of a current session, PHP also provides the “session_regenerate_id()” function, which can be used as follows:

session_start();
$oldid=session_id();
session_regenerate_id();
$newid=session_id();
echo 'Old session ID is '.$oldid;
echo 'New session ID is '.$newid;

And the corresponding output for this script would be similar to this:

Old session ID is 8245009bcf9e24a738804323e779a3b7
New session ID is 680ee3c504bdecaf270539b254dd97df

In this example, as its name suggests, the “session_regenerate_id()” function is used to generate a new ID for the current session, but the good thing is that session data is always maintained. This function is extremely useful for avoiding some issues related to session ID fixation, and should be utilized in order to increase the security of session handling scripts.

Now that you’ve learned how to use some helpful PHP session functions, handy for manipulating session IDs, it’s time to leap forward and continue exploring other functions included within the session management module. Please keep on reading to learn more.