Tutorials Logic, IN info@tutorialslogic.com

PHP Sessions session_start, $_SESSION

PHP Sessions session_start, $_SESSION

PHP is a practical PHP topic that becomes clear when you connect the definition to a small working example.

Use this page to understand what happens, why it happens, how to verify it, and what mistake usually breaks the concept.

After reading, practice PHP with a normal case, a boundary case, and a broken case so the idea becomes usable instead of memorized.

PHP Sessions session_start $_SESSION should be studied as a practical PHP lesson, not as a label. Start by naming the input, the rule that changes the input, and the result a learner should be able to predict after reading the page.

In the php > sessions page, the notes should connect the definition with a working scenario, a mistake that beginners actually make, and the exact check that proves the fix. That makes the topic useful for coding, debugging, and interview revision.

What are PHP Sessions?

PHP sessions provide a way to store information (in variables) to be used across multiple pages. Unlike cookies, which are stored on the client's browser, session data is stored on the server. This makes sessions more secure for storing sensitive information like user authentication status, shopping cart contents, or user preferences.

When a session is started, PHP creates a unique session ID (a long random string) and sends it to the browser as a cookie named PHPSESSID. On subsequent requests, the browser sends this session ID back to the server, allowing PHP to retrieve the stored session data for that specific user.

How Sessions Work

  • User visits the website - PHP generates a unique session ID
  • Session ID is sent to browser - Stored as a cookie (PHPSESSID)
  • Session data stored on server - In files, database, or memory
  • Browser sends session ID with each request - PHP retrieves session data
  • Session ends - When browser closes or session_destroy() is called

Starting a Session

To use sessions, you must call session_start() at the very beginning of your PHP script, before any HTML output. This function either starts a new session or resumes an existing one based on the session ID passed via cookie.

Starting a Session

Starting a Session
<?php

// MUST be the first line before any HTML or output

session_start();



// Now you can use $_SESSION superglobal

echo "Session started successfully!";

echo "Session ID: " . session_id();

?>

Setting and Getting Session Variables

Session variables are stored in the $_SESSION superglobal array. You can store any type of data: strings, numbers, arrays, or even objects.

Session Variables

Session Variables
<?php

session_start();



// Set session variables

$_SESSION['user_id']  = 42;

$_SESSION['username'] = 'alice';

$_SESSION['email']    = 'alice@example.com';

$_SESSION['role']     = 'admin';

$_SESSION['login_time'] = time();



// Store arrays

$_SESSION['cart'] = [

    'item1' => 'Laptop',

    'item2' => 'Mouse',

    'item3' => 'Keyboard'

];



// Store objects

$_SESSION['user_obj'] = (object)[

    'id' => 42,

    'name' => 'Alice',

    'premium' => true

];



echo "Session variables set successfully!";

?>

Setting and Getting Session Variables

Setting and Getting Session Variables
<?php

session_start();



// Read session variables

echo "User ID: " . $_SESSION['user_id'] . "<br>";

echo "Username: " . $_SESSION['username'] . "<br>";

echo "Email: " . $_SESSION['email'] . "<br>";



// Check if session variable exists

if (isset($_SESSION['user_id'])) {

    echo "User is logged in!<br>";

} else {

    echo "User is not logged in!<br>";

}



// Access array elements

echo "Cart Item 1: " . $_SESSION['cart']['item1'] . "<br>";



// Access object properties

echo "User Name: " . $_SESSION['user_obj']->name . "<br>";

echo "Premium: " . ($_SESSION['user_obj']->premium ? 'Yes' : 'No');



// Use null coalescing operator for safety

$username = $_SESSION['username'] ?? 'Guest';

echo "Welcome, $username!";

?>

Modifying and Removing Session Variables

You can modify session variables by simply reassigning them, and remove specific variables using unset().

Modify and Remove

Modify and Remove
<?php

session_start();



// Modify existing session variable

$_SESSION['username'] = 'bob';  // Changed from 'alice' to 'bob'



// Increment a counter

if (!isset($_SESSION['page_views'])) {

    $_SESSION['page_views'] = 0;

}

$_SESSION['page_views']++;



echo "Page views: " . $_SESSION['page_views'] . "<br>";



// Remove a single session variable

unset($_SESSION['email']);



// Remove multiple variables

unset($_SESSION['cart'], $_SESSION['user_obj']);



// Check if variable was removed

if (!isset($_SESSION['email'])) {

    echo "Email session variable removed!";

}

?>

Destroying Sessions (Logout)

To completely log out a user and destroy all session data, you need to: 1) unset all session variables, 2) destroy the session on the server, and 3) optionally delete the session cookie from the browser.

Complete Session Destruction

Complete Session Destruction
<?php

session_start();



// Step 1: Unset all session variables

$_SESSION = [];



// Alternative: session_unset();



// Step 2: Delete the session cookie from browser

if (ini_get("session.use_cookies")) {

    $params = session_get_cookie_params();

    setcookie(

        session_name(),

        '',

        time() - 42000,

        $params["path"],

        $params["domain"],

        $params["secure"],

        $params["httponly"]

    );

}



// Step 3: Destroy the session on the server

session_destroy();



echo "You have been logged out successfully!";



// Redirect to login page

header("Location: login.php");

exit;

?>

Practical Login System Example

Here's a complete example of a login system using sessions, including login, authentication check, and logout functionality.

