Tutorials Logic, IN info@tutorialslogic.com
FAQs Support
Navigation
Home About Us Contact Us Blogs FAQs
Tutorials
HTML CSS JavaScript TypeScript Python Angular React Java Golang Node.js PHP MongoDB AWS Azure Google Cloud
All Tutorials
Services
Academic Projects Resume Writing Website Development
Practice
Quiz Challenge Interview Questions Certification Practice
Tools
Online Compiler JSON Formatter Regex Tester CSS Unit Converter Color Picker
Compiler Tools

PHP Sessions session_start, $_SESSION: Tutorial, Examples, FAQs & Interview Tips

What are PHP Sessions?

PHP sessions provide a way to store information (in variables) to be used across multiple pages. Unlike cookies, which are stored on the client's browser, session data is stored on the server. This makes sessions more secure for storing sensitive information like user authentication status, shopping cart contents, or user preferences.

When a session is started, PHP creates a unique session ID (a long random string) and sends it to the browser as a cookie named PHPSESSID. On subsequent requests, the browser sends this session ID back to the server, allowing PHP to retrieve the stored session data for that specific user.

How Sessions Work

  1. User visits the website - PHP generates a unique session ID
  2. Session ID is sent to browser - Stored as a cookie (PHPSESSID)
  3. Session data stored on server - In files, database, or memory
  4. Browser sends session ID with each request - PHP retrieves session data
  5. Session ends - When browser closes or session_destroy() is called

Starting a Session

To use sessions, you must call session_start() at the very beginning of your PHP script, before any HTML output. This function either starts a new session or resumes an existing one based on the session ID passed via cookie.

Starting a Session 
<?php

// MUST be the first line before any HTML or output

session_start();



// Now you can use $_SESSION superglobal

echo "Session started successfully!";

echo "Session ID: " . session_id();

?>

Setting and Getting Session Variables

Session variables are stored in the $_SESSION superglobal array. You can store any type of data: strings, numbers, arrays, or even objects.

Session Variables 
<?php

session_start();



// Set session variables

$_SESSION['user_id']  = 42;

$_SESSION['username'] = 'alice';

$_SESSION['email']    = 'alice@example.com';

$_SESSION['role']     = 'admin';

$_SESSION['login_time'] = time();



// Store arrays

$_SESSION['cart'] = [

    'item1' => 'Laptop',

    'item2' => 'Mouse',

    'item3' => 'Keyboard'

];



// Store objects

$_SESSION['user_obj'] = (object)[

    'id' => 42,

    'name' => 'Alice',

    'premium' => true

];



echo "Session variables set successfully!";

?>
<?php

session_start();



// Read session variables

echo "User ID: " . $_SESSION['user_id'] . "<br>";

echo "Username: " . $_SESSION['username'] . "<br>";

echo "Email: " . $_SESSION['email'] . "<br>";



// Check if session variable exists

if (isset($_SESSION['user_id'])) {

    echo "User is logged in!<br>";

} else {

    echo "User is not logged in!<br>";

}



// Access array elements

echo "Cart Item 1: " . $_SESSION['cart']['item1'] . "<br>";



// Access object properties

echo "User Name: " . $_SESSION['user_obj']->name . "<br>";

echo "Premium: " . ($_SESSION['user_obj']->premium ? 'Yes' : 'No');



// Use null coalescing operator for safety

$username = $_SESSION['username'] ?? 'Guest';

echo "Welcome, $username!";

?>

Modifying and Removing Session Variables

You can modify session variables by simply reassigning them, and remove specific variables using unset().

Modify and Remove 
<?php

session_start();



// Modify existing session variable

$_SESSION['username'] = 'bob';  // Changed from 'alice' to 'bob'



// Increment a counter

if (!isset($_SESSION['page_views'])) {

    $_SESSION['page_views'] = 0;

}

$_SESSION['page_views']++;



echo "Page views: " . $_SESSION['page_views'] . "<br>";



// Remove a single session variable

unset($_SESSION['email']);



// Remove multiple variables

unset($_SESSION['cart'], $_SESSION['user_obj']);



// Check if variable was removed

if (!isset($_SESSION['email'])) {

    echo "Email session variable removed!";

}

?>

Destroying Sessions (Logout)

To completely log out a user and destroy all session data, you need to: 1) unset all session variables, 2) destroy the session on the server, and 3) optionally delete the session cookie from the browser.

Complete Session Destruction 
<?php

session_start();



// Step 1: Unset all session variables

$_SESSION = [];



// Alternative: session_unset();



// Step 2: Delete the session cookie from browser

if (ini_get("session.use_cookies")) {

    $params = session_get_cookie_params();

    setcookie(

        session_name(),

        '',

        time() - 42000,

        $params["path"],

        $params["domain"],

        $params["secure"],

        $params["httponly"]

    );

}



// Step 3: Destroy the session on the server

session_destroy();



echo "You have been logged out successfully!";



// Redirect to login page

header("Location: login.php");

exit;

?>

Practical Login System Example

Here's a complete example of a login system using sessions, including login, authentication check, and logout functionality.

Complete Login System 
<?php

session_start();



// Redirect if already logged in

if (isset($_SESSION['user_id'])) {

    header("Location: dashboard.php");

    exit;

}



$error = '';



if ($_SERVER['REQUEST_METHOD'] === 'POST') {

    $username = trim($_POST['username'] ?? '');

    $password = $_POST['password'] ?? '';

    

    // In production: query database and use password_verify()

    // Example: SELECT * FROM users WHERE username = ?

