PHP is a practical PHP topic that becomes clear when you connect the definition to a small working example.
Use this page to understand what happens, why it happens, how to verify it, and what mistake usually breaks the concept.
After reading, practice PHP with a normal case, a boundary case, and a broken case so the idea becomes usable instead of memorized.
PHP Sessions session_start $_SESSION should be studied as a practical PHP lesson, not as a label. Start by naming the input, the rule that changes the input, and the result a learner should be able to predict after reading the page.
In the php > sessions page, the notes should connect the definition with a working scenario, a mistake that beginners actually make, and the exact check that proves the fix. That makes the topic useful for coding, debugging, and interview revision.
PHP sessions provide a way to store information (in variables) to be used across multiple pages. Unlike cookies, which are stored on the client's browser, session data is stored on the server. This makes sessions more secure for storing sensitive information like user authentication status, shopping cart contents, or user preferences.
When a session is started, PHP creates a unique session ID (a long random string) and sends it to the browser as a cookie named PHPSESSID. On subsequent requests, the browser sends this session ID back to the server, allowing PHP to retrieve the stored session data for that specific user.
To use sessions, you must call session_start() at the very beginning of your PHP script, before any HTML output. This function either starts a new session or resumes an existing one based on the session ID passed via cookie.
<?php
// MUST be the first line before any HTML or output
session_start();
// Now you can use $_SESSION superglobal
echo "Session started successfully!";
echo "Session ID: " . session_id();
?>
Session variables are stored in the $_SESSION superglobal array. You can store any type of data: strings, numbers, arrays, or even objects.
<?php
session_start();
// Set session variables
$_SESSION['user_id'] = 42;
$_SESSION['username'] = 'alice';
$_SESSION['email'] = 'alice@example.com';
$_SESSION['role'] = 'admin';
$_SESSION['login_time'] = time();
// Store arrays
$_SESSION['cart'] = [
'item1' => 'Laptop',
'item2' => 'Mouse',
'item3' => 'Keyboard'
];
// Store objects
$_SESSION['user_obj'] = (object)[
'id' => 42,
'name' => 'Alice',
'premium' => true
];
echo "Session variables set successfully!";
?>
<?php
session_start();
// Read session variables
echo "User ID: " . $_SESSION['user_id'] . "<br>";
echo "Username: " . $_SESSION['username'] . "<br>";
echo "Email: " . $_SESSION['email'] . "<br>";
// Check if session variable exists
if (isset($_SESSION['user_id'])) {
echo "User is logged in!<br>";
} else {
echo "User is not logged in!<br>";
}
// Access array elements
echo "Cart Item 1: " . $_SESSION['cart']['item1'] . "<br>";
// Access object properties
echo "User Name: " . $_SESSION['user_obj']->name . "<br>";
echo "Premium: " . ($_SESSION['user_obj']->premium ? 'Yes' : 'No');
// Use null coalescing operator for safety
$username = $_SESSION['username'] ?? 'Guest';
echo "Welcome, $username!";
?>
You can modify session variables by simply reassigning them, and remove specific variables using unset().
<?php
session_start();
// Modify existing session variable
$_SESSION['username'] = 'bob'; // Changed from 'alice' to 'bob'
// Increment a counter
if (!isset($_SESSION['page_views'])) {
$_SESSION['page_views'] = 0;
}
$_SESSION['page_views']++;
echo "Page views: " . $_SESSION['page_views'] . "<br>";
// Remove a single session variable
unset($_SESSION['email']);
// Remove multiple variables
unset($_SESSION['cart'], $_SESSION['user_obj']);
// Check if variable was removed
if (!isset($_SESSION['email'])) {
echo "Email session variable removed!";
}
?>
To completely log out a user and destroy all session data, you need to: 1) unset all session variables, 2) destroy the session on the server, and 3) optionally delete the session cookie from the browser.
