Session Handling - WORD

The document discusses session handling in web applications, highlighting the limitations of cookies and the advantages of using sessions for maintaining user state. It explains how to start, manage, and destroy sessions in PHP, including setting and retrieving session variables, as well as encoding and decoding session data. Additionally, it covers the importance of session IDs and the method for regenerating them to enhance security against session fixation attacks.

Uploaded by

Midhun Manoj

SESSION HANDLING

• The web (HTTP) is made up of requests and responses, and there are no persistent connections between them.

• The problem with this is that there is no consistency or personalization on the web, because there is no way to know who is sending the requests.

• One solution is cookies.

• When a user visits a web site, the server stores information about the user in a cookie and sends it to the browser, which saves it.

• Cookies are files residing on the CLIENT'S computer that store variables set by a particular
website.

• The problem with cookies is that they are an untrusted medium. Users can modify cookie data and cause unwanted problems with your app.

• A better solution is sessions.

• Sessions are a lot like cookies; however, they reside on the SERVER machine and cannot be edited directly by the client.

• When you use sessions, the session data itself is kept in some sort of storage on the server side, and the client holds only a session ID (normally in an HTTP cookie) so that the server can identify the client on each request.

• One important issue that confuses many people about the session_start() function is exactly where it can be called: because it sets the session cookie through HTTP headers, it must run before any output is sent to the browser.

Working with Sessions

• In this section we are going to see the key session-handling tasks, such as creating and destroying a session, setting and retrieving the SID, and storing and retrieving session variables.

Starting a Session:

• In order to work with sessions, first of all we need to start the session by calling the session_start() function at the top of the page, as:

<?php
session_start();
?>

• Once you start the session, you can start using session variables.

• session_start() creates a new session if no SID is found, or continues the current session if an SID exists.

• When session_start() is first called, PHP sets a cookie (yes, a cookie) in your visitor's browser,
containing a session identifier ("session ID").

• It also creates a session data file to store variables related to that particular session.

Get PHP Session Variable Values

• Notice that session variables are not passed individually to each new page; instead they are retrieved from the session we open at the beginning of each page (session_start()).

• Also notice that all session variable values are stored in the global $_SESSION variable:

• $_SESSION['name'] = "Asok"; (this sets the session variable)

• echo $_SESSION['name']; (this displays the session variable's value)

Creating and Deleting session variables

• Session variables are used to store and carry data from one page to another.

• Session variables are set with the PHP global variable: $_SESSION.

• Setting a session variable is done as follows:

page1.php

<?php
session_start();
$_SESSION['name'] = "Asok";
echo $_SESSION['name']; // Asok
?>

page2.php

<?php
session_start();
echo $_SESSION['name']; // Asok (read back from the session store, not from page1.php)
?>
• To delete a session variable

Although you can configure PHP's session-handling directives to automatically destroy a session based on an expiration time or garbage collection probability, sometimes it's useful to manually cancel the session yourself. For example, you might want to enable the user to manually log out of your site. When the user clicks the appropriate link, you can erase the session variables from memory, and even completely wipe the session from storage, through the session_unset() and session_destroy() functions, respectively.

The session_unset() function erases all session variables stored in the current session, effectively resetting the session to the state in which it was found upon creation (no session variables registered).

Its prototype looks like this:

session_unset()

• To delete a single session variable, we can use the unset() function:

Eg:

<?php
session_start();
echo $_SESSION['A'] = "test A";   // assigns and prints "test A"
echo "<br>";
echo $_SESSION['B'] = "test B";   // assigns and prints "test B"
echo "<br>";
unset($_SESSION['A']);            // remove only variable A
echo $_SESSION['A'];              // undefined now: prints nothing (PHP warns about the undefined index)
echo "<br>";
echo $_SESSION['B'];              // B is untouched: prints "test B"
exit;
?>

o/p

test A
test B
test B
Destroying a Session:

• A session can be destroyed automatically by setting an expiration time

Or

• We can destroy a session by using the following functions:

• session_unset();

– This function will delete all session variables stored in the current session, but it will not completely remove the session from the storage mechanism.

• session_destroy();

– This function will completely destroy the session by removing the session from the storage mechanism.
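The logout scenario described above, as an added example (not code from the original notes): session_unset() clears the variables, session_destroy() removes the server-side record, and, because neither touches the browser, the session cookie is expired explicitly so the old ID stops being sent back. The "Log out" link and the login.php redirect target are assumptions.

```php
<?php
// Added example: a complete logout handler (not from the original notes).
session_start();

function logout(): void
{
    // 1. Forget every variable stored for this user.
    session_unset();

    // 2. Expire the session ID cookie on the client. session_destroy() alone
    //    leaves the cookie in place, so the browser would keep sending the old
    //    ID (which would then simply open a fresh, empty session).
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }

    // 3. Remove the session data file/record from the server-side store.
    session_destroy();
}

// Assumed flow: the user clicked a "Log out" link that points at this script.
logout();
header('Location: login.php'); // hypothetical login page
exit;
?>
```

The order matters: the cookie parameters must be read and the cookie expired while the session is still active, and the redirect header must be sent before any output, for the same reason session_start() must be.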

Encoding and Decoding session Data

• Encoding Session Data:

• session_encode() offers a convenient method for manually encoding all session variables into a single string.

• Its prototype is session_encode();

• This function is particularly useful when you'd like to easily store a user's session information within a database.

<?php
session_start();

// initiate the session and create a few session variables
$_SESSION['username'] = "Asok";

// encode all session data into a single string and return the result
$sesval = session_encode();

echo $sesval;
?>

Decoding session Data:

• Encoded session data can be decoded with the function session_decode().

• This function will decode the variables, returning them to their original format.

• If the decoding is successful, it returns true (1); otherwise it returns false (0).

• Continuing the previous example, in the same script:

// $sesval holds the string returned by session_encode() above
session_decode($sesval);

echo $_SESSION['username']; // Asok
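The encode/decode round trip the two sections above describe, as an added example (not code from the original notes). The database save is only indicated by a comment, and the second variable and the failure handling are assumptions added for illustration.

```php
<?php
// Added example: round-trip session data through session_encode()/session_decode(),
// e.g. to keep a copy of the session in a database (not from the original notes).
session_start();

$_SESSION['username'] = 'Asok';
$_SESSION['role']     = 'student';   // constructed second variable

// With PHP's default "php" serialize handler the result looks like
//   username|s:4:"Asok";role|s:7:"student";
$encoded = session_encode();

// Hypothetical persistence step, e.g. $db->save($userId, $encoded);

// Later, restore the saved copy. session_decode() populates the current
// $_SESSION; clearing it first guarantees an exact restore regardless of
// what the session already contained.
$_SESSION = [];

// Only decode strings produced by your own session_encode() call: this is
// deserialization of attacker-controllable data if the source is not trusted.
if (session_decode($encoded) === false) {
    exit('could not decode stored session');
}

echo $_SESSION['username'], ' / ', $_SESSION['role']; // Asok / student
?>
```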

Setting and Retrieving the Session ID

Remember that the SID ties all session data to a particular user. Although PHP will both create and propagate the SID autonomously, there are times when you may wish to manually set or retrieve it. The function session_id() is capable of carrying out both tasks. Its prototype looks like this:

session_id([string sid])

The function session_id() can both set and get the SID. If it is passed no parameter, the function
session_id() returns the current SID. If the optional SID parameter is included, the current SID will be
replaced with that value. An example follows:

<?php
session_start();
echo "Your session identification number is " . session_id();
?>

This results in output similar to the following:

Your session identification number is 967d992a949114ee9832f1c11c

Regenerating Session IDs

An attack known as session fixation involves an attacker somehow obtaining an unsuspecting user's SID and then using it to impersonate the user in order to gain access to potentially sensitive information. You can minimize this risk by regenerating the session ID on each request while maintaining the session-specific data. PHP offers a convenient function named session_regenerate_id() that will replace the existing ID with a new one. Its prototype follows:

session_regenerate_id([boolean delete_old_session])

The optional delete_old_session parameter determines whether the old session file will also be
deleted when the session ID is regenerated. By default, this behavior is disabled.
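An added example of the mitigation just described (not code from the original notes): the ID is regenerated at login, the moment the user's privilege level changes, with delete_old_session set to true so that the pre-login ID is removed from the store as well. check_credentials(), the constructed user entry and the dashboard.php redirect target are assumptions standing in for a real user store and application.

```php
<?php
// Added example: regenerate the session ID at login (not from the original notes).
session_start();   // before any output: it sends the Set-Cookie header

// Hypothetical helper standing in for your own user store.
function check_credentials(string $user, string $pass): bool
{
    // Constructed sample user for the example only; a real application would
    // load the stored hash from its database.
    $stored = ['asok' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return isset($stored[$user]) && password_verify($pass, $stored[$user]);
}

$user = $_POST['user'] ?? '';
$pass = $_POST['pass'] ?? '';

if (check_credentials($user, $pass)) {
    // Issue a brand-new ID and delete the old session record (true). Whatever
    // ID the browser carried before authenticating, planted or observed, no
    // longer maps to this session. The default (false) keeps the old record.
    session_regenerate_id(true);

    $_SESSION['user']      = $user;
    $_SESSION['logged_in'] = true;
    $_SESSION['login_at']  = time();

    header('Location: dashboard.php'); // hypothetical
    exit;
}

http_response_code(401);
echo 'Login failed';
?>
```

Regenerating at privilege changes (login, role elevation) is the minimum; regenerating on every request, as the paragraph above suggests, tightens the window further at the cost of breaking concurrent requests that still carry the previous ID.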