    // Then: password_verify($password, $row['password_hash'])

    

    // Demo credentials (DO NOT use in production!)

    if ($username === 'admin' && $password === 'secret123') {

        // Regenerate session ID to prevent session fixation attacks

        session_regenerate_id(true);

        

        // Set session variables

        $_SESSION['user_id']    = 1;

        $_SESSION['username']   = $username;

        $_SESSION['role']       = 'admin';

        $_SESSION['login_time'] = time();

        $_SESSION['ip_address'] = $_SERVER['REMOTE_ADDR'];

        

        // Redirect to dashboard

        header("Location: dashboard.php");

        exit;

    } else {

        $error = "Invalid username or password!";

    }

}

?>

<!DOCTYPE html>

<html>

<head>

    <title>Login</title>

</head>

<body>

    <h2>Login</h2>

    <?php if ($error): ?>

        <p style="color: red;"><?= htmlspecialchars($error) ?></p>

    <?php endif; ?>

    

    <form method="POST">

        <label>Username: <input type="text" name="username" required></label><br>

        <label>Password: <input type="password" name="password" required></label><br>

        <button type="submit">Login</button>

    </form>

</body>

</html>
<?php

session_start();



// Check if user is logged in

if (!isset($_SESSION['user_id'])) {

    header("Location: login.php");

    exit;

}



// Session timeout (30 minutes = 1800 seconds)

$timeout = 1800;

if (isset($_SESSION['login_time']) && 

    (time() - $_SESSION['login_time']) > $timeout) {

    session_destroy();

    header("Location: login.php?msg=timeout");

    exit;

}



// Update last activity time

$_SESSION['login_time'] = time();



// Get session data

$username = htmlspecialchars($_SESSION['username']);

$role = htmlspecialchars($_SESSION['role']);

$login_duration = time() - $_SESSION['login_time'];

?>

<!DOCTYPE html>

<html>

<head>

    <title>Dashboard</title>

</head>

<body>

    <h2>Welcome, <?= $username ?>!</h2>

    <p>Role: <?= $role ?></p>

    <p>Session ID: <?= session_id() ?></p>

    <p>Logged in from: <?= $_SESSION['ip_address'] ?></p>

    

    <a href="logout.php">Logout</a>

</body>

</html>
<?php

// auth_check.php - Include this at the top of protected pages

session_start();



function requireLogin() {

    if (!isset($_SESSION['user_id'])) {

        header("Location: login.php");

        exit;

    }

}



function requireRole($required_role) {

    requireLogin();

    if ($_SESSION['role'] !== $required_role) {

        die("Access denied! You need $required_role role.");

    }

}



function checkSessionTimeout($timeout = 1800) {

    if (isset($_SESSION['login_time']) && 

        (time() - $_SESSION['login_time']) > $timeout) {

        session_destroy();

        header("Location: login.php?msg=timeout");

        exit;

    }

    $_SESSION['login_time'] = time();

}



// Usage in protected pages:

// require_once 'auth_check.php';

// requireLogin();

// checkSessionTimeout();

?>

Session Security Best Practices

PracticeImplementationWhy
Regenerate Session IDsession_regenerate_id(true) after loginPrevents session fixation attacks
Use HTTPSSet session.cookie_secure = 1 in php.iniPrevents session hijacking over HTTP
HttpOnly Cookiessession.cookie_httponly = 1Prevents XSS attacks from stealing session ID
Session TimeoutCheck time() - $_SESSION['login_time']Limits exposure if session is compromised
Validate IP AddressStore and check $_SERVER['REMOTE_ADDR']Detects session hijacking attempts
Use Strong Session IDssession.entropy_length = 32Makes session IDs harder to guess

Session Configuration (php.ini)

Recommended php.ini Settings 
; Session configuration for security

session.cookie_httponly = 1       ; Prevent JavaScript access to session cookie

session.cookie_secure = 1         ; Only send cookie over HTTPS

session.use_strict_mode = 1       ; Reject uninitialized session IDs

session.use_only_cookies = 1      ; Don't accept session IDs from URLs

session.cookie_samesite = "Strict" ; CSRF protection



; Session lifetime

session.gc_maxlifetime = 1800     ; 30 minutes

session.cookie_lifetime = 0       ; Cookie expires when browser closes



; Session storage

session.save_path = "/var/lib/php/sessions"  ; Where to store session files

session.name = "PHPSESSID"        ; Session cookie name

Common Session Functions

FunctionDescriptionExample
session_start()Start or resume a sessionsession_start();
session_destroy()Destroy all session datasession_destroy();
session_unset()Unset all session variablessession_unset();
session_id()Get or set session ID$id = session_id();
session_regenerate_id()Generate new session IDsession_regenerate_id(true);
session_name()Get or set session name$name = session_name();
session_status()Check session statusif (session_status() === PHP_SESSION_ACTIVE)
session_save_path()Get or set session save path$path = session_save_path();
Key Takeaways
  • Sessions store data on the server (more secure than cookies), identified by a session ID sent to the browser.
  • Always call session_start() at the beginning of your script before any output.
  • Use session_regenerate_id(true) after login to prevent session fixation attacks.
  • Implement session timeouts to automatically log out inactive users.
  • Never store sensitive data like passwords in sessions - only store user IDs and non-sensitive info.
  • Always destroy sessions properly on logout using session_destroy() and delete the session cookie.
Previous Next

Level Up Your Php Skills

Master Php with these hand-picked resources

Interview Questions
Ace your next interview
50+ questions with detailed answers
Prepare Now
Online Compiler
Practice coding instantly
Write, run & test code in browser
Try It Now
All Php Tutorials
Complete learning path
From basics to advanced concepts
View All
10,000+ learners
Free forever
Updated 2026

Ready to Level Up Your Skills?

Explore 500+ free tutorials across 20+ languages and frameworks.

Browse Tutorials Contact Us