<?php
session_start();
// Step 1: Unset all session variables
$_SESSION = [];
// Alternative: session_unset();
// Step 2: Delete the session cookie from browser
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(
session_name(),
'',
time() - 42000,
$params["path"],
$params["domain"],
$params["secure"],
$params["httponly"]
);
}
// Step 3: Destroy the session on the server
session_destroy();
echo "You have been logged out successfully!";
// Redirect to login page
header("Location: login.php");
exit;
?>
Here's a complete example of a login system using sessions, including login, authentication check, and logout functionality.
<?php
session_start();
// Redirect if already logged in
if (isset($_SESSION['user_id'])) {
header("Location: dashboard.php");
exit;
}
$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$username = trim($_POST['username'] ?? '');
$password = $_POST['password'] ?? '';
// In production: query database and use password_verify()
// Example: SELECT * FROM users WHERE username = ?
// Then: password_verify($password, $row['password_hash'])
// Demo credentials (DO NOT use in production!)
if ($username === 'admin' && $password === 'secret123') {
// Regenerate session ID to prevent session fixation attacks
session_regenerate_id(true);
// Set session variables
$_SESSION['user_id'] = 1;
$_SESSION['username'] = $username;
$_SESSION['role'] = 'admin';
$_SESSION['login_time'] = time();
$_SESSION['ip_address'] = $_SERVER['REMOTE_ADDR'];
// Redirect to dashboard
header("Location: dashboard.php");
exit;
} else {
$error = "Invalid username or password!";
}
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Login</title>
</head>
<body>
<h2>Login</h2>
<?php if ($error): ?>
<p style="color: red;"><?= htmlspecialchars($error) ?></p>
<?php endif; ?>
<form method="POST">
<label>Username: <input type="text" name="username" required></label><br>
<label>Password: <input type="password" name="password" required></label><br>
<button type="submit">Login</button>
</form>
</body>
</html>
<?php
session_start();
// Check if user is logged in
if (!isset($_SESSION['user_id'])) {
header("Location: login.php");
exit;
}
// Session timeout (30 minutes = 1800 seconds)
$timeout = 1800;
if (isset($_SESSION['login_time']) &&
(time() - $_SESSION['login_time']) > $timeout) {
session_destroy();
header("Location: login.php?msg=timeout");
exit;
}
// Update last activity time
$_SESSION['login_time'] = time();
// Get session data
$username = htmlspecialchars($_SESSION['username']);
$role = htmlspecialchars($_SESSION['role']);
$login_duration = time() - $_SESSION['login_time'];
?>
<!DOCTYPE html>
<html>
<head>
<title>Dashboard</title>
</head>
<body>
<h2>Welcome, <?= $username ?>!</h2>
<p>Role: <?= $role ?></p>
<p>Session ID: <?= session_id() ?></p>
<p>Logged in from: <?= $_SESSION['ip_address'] ?></p>
<a href="logout.php">Logout</a>
</body>
</html>
<?php
// auth_check.php - Include this at the top of protected pages
session_start();
function requireLogin() {
if (!isset($_SESSION['user_id'])) {
header("Location: login.php");
exit;
}
}
function requireRole($required_role) {
requireLogin();
if ($_SESSION['role'] !== $required_role) {
die("Access denied! You need $required_role role.");
}
}
function checkSessionTimeout($timeout = 1800) {
if (isset($_SESSION['login_time']) &&
(time() - $_SESSION['login_time']) > $timeout) {
session_destroy();
header("Location: login.php?msg=timeout");
exit;
}
$_SESSION['login_time'] = time();
}
// Usage in protected pages:
// require_once 'auth_check.php';
// requireLogin();
// checkSessionTimeout();
?>
| Practice | Implementation | Why |
|---|---|---|
| Regenerate Session ID | session_regenerate_id(true) after login | Prevents session fixation attacks |
| Use HTTPS | Set session.cookie_secure = 1 in php.ini | Prevents session hijacking over HTTP |
| HttpOnly Cookies | session.cookie_httponly = 1 | Prevents XSS attacks from stealing session ID |
| Session Timeout | Check time() - $_SESSION['login_time'] | Limits exposure if session is compromised |
| Validate IP Address | Store and check $_SERVER['REMOTE_ADDR'] | Detects session hijacking attempts |
| Use Strong Session IDs | session.entropy_length = 32 | Makes session IDs harder to guess |
