What is a PHP Session

A session is a way for you to persist (save) information between requests. PHP does this by uniquely identifying users with what is called a session cookie.

For example: a user visits your website and is served the home page, index.php. The same user requests the very same home page again a few minutes later (or a different page on your PHP website).

  • How can PHP save variables between pages: for the same page request, or between different page requests?
  • How can PHP identify a specific user? (We need to uniquely identify each user if we want to save data between requests)

We can use sessions to solve these problems.

Session variables: these are the variables we would like to save between requests. It's up to you to decide which variables to save to the session, depending on your requirements.

Creating a PHP Session

Now that we have a basic understanding of sessions, we can go through example session code. We will keep our example as simple as possible to get a better understanding of session management.

Our example will use a single PHP page that is visited repeatedly by the same user. We can apply the same concepts to multiple pages and different users. Below is our initial code. It displays the number of times a user visited our page.

Welcome to PHP session fundamentals: count does not update without session.

For now, our code does not work as we expect: requesting/refreshing the page does not update the variable $pageVisitCount.

Let's update our code to begin using sessions. Start the session by calling the session_start function. The session_start function starts a new session or resumes an existing session. It will return TRUE if the session was successfully started.

We call session_start on our first line of code and store its return value in the variable sessionStarted. We can then check whether the session did actually start and run the appropriate code, in our case: to display the text 'Session started'.

We can control the session timeout or cookie lifetime by passing the cookie_lifetime option to the session_start function.

For the above example, our session will be valid for 30 days from the last time our session was started or resumed, not from the time the session was first started.

Viewing the PHP Session ID

After successfully starting a session, the user who requested the page is assigned a unique session id. We can view the session id by calling the function session_id. Let's display the session id for our own educational purposes. You won't display session ids in a production environment for security reasons (the user can, however, view their own session id in a cookie saved to the user's browser).

Welcome to PHP session fundamentals: session id and session cookies stored in a browser window.

Updating PHP Session Variables

Now that our session is started we can save variables to the session. In PHP, you access and set session variables using the global $_SESSION. If we wanted to save a variable $person to the session, we could give it a key person. Our code would then be: $_SESSION['person'] = $person; The key can be named anything you want, but meaningful names are good practice.

We've updated our code to save the variable $pageVisitCount to the session with the key pageVisitCount. The assignment is $_SESSION['pageVisitCount'] = $pageVisitCount.

We retrieve the value from the session with the code $pageVisitCount = $_SESSION['pageVisitCount'] and use a default of 0 if the value was not previously saved to the session.

Welcome to PHP session fundamentals: session variables.

Destroying the Session

Our code now uses the session to save and retrieve variables for use on our web page. The last addition for our example would be to use session_destroy to end the session and clear the variables which were saved to the session.

We call session_destroy(); when the $pageVisitCount reaches a value of 10. In a real world example, you would typically call session_destroy(); when a user signs out of a restricted access system.
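
The steps from this walkthrough combined into one page, as an added example that is not the original page's code. The cookie_httponly, cookie_samesite and use_strict_mode options, the $sessionEnded variable and the explicit cleanup of $_SESSION and the session cookie are assumptions added here; the cleanup is included because session_destroy removes the stored session data but leaves the $_SESSION array and the browser cookie in place.

```php
<?php
// Added example: option values other than cookie_lifetime are assumptions.
// Start or resume the session before any output is sent.
$sessionStarted = session_start([
    'cookie_lifetime' => 60 * 60 * 24 * 30, // 30 days, in seconds
    'cookie_httponly' => true,  // keep the session cookie away from page scripts
    'cookie_samesite' => 'Lax', // limit cross-site sending of the cookie
    'use_strict_mode' => true,  // reject session ids the server did not issue
    // add 'cookie_secure' => true when the site is served over HTTPS
]);

if (!$sessionStarted) {
    http_response_code(500);
    exit('Session could not be started');
}

// Read the saved count, defaulting to 0 on the first visit, then save it back.
$pageVisitCount = $_SESSION['pageVisitCount'] ?? 0;
$pageVisitCount++;
$_SESSION['pageVisitCount'] = $pageVisitCount;

$sessionEnded = false;
if ($pageVisitCount >= 10) {
    // session_destroy() deletes the stored data only, so also empty
    // $_SESSION and expire the session cookie in the browser.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $params['path'],
            $params['domain'], $params['secure'], $params['httponly']);
    }
    session_destroy();
    $sessionEnded = true;
}
?>
<p>Session started</p>
<p>Page visits: <?= htmlspecialchars((string) $pageVisitCount, ENT_QUOTES) ?></p>
<?php if ($sessionEnded): ?>
<p>Session ended, the count starts again on the next request.</p>
<?php endif; ?>
```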

Key Takeaways

  • Start or resume a session using session_start, and check the return value to confirm whether the session did actually begin.
  • To increase or decrease the session validity period, use the option cookie_lifetime when starting the session.
  • session_id can be used to view the unique session id, which can also be viewed by users in their browser.
  • Use session_destroy to end a session.
  • The session example we looked at went from start to finish of session management using a single page. As an exercise, you could write an in-depth code example using multiple PHP pages.