How Does a PHP Session Work
The Hypertext Transfer Protocol (HTTP) is a stateless protocol. That means the server simply forgets about you once your request has been served, and the connection between server and client is closed immediately afterwards. For example, when you make a request for page a.html, the server sends you a.html. After that, you make a second request for b.html. At that point, the server does not recognize that you are the one who previously requested a.html. To work around this limitation of HTTP, web applications introduced a mechanism called the session. By using a session, the web application automatically knows who you are. For example, after you log in to the application, you can access the user profile page or any other page and the web application still recognizes you.
Sessions can be implemented in any web programming language, including PHP, and the concept is almost the same in all of them. To see how a session works, let's walk through the following scenario, which I built using PHP and tested on Mozilla Firefox.
1. Open Your Web Console
We need to see what happens in the background while we are opening a web page, so we need to open the developer/web console. In Firefox, click the menu on the right-hand side, click Developer, then click Browser Console.
2. Session Initialization
By default, PHP uses a cookie to manage the session. Let's write a PHP file that initializes the session and then sets a value in it.
<?php
// Start the session.
session_start();

// Usually we check whether the session value is set or not.
// If not, we redirect the user to the login page.
// When the user is authenticated, we set the session for him/her, then redirect to the main page.
// But to keep this example as simple as possible, we just hardcode it here.
$_SESSION['user'] = "User1";
echo "Session is started.";
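As an added example, not code from the original article, here is the flow that the comments above describe (check whether the session value is set, send the user to the login page if not, set the session after authentication and redirect), together with the cookie attributes and session ID regeneration a practitioner would want around it. The helper credentials_are_valid(), the paths /login.php and /main.php, and the form field names username and password are assumptions; the array form of session_set_cookie_params() requires PHP 7.3 or later.

```php
<?php
// Added example (not from the original article): login flow with session hardening.
// Assumed: a form that POSTs 'username' and 'password', and the paths /login.php and /main.php.

// Cookie attributes must be set before session_start() issues the PHPSESSID cookie.
session_set_cookie_params([
    'lifetime' => 0,      // session cookie: discarded when the browser closes
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript (document.cookie)
    'samesite' => 'Lax',  // not sent on most cross-site requests
]);
session_start();

// Hypothetical placeholder for the application's real credential check.
// A real application looks up a stored password hash and uses password_verify().
function credentials_are_valid(string $user, string $pass): bool
{
    $stored = ['User1' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return isset($stored[$user]) && password_verify($pass, $stored[$user]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string)($_POST['username'] ?? '');
    $pass = (string)($_POST['password'] ?? '');

    if (credentials_are_valid($user, $pass)) {
        // Issue a fresh session ID when the user authenticates, so that an ID the
        // browser already held before login is not carried over into the logged-in session.
        session_regenerate_id(true);
        $_SESSION['user'] = $user;
        header('Location: /main.php');
        exit;
    }

    http_response_code(401);
    echo 'Invalid credentials.';
    exit;
}

// Not a login submission: if no session value is set, send the user to the login page.
if (!isset($_SESSION['user'])) {
    header('Location: /login.php');
    exit;
}

// The session value is set, so the server knows who this is.
echo 'Session is started for ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
```

The cookie parameters matter because, as the next section shows, the PHPSESSID value is the only thing the server uses to tie a request to a session; the HttpOnly and Secure attributes limit where that value can be read or sent, and session_regenerate_id() ensures the ID used after login is one the server just created.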
3. Set The Cookie For Client
Access the file through the web browser, then look at the browser console. Expand the request detail of the URL in that console and look at the Response headers section. You should see something like Set-Cookie: PHPSESSID=20b1di7nmft33rj6kt6056ukh7, which is generated automatically the first time session_start is called. That line tells your web browser to store a cookie named PHPSESSID whose value is a random string. That random string, which will be different in your case, is the most critical part: it is used as your ID and it is sent as a cookie every time you make a request to the server.
Now, let's take a look at the cookie in your web browser. Open a new tab and type about:preferences in the address bar. Click the Privacy menu, then click the remove individual cookies link. There might be a lot of cookies there, but you can filter them by typing localhost in the Search text field. Find the PHPSESSID cookie and click it to see its value. Indeed, it contains the random string I mentioned previously.
4. Explore The Session File On Server
You might wonder what the $_SESSION['user'] = "User1"; line is for. By default, when we set a session value, it is stored in a file. On Linux, the file is usually stored in the /tmp folder. On Windows it is located in C:\WINDOWS\Temp. The file name follows the pattern sess_[random string]. In this case, the file name is sess_20b1di7nmft33rj6kt6056ukh7. Now, when we open that file, we see content like the following.
user|s:5:"User1";
That content is generated when we set the session value using $_SESSION['user'] = "User1"; .
5. Read The Session In Another Page
Let's create another PHP file in which we read the session that we set in the previous file.
<?php
// Resume the existing session (identified by the PHPSESSID cookie) before reading from it.
session_start();
echo "Welcome " . $_SESSION['user'];
Access that file through the web browser and you will see that the page outputs the session content that we set in the previous page. After that, take a look at the browser console. Expand the request detail of the URL in that console and look at the Request headers section.
You will see Cookie: PHPSESSID=20b1di7nmft33rj6kt6056ukh7 in that header. Every time we make a request, that cookie is sent to the server, and the web application uses that random string to check the existence and content of the session file, in this case sess_20b1di7nmft33rj6kt6056ukh7. This is how the web application is able to know who you are.
Remember what I said previously about the random string that is used as the session ID? Yes, that random string is part of the file name. That's how the web application still knows who you are even after you have accessed different pages.
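To make the link between the session file in section 4 and the $_SESSION array concrete, here is an added example (not code from the original article) that runs from the command line and uses PHP's own session_decode() and session_encode() to go from the file's serialized content to $_SESSION and back, then checks that the bytes PHP writes to the sess_ file match. The serialized line is constructed to match what $_SESSION['user'] = "User1"; produces with PHP's default php serialize handler; the session directory is whatever session.save_path is on your system, or the system temp directory when it is unset.

```php
<?php
// Added example, not code from the original article. Run it with: php session_file.php
// It shows how the content of a sess_<id> file maps to $_SESSION and back.
declare(strict_types=1);

// Constructed to match what $_SESSION['user'] = "User1"; produces with the default php serializer.
$constructedFileContent = 'user|s:5:"User1";';

// session_decode() writes into the active session, so one has to be started first.
// On the command line this creates a real sess_<id> file under the save path.
session_start();

if (!session_decode($constructedFileContent)) {
    fwrite(STDERR, "could not decode session data\n");
    exit(1);
}

// $_SESSION now holds exactly what the first page set.
echo 'decoded user: ', $_SESSION['user'], PHP_EOL;

// The reverse direction: session_encode() returns the bytes PHP writes to the file.
$encoded = session_encode();
echo 'serialized form: ', $encoded, PHP_EOL;

// Where this run's file lives: session.save_path, or the system temp dir when it is unset.
$dir  = session_save_path() !== '' ? session_save_path() : sys_get_temp_dir();
$file = $dir . DIRECTORY_SEPARATOR . 'sess_' . session_id();
echo 'session file: ', $file, PHP_EOL;

// The file is written when the session is closed; after that the on-disk bytes are comparable.
session_write_close();
echo 'on-disk content matches session_encode(): ',
     var_export(file_get_contents($file) === $encoded, true), PHP_EOL;

// Remove the file so the example leaves nothing behind in the session directory.
unlink($file);
```

Because the file name is nothing more than sess_ plus the cookie value, the directory should be readable only by the web server user, and the PHPSESSID value itself should be treated as a credential: anyone who presents it is, as far as the application can tell, the user whose data is in that file.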