13.3. SessionsHTML and web servers by default don't keep track of information that was entered on a page when the client's browser loads another page. This makes doing anything that involves using the same information from a user on several pages difficult. Sessions help solve this problem by maintaining data during a user's visit to your web site from page to page on your site. Each session can store many variables that are maintained throughout that session. The server keeps track of users' sessions by assigning them a unique session ID, generated by the server, when the session starts. This identifier is called the session identifier and must be sent to the server each time a page is requested once a session begins. Figure 13-7 illustrates the interaction between the client browser and web server for a session. Figure 13-7. A typical session stores some information on both the client and server hard disksSessions are stored on the server. The session variables are stored in a file and are serialized. When a variable is serialized, it's written out to a file as its name, type, and value all in a sequential string. On a Unix-based server, this file is usually written out to a directory under the /tmp (temporary) filesystem.
The browser sends the session ID to the server each time it requests a page. The browser can send the session ID to the server either through a cookie or as a URL parameter. The default is to use the cookie, but because it's possible for a user to turn off cookies in his browser preferences, we also discuss passing the session ID in the URL string. 13.3.1. Using SessionsTo start a session, place the session_start function at the beginning of your PHP script before you can store or access any data during in the session. The session_start function, used in Example 13-10, needs to execute before any other header calls or other output is sent to the browser; otherwise, your session may not work properly. Example 13-10. Simply starting a session
First, we'll discuss the way variables used to be assigned to a session, since you may see this in code you get off the Web. The old school way is to use the session_register function, shown in Example 13-11. Don't use this method in your code, as it will cause an error. Example 13-11. Registering a variable with session_register
Once the variable is bound like this in a PHP script, any changes to the variable are stored in the session. If the session isn't already started, the session_register command automatically starts it. Modern PHP interpreters return a warning with this code: Warning: Unknown(): Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively. in Unknown on line 0 The correct way is to store and access session variables by the $_SESSION global variable with the name of the variable supplied within brackets. Assigning a new variable to the $_SESSION global automatically adds it to the session. The session must be started before you can access the session variables.
For instance, Example 13-12 registers the same variable. Example 13-12. Registering a variable by including it in $_SESSION
Now if the user was to follow a link to another page on your site that starts a session, the $_SESSION global variable contains a key called hello with the string value of Hello World, as shown in Example 13-13. Example 13-13. Referencing a variable set on a prior page in the session
Therefore, the code in Example 13-13 displays this information, as shown in Figure 13-8. Figure 13-8. The value set previously in the session is accessibleEither Examples 13-11 or 13-12 can be used to register the session variable before it's requested in Example 13-13. 13.3.2. Expanding Our Login ExampleMost login systems use session variables to pass useful information around without having to re-retrieve them from the database. In Example 13-14, we're checking to see whether a user is valid, and then setting a few session variables. Example 13-14. Checking to see whether a user is valid
Example 13-14 displays Figure 13-9, followed by Figure 13-10, if you were successful. Figure 13-9. The login prompt before entering our credentialsFigure 13-10. A successful loginThe code first checks the session to see if the user_id session variable already has a value assigned to it. Subsequent pages can check for the session variables that were set at the end of Example 13-14 instead of doing another HTTP realm-based authentication and verifying that against the database. If the session has the key user_id, you know the variable was set and you can continue without any further checking. However, email addresses and URLs are difficult to validate with 100% accuracy. Obviously, you'd mandate that an email address have an @ that is followed by some combination of letters, numbers, and the period. Lastly, there is a period followed by a two- to four-letter stringfor example, .nl, ca, com, edu, uk, or info. If you mandate certain parameters, you'll be more successful during validation. When you're trying to validate a URL, you should check for the optional http://. After this, you want to see letters, numbers, or a dash, followed by a period, and then a two- to four-letter string as just described for email addresses. 13.3.3. Ending a SessionThere are times when you want to end a session before the session times out. An example of this is when you provide a logout button or link on your page. The logout is actually done by ending the user's session. To end a session, use the session_destroy function. Of course, you must first start a session for it to make sense to destroy it. Keep in mind that ending a session doesn't make the values from that session unavailable to the rest of the currently executing PHP page. Example 13-15 provides a simple script that both ends the session and makes the session values unavailable to the rest of the PHP script. Example 13-15. Destroying a session
The code in Example 13-15 produces something like Figure 13-11. Figure 13-11. Destroying a session and clearing out the valuesWhen you destroy the session, the session data is deleted from the server's session files. To wipe out the values in the $_SESSION global variable, set it to an empty array. Although you're using $_SESSION to destroy the values from the session, if you used session_register to add variables to a session, you need to use one of two functions to remove the values from the running script. The function session_unset removes all session variables while session_unregister removes only the variable name that's sent as a parameter. We're going to address garbage collection and no, this isn't about when your garbage is collected at the curb, this is when a session is destroyed or times out. 13.3.3.1. Garbage collectionGarbage collection determines what happens to the contents of a session on the server after a session is destroyed or simply times out from inactivity. If the server didn't do periodic clean up of old sessions, they'd accumulate, endlessly wasting space, and creating clutter on the server. Garbage collection happens automatically and deletes all old session data. PHP has a load-balancing feature for garbage collection, so that old session files aren't deleted for every session request. The default timeout for session files is 1440 seconds or 24 minutes. That probably doesn't seem like a lot of time if you have a very robust site, but PHP has commands that can delete garbage following parameters you set. A session file can be deleted after that timeout, but it could reside on the server longer, depending on the amount of sessions created. The following PHP .ini variables deal with the garbage collector:
In the above variables, gc equals garbage collector. If you have enough disk space on your server, you can set the session file timeout pretty long in order to preserve most or even all sessions until the browsers are closed. However, in many cases, the session needs to expire after a certain time, so you have to change the lifetime of the session cookie itself. We'll discuss setting the session's timeout values so you get a better understanding of what you're going to need to do. 13.3.3.2. Setting a session's timeoutAfter a certain time period, it's reasonable to expect that a user's session should automatically log out, which is essentially an expiration period. PHP allows you to specifically set this duration. The best way to do this is to modify the .htaccess file. The .htaccess file affects the HTML and PHP files in the same directory as the file. It allows you to make configuration changes without modifying Apache's configuration files. Any changes made in the .htaccess file also apply to files in subdirectories unless another .htaccess file is in a subdirectory. In Example 13-16, we're using the session.gc_maxlifetime variable. Example 13-16. Session timeout
The value that comes after sessions.gc_maxlifetime is in 100ths of a second, so, if you want a session timeout of 30 minutes, you would use a value of 18000.
|