; Session configuration for security
session.cookie_httponly = 1 ; Prevent JavaScript access to session cookie
session.cookie_secure = 1 ; Only send cookie over HTTPS
session.use_strict_mode = 1 ; Reject uninitialized session IDs
session.use_only_cookies = 1 ; Don't accept session IDs from URLs
session.cookie_samesite = "Strict" ; CSRF protection
; Session lifetime
session.gc_maxlifetime = 1800 ; 30 minutes
session.cookie_lifetime = 0 ; Cookie expires when browser closes
; Session storage
session.save_path = "/var/lib/php/sessions" ; Where to store session files
session.name = "PHPSESSID" ; Session cookie name
| Function | Description | Example |
|---|---|---|
| session_start() | Start or resume a session | session_start(); |
| session_destroy() | Destroy all session data | session_destroy(); |
| session_unset() | Unset all session variables | session_unset(); |
| session_id() | Get or set session ID | $id = session_id(); |
| session_regenerate_id() | Generate new session ID | session_regenerate_id(true); |
| session_name() | Get or set session name | $name = session_name(); |
| session_status() | Check session status | if (session_status() === PHP_SESSION_ACTIVE) |
| session_save_path() | Get or set session save path | $path = session_save_path(); |
PHP should be learned as a practical PHP skill, not only as a definition. Start by asking what problem the topic solves, what input or state it receives, what rule it applies, and what visible result proves it worked.
A strong explanation of PHP includes the normal case, a boundary case, and a failure case. When you practice, write down the before-state, the operation, the after-state, and the reason the result changed.
This lesson was expanded because the audit reported: under 650 content words; limited checklist/practice/mistake/FAQ notes . The added notes below focus on clearer explanation, more examples, and concrete practice so the topic is easier to understand from the page itself.
Imagine you are adding PHP to a small learning project. The first step is to choose the smallest scenario that still shows the main idea. Avoid starting with a large production design; it hides the concept behind too many details.
Next, isolate the moving parts. Name the input, the rule, the output, and the possible error. This habit makes the topic easier to debug because you can see whether the problem is caused by bad data, wrong configuration, incorrect syntax, timing, permissions, or misunderstanding of the rule.
Finally, compare two versions: one correct version and one intentionally broken version. The broken version is valuable because it teaches you how the topic fails in real work, which is usually what interviews and debugging tasks test.
<?php
$topic = 'PHP';
$cases = ['normal', 'missing', 'invalid'];
foreach ($cases as $case) {
echo $topic . ': test ' . $case . PHP_EOL;
}
<?php
function explainPhp(?string $value): string
{
if ($value === null || trim($value) === '') {
return 'Provide a clear value before using PHP.';
}
return 'Ready: ' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}
echo explainPhp('demo');
Memorizing PHP as a definition only.
Pair the definition with a small working example and a failure example.
Copying syntax without checking the state before and after.
Write the input state, apply the rule, then inspect the output state.
Ignoring the error path for PHP.
Create one intentionally broken version and document the symptom and fix.
Memorizing PHP Sessions session_start $_SESSION without the situation where it is useful.
Connect PHP Sessions session_start $_SESSION to a concrete PHP task.
Understand the problem it solves, the input or state it works on, and the visible result that proves the concept is working.
Use one tiny correct example, one boundary example, and one broken example. Compare the output or state after each change.
They often memorize the term without tracing the behavior. Tracing makes the rule easier to remember and debug.
Remember the problem it solves in PHP, then attach the syntax or steps to that problem.
Explore 500+ free tutorials across 20+ languages and frameworks.