PHP Lesson 20: How to set PHP Session Example – session_start(), session_destroy(),session_start()

Hello viewer, You can now have our Tutorial Lessons in your android mobile device and read it offline.
Download kotlin Programming APP on PlayStore
Download Website SEO Lessons APP on PlayStore

PHP Lesson 20: How to set PHP Session Example - session_start(), session_destroy(),session_start() - PHP Lesson 20: How to set PHP Session Example - session_start(), session_destroy(),session_start() - PHP Lesson 20: How to set PHP Session Example - session_start(), session_destroy(),session_start() - php session
php session

HTTP is a stateless protocol, meaning information is not cached between the various views of a visitor. This is, of course, impractical if we need to store certain information about a visitor, for example, which username he logged in with. To solve this, you use PHP sessions.

Technical background – PHP Session

Sessions give you the ability to capture specific data during a sequence of calls to your website. Each visitor is assigned a unique session ID, a possible session ID could look like this: dadafb244bbcb4bb84116d38f0ebd077, This session ID is re-sent to the web server by the visitor’s browser at each page view, allowing the web server to identify the visitor and load values from previous page views. The session ID is either appended to the URL as a GET parameter by the browser or stored locally in a cookie at the visitor’s site. Saving as a cookie is to be preferred for security reasons and is also preferred by PHP. Fortunately, as a web developer, you often do not have to worry about passing on the session ID, PHP actually takes all the work from there.

On the server then for each session ID locally a memory is set up, which can contain any variables for the visitor. For example, in the session, we can save for a visitor the username with which he logged in, which goods are in his shopping cart, etc.

The user has no way to see or manipulate the variables in his session. He only has the information as to which session ID was assigned to him by the web server.

Safety – PHP Session

Although sessions do not provide 100% security, they are still relatively secure. Each time the page is called, the browser informs the web server which session ID it has. Now, a malicious visitor can easily manipulate his session ID and could specify the session ID of another visitor. The thief could pretend to be someone else in a community.

How does the attacker get the PHP Session ID? 

As mentioned above, session IDs are either passed via the URL using the parameter?PHPSESSID or stored as a cookie at the visitor. If the session IDs are transmitted via URL, then it may happen that the user copies this URL and, for example, sends it via e-mail or Facebook to friends and acquaintances. If the friends then call the link, they continue to use the session ID and are logged in with another account. This is especially problematic when posting the link on a public page.

If instead cookies are used, which is the default and happens to all visitors who have not explicitly disabled cookies, the attacker must reach this cookie to steal the session. This can be done, for example, by using a Trojan on the computer or by listening to the line.

Of course, the thief can guess a session ID, but this is very unlikely. It is more likely that the lottery draws the same numbers several times in a row than guessing a session ID by chance. That’s why we should not worry about that.

In summary, sessions are pretty secure and we usually do not have to worry about stealing a session ID. Very critical operations, such as the deletion of the account or the like, but should be backed up with an additional password query again.

Getting started – Register sessions

If we want to use sessions in a script before we make any output, we have to issue the command session_start();  call:

<?php
session_start();
?>

It is advisable to have this code always at the top of the scripts. If you get the message Can not send session cookie – headers already sent by, then there was an issue somewhere before session_start (). An empty line or even a space before <?Php already suffices.

If we want to store a value/variable across multiple page views in the session, then this is done as follows:

About The Author

Related posts

Leave a Reply