Complete Login System

Complete Login System
<?php

session_start();



// Redirect if already logged in

if (isset($_SESSION['user_id'])) {

    header("Location: dashboard.php");

    exit;

}



$error = '';



if ($_SERVER['REQUEST_METHOD'] === 'POST') {

    $username = trim($_POST['username'] ?? '');

    $password = $_POST['password'] ?? '';



    // In production: query database and use password_verify()

    // Example: SELECT * FROM users WHERE username = ?

    // Then: password_verify($password, $row['password_hash'])



    // Demo credentials (DO NOT use in production!)

    if ($username === 'admin' && $password === 'secret123') {

        // Regenerate session ID to prevent session fixation attacks

        session_regenerate_id(true);



        // Set session variables

        $_SESSION['user_id']    = 1;

        $_SESSION['username']   = $username;

        $_SESSION['role']       = 'admin';

        $_SESSION['login_time'] = time();

        $_SESSION['ip_address'] = $_SERVER['REMOTE_ADDR'];



        // Redirect to dashboard

        header("Location: dashboard.php");

        exit;

    } else {

        $error = "Invalid username or password!";

    }

}

?>

<!DOCTYPE html>

<html>

<head>

    <title>Login</title>

</head>

<body>

    <h2>Login</h2>

    <?php if ($error): ?>

        <p style="color: red;"><?= htmlspecialchars($error) ?></p>

    <?php endif; ?>



    <form method="POST">

        <label>Username: <input type="text" name="username" required></label><br>

        <label>Password: <input type="password" name="password" required></label><br>

        <button type="submit">Login</button>

    </form>

</body>

</html>

Practical Login System Example

Practical Login System Example
<?php

session_start();



// Check if user is logged in

if (!isset($_SESSION['user_id'])) {

    header("Location: login.php");

    exit;

}



// Session timeout (30 minutes = 1800 seconds)

$timeout = 1800;

if (isset($_SESSION['login_time']) &&

    (time() - $_SESSION['login_time']) > $timeout) {

    session_destroy();

    header("Location: login.php?msg=timeout");

    exit;

}



// Update last activity time

$_SESSION['login_time'] = time();



// Get session data

$username = htmlspecialchars($_SESSION['username']);

$role = htmlspecialchars($_SESSION['role']);

$login_duration = time() - $_SESSION['login_time'];

?>

<!DOCTYPE html>

<html>

<head>

    <title>Dashboard</title>

</head>

<body>

    <h2>Welcome, <?= $username ?>!</h2>

    <p>Role: <?= $role ?></p>

    <p>Session ID: <?= session_id() ?></p>

    <p>Logged in from: <?= $_SESSION['ip_address'] ?></p>



    <a href="logout.php">Logout</a>

</body>

</html>

Practical Login System Example

Practical Login System Example
<?php

// auth_check.php - Include this at the top of protected pages

session_start();



function requireLogin() {

    if (!isset($_SESSION['user_id'])) {

        header("Location: login.php");

        exit;

    }

}



function requireRole($required_role) {

    requireLogin();

    if ($_SESSION['role'] !== $required_role) {

        die("Access denied! You need $required_role role.");

    }

}



function checkSessionTimeout($timeout = 1800) {

    if (isset($_SESSION['login_time']) &&

        (time() - $_SESSION['login_time']) > $timeout) {

        session_destroy();

        header("Location: login.php?msg=timeout");

        exit;

    }

    $_SESSION['login_time'] = time();

}



// Usage in protected pages:

// require_once 'auth_check.php';

// requireLogin();

// checkSessionTimeout();

?>

Session Security Best Practices

Practice Implementation Why
Regenerate Session ID session_regenerate_id(true) after login Prevents session fixation attacks
Use HTTPS Set session.cookie_secure = 1 in php.ini Prevents session hijacking over HTTP
HttpOnly Cookies session.cookie_httponly = 1 Prevents XSS attacks from stealing session ID
Session Timeout Check time() - $_SESSION['login_time'] Limits exposure if session is compromised
Validate IP Address Store and check $_SERVER['REMOTE_ADDR'] Detects session hijacking attempts
Use Strong Session IDs session.entropy_length = 32 Makes session IDs harder to guess

Session Configuration (php.ini)

