Despite the advancements of PHP in recent years that have brought it to the full-featured, object-oriented Web application development platform it has become today, it still relies, as do all other languages of its ilk, on the basics. That is, it relies on the HTTP protocol and the CGI (Common Gateway Interface, the most basic building block of any kind of interactivity on the Web) functionality that HTTP provides.
When people speak of HTTP they often describe it as stateless meaning that no "memory'' is retained from one user's request to the next; the request is made via GET or POST, data is returned, and the request is completed and, as far as the Web server is concerned, forgotten.
This characteristic isn't much use if you're trying to build complex Web applications that emulate the functionality of their equivalent desktop counterparts. You need to be able to keep track of users' previous actions, not just what they're doing right at this moment, in order to be able to produce meaningful output. Thankfully, PHP provides a way around this: sessions. This technique allows you to maintain certain stateful information from one request by the user to the next. This leads very neatly to one of the most common and useful applications of session handling that of authentication and user state persistence.
The first half of this chapter discusses PHP's built-in session-handling features. You'll see that although on the surface the functionality available to you may seem basic, it can be extended and adapted to provide enormous degrees of flexibility, including integrating with third party databases. You'll also learn the ins and outs of session security so that you can devise session architectures that keep hackers at bay.
In the second half of the chapter, you'll learn how to apply this knowledge of session management to develop an essential component of your toolkit: a reusable, database-driven authentication class that can be deployed on almost any Web site that needs users to authenticate at some stage.