Validating PHP User Sessions
How do Sessions Work?
A session works by assigning a unique identifier to a user when they come to the site. A good session identifier needs enough characters that a person cannot guess it and a program cannot enumerate it in any practical amount of time. So, generally speaking, a session identifier should be at least 32 random alphanumeric characters, though for the sake of brevity our session identifier in this article will be XYZ.
Unfortunately, since the web has no inherent way of maintaining state, assigning a unique identifier isn't as simple as it sounds. We need a way for this session identifier to be passed to every page that the user visits. There are two primary ways that session identifiers generally get passed along to subsequent pages. The first is URL rewriting, which appends ?PHPSESSID=XYZ to the end of every link on a page. This has the advantage of working for all web users, since it merely modifies the links, but it has some disadvantages: the identifier is easily lost when the back button is used, and URL rewriting also carries some security vulnerabilities that will be discussed later. The other primary way of storing the session identifier is by using cookies, which are stored on the user's computer without the user seeing them. Cookies have the advantage that they can be kept on the user's computer either until the browser window is closed or until a specified date (for "remember me" functions). The negative aspect of cookies is that, while most users have cookies enabled, some choose to disable that feature.
Fortunately, for those who don't want the hassle of working all of this out for a custom session management script, PHP makes session management very easy. In order to initiate a session, all you have to do is call session_start() before outputting anything to the browser. When session_start() is called, PHP will automatically create the session if one doesn't exist, or read the session that already exists, and it will handle the URL rewriting and/or cookie setting internally. Using PHP's built-in sessions reduces your flexibility for things like "remember me" functions, but it's also a much easier way to get started learning how sessions work.
Anyway, once a session is created, you can create variables in the PHP auto-global array, $_SESSION, as simply as you would create any other variable. Those variables are then stored in a file on the web server (not on the client's computer); only the session identifier travels to the client, so the user cannot modify the stored values directly. Below is an example of how easy it can be to store information in a session. On the first page load there is no session, so the script creates one and sets the variables for name and e-mail; if the page is then reloaded, it outputs the values that were set on the first page load:
<?php
// Start (or resume) the session before any output is sent to the browser.
session_start();

if ( isset($_SESSION['name']) ) {
    // Second and later loads: the values are read back from the server-side session file.
    // Escape them so the angle brackets are displayed instead of being parsed as an HTML tag.
    echo "Hello " . htmlspecialchars($_SESSION['name'], ENT_QUOTES, 'UTF-8')
       . " &lt;" . htmlspecialchars($_SESSION['email'], ENT_QUOTES, 'UTF-8') . "&gt;";
}
else {
    // First load: no session data yet, so store the values and ask for a reload.
    $_SESSION['name'] = "John Doe";
    $_SESSION['email'] = "[email protected]";
    echo "Session created, refresh page";
}
?>
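The script above shows the mechanics; the following is an added example, not part of the original article, of what a validating session bootstrap looks like once the points made earlier are applied: the identifier is carried only in a cookie (never rewritten into links), the server refuses identifiers it did not issue, and each session is tied to a lightweight client fingerprint. It assumes HTTPS and PHP 7.3 or later (for the array form of session_set_cookie_params), and SESSION_SECRET and clientFingerprint() are names chosen for this example.

```php
<?php
// Added example (not the article's code): hardened session start plus a
// server-side check that the session still belongs to the same client.
// Assumes HTTPS and PHP 7.3+.

// Keep the identifier in a cookie only, so it is never appended to links
// and never accepted from the URL; strict mode rejects IDs the server
// never generated, which closes the fixation problem of URL rewriting.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');

session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie; no "remember me"
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Assumed constant; load it from configuration in real code, not from source.
const SESSION_SECRET = 'replace-with-a-long-random-value';

// Weak but cheap fingerprint: the User-Agent keyed with a server secret.
function clientFingerprint(): string {
    return hash_hmac('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '', SESSION_SECRET);
}

if (!isset($_SESSION['fingerprint'])) {
    // New session: issue a fresh ID so an identifier the client held before
    // this point cannot be reused, then bind the session to this client.
    session_regenerate_id(true);
    $_SESSION['fingerprint'] = clientFingerprint();
    $_SESSION['created']     = time();
} elseif (!hash_equals($_SESSION['fingerprint'], clientFingerprint())) {
    // Same ID presented by a different-looking client: discard the session.
    $_SESSION = [];
    session_destroy();
    http_response_code(403);
    exit('Session invalid, please sign in again.');
}

// Rotate the identifier periodically to limit how long a captured ID works.
if (time() - $_SESSION['created'] > 900) {
    session_regenerate_id(true);
    $_SESSION['created'] = time();
}

echo 'Session OK for ' . htmlspecialchars($_SESSION['name'] ?? 'guest', ENT_QUOTES, 'UTF-8');
```

The fingerprint check only catches crude reuse of a stolen identifier from a different browser; the cookie flags, strict mode and regeneration are what actually keep the identifier from leaking or being planted in the first place.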