Recommended php.ini Settings

Recommended php.ini Settings
; Session configuration for security

session.cookie_httponly = 1       ; Prevent JavaScript access to session cookie

session.cookie_secure = 1         ; Only send cookie over HTTPS

session.use_strict_mode = 1       ; Reject uninitialized session IDs

session.use_only_cookies = 1      ; Don't accept session IDs from URLs

session.cookie_samesite = "Strict" ; CSRF protection



; Session lifetime

session.gc_maxlifetime = 1800     ; 30 minutes

session.cookie_lifetime = 0       ; Cookie expires when browser closes



; Session storage

session.save_path = "/var/lib/php/sessions"  ; Where to store session files

session.name = "PHPSESSID"        ; Session cookie name

Common Session Functions

Function Description Example
session_start() Start or resume a session session_start();
session_destroy() Destroy all session data session_destroy();
session_unset() Unset all session variables session_unset();
session_id() Get or set session ID $id = session_id();
session_regenerate_id() Generate new session ID session_regenerate_id(true);
session_name() Get or set session name $name = session_name();
session_status() Check session status if (session_status() === PHP_SESSION_ACTIVE)
session_save_path() Get or set session save path $path = session_save_path();

Deep Study Notes for PHP

PHP should be learned as a practical PHP skill, not only as a definition. Start by asking what problem the topic solves, what input or state it receives, what rule it applies, and what visible result proves it worked.

A strong explanation of PHP includes the normal case, a boundary case, and a failure case. When you practice, write down the before-state, the operation, the after-state, and the reason the result changed.

This lesson was expanded because the audit reported: under 650 content words; limited checklist/practice/mistake/FAQ notes . The added notes below focus on clearer explanation, more examples, and concrete practice so the topic is easier to understand from the page itself.

  • Define the exact problem solved by PHP before looking at syntax.
  • Trace one small example by hand and describe every step in plain language.
  • Identify what changes when the input is empty, repeated, invalid, delayed, or larger than expected.
  • Connect the topic to a realistic project scenario instead of treating it as isolated theory.
  • Verify your answer with output, logs, query results, browser behavior, compiler feedback, or a state table.

Worked Explanation: Using PHP Correctly

Imagine you are adding PHP to a small learning project. The first step is to choose the smallest scenario that still shows the main idea. Avoid starting with a large production design; it hides the concept behind too many details.

Next, isolate the moving parts. Name the input, the rule, the output, and the possible error. This habit makes the topic easier to debug because you can see whether the problem is caused by bad data, wrong configuration, incorrect syntax, timing, permissions, or misunderstanding of the rule.

Finally, compare two versions: one correct version and one intentionally broken version. The broken version is valuable because it teaches you how the topic fails in real work, which is usually what interviews and debugging tasks test.

  • Normal case: show the expected behavior with simple, valid input.
  • Boundary case: test the smallest, largest, empty, repeated, or unusual value that still belongs to the topic.
  • Failure case: introduce one realistic mistake and explain the symptom it creates.
  • Repair step: change one thing at a time so you know exactly what fixed the problem.

PHP PHP example

PHP PHP example
<?php
$topic = 'PHP';
$cases = ['normal', 'missing', 'invalid'];
foreach ($cases as $case) {
    echo $topic . ': test ' . $case . PHP_EOL;
}

PHP safer PHP handling

PHP safer PHP handling
<?php
function explainPhp(?string $value): string
{
    if ($value === null || trim($value) === '') {
        return 'Provide a clear value before using PHP.';
    }
    return 'Ready: ' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

echo explainPhp('demo');
Key Takeaways
  • State the purpose of PHP in one sentence before using it.
  • Create a tiny PHP example that demonstrates the topic without unrelated code.
  • Test one normal input, one edge input, and one incorrect input for PHP.
  • Explain the result using before-state, operation, and after-state.
  • Add a verification step such as output, logs, query results, browser behavior, or compiler feedback.
Common Mistakes to Avoid
WRONG Memorizing PHP as a definition only.
RIGHT Pair the definition with a small working example and a failure example.
The fastest way to remember the topic is to explain why the output changes.
WRONG Copying syntax without checking the state before and after.
RIGHT Write the input state, apply the rule, then inspect the output state.
State tracing turns confusing behavior into a visible sequence.
WRONG Ignoring the error path for PHP.
RIGHT Create one intentionally broken version and document the symptom and fix.
A page is much easier to learn from when it explains both success and failure.
WRONG Memorizing PHP Sessions session_start $_SESSION without the situation where it is useful.
RIGHT Connect PHP Sessions session_start $_SESSION to a concrete PHP task.
Purpose makes syntax easier to recall.

Practice Tasks

  • Build the smallest working demo for PHP and write what each line does.
  • Change one input or setting and predict the result before running it.
  • Break the example in a realistic way, then fix it and describe the repair.
  • Create a two-column note comparing when to use PHP and when another approach is better.
  • Explain PHP aloud as if teaching a beginner who knows basic PHP only.

Frequently Asked Questions

Understand the problem it solves, the input or state it works on, and the visible result that proves the concept is working.

Use one tiny correct example, one boundary example, and one broken example. Compare the output or state after each change.

They often memorize the term without tracing the behavior. Tracing makes the rule easier to remember and debug.

Remember the problem it solves in PHP, then attach the syntax or steps to that problem.

Ready to Level Up Your Skills?

Explore 500+ free tutorials across 20+ languages and frameworks.