Session Handling

Introduction
Installing/Configuring
Predefined Constants
Examples
Session Upload Progress
Sessions and security
Session Functions
- session_abort — Discard session array changes and finish session
- session_cache_expire — Return current cache expire
- session_cache_limiter — Get and/or set the current cache limiter
- session_commit — Alias of session_write_close
- session_decode — Decodes session data from a session encoded string
- session_destroy — Destroys all data registered to a session
- session_encode — Encodes the current session data as a session encoded string
- session_get_cookie_params — Get the session cookie parameters
- session_id — Get and/or set the current session id
- session_is_registered — Find out whether a global variable is registered in a session
- session_module_name — Get and/or set the current session module
- session_name — Get and/or set the current session name
- session_regenerate_id — Update the current session id with a newly generated one
- session_register_shutdown — Session shutdown function
- session_register — Register one or more global variables with the current session
- session_reset — Re-initialize session array with original values
- session_save_path — Get and/or set the current session save path
- session_set_cookie_params — Set the session cookie parameters
- session_set_save_handler — Sets user-level session storage functions
- session_start — Start new or resume existing session
- session_status — Returns the current session status
- session_unregister — Unregister a global variable from the current session
- session_unset — Free all session variables
- session_write_close — Write session data and end session
SessionHandler — The SessionHandler class
- SessionHandler::close — Close the session
- SessionHandler::create_sid — Return a new session ID
- SessionHandler::destroy — Destroy a session
- SessionHandler::gc — Cleanup old sessions
- SessionHandler::open — Initialize session
- SessionHandler::read — Read session data
- SessionHandler::write — Write session data
SessionHandlerInterface — The SessionHandlerInterface class
- SessionHandlerInterface::close — Close the session
- SessionHandlerInterface::destroy — Destroy a session
- SessionHandlerInterface::gc — Cleanup old sessions
- SessionHandlerInterface::open — Initialize session
- SessionHandlerInterface::read — Read session data
- SessionHandlerInterface::write — Write session data

User Contributed Notes

7 years ago


There is a nuance we found with session timing out although the user is still active in the session.  The problem has to do with never modifying the session variable.



The GC will clear the session data files based on their last modification time.  Thus if you never modify the session, you simply read from it, then the GC will eventually clean up.



To prevent this you need to ensure that your session is modified within the GC delete time.  You can accomplish this like below.



<?php

if( !isset($_SESSION['last_access']) || (time() - $_SESSION['last_access']) > 60 )

  $_SESSION['last_access'] = time();

?>



This will update the session every 60s to ensure that the modification date is altered.

bouvrette dot nicolas at gmail dot com

1 year ago


Be careful if you are updating to PHP 5.6 since the the Sessions's Write behavior changed.  It now only writes the session if you changed the data. So this means that if you rely on your session to update an activity time stamp on the server (to control session expiry) you will end up having issues. Here is a quick fix if you are implementing SessionHandlerInterface:

    public function close() {
        $this->write($this->id, serialize($_SESSION));
        return true;
    }

Make sure you also use this:

        ini_set('session.serialize_handler', 'php_serialize'); // Force standard PHP functions handler for flexibility

More details here:

Request #17860 (Session write short circuit)
https://bugs.php.net/bug.php?id=17860

roberto at spadim dot com dot br

5 years ago


instead of memcache, you should consider using redis
http://redis.io/commands

it have KEYS command (http://redis.io/commands/keys) that can return all keys (like 'ls'/'dir' at php sessions directory)

it allow replication too (cluster use)

i don't know if anyone wrote a version of phpsessions using redis yet, but since memcache don't have KEYS command, it's hard to know if the users is connected (at app side) or what sessions still active (not expired/not logged)

Madster

7 years ago


When you include a php file in your current script it's included, not processed separately, thus it's still within the same page and the current page hasn't finished processing.
Thus, session is not set yet. This is the expected behaviour.

If you need to load a page after setting session data, you should set session data and then send a redirection or refresh header (remember not to send anything, not even whitespace before sending headers).

Always consider session data to be updated after the next page load (as in http request completed).

elephant at punx dot pl

5 years ago


Please note, that database is NOT recommended for session storage. It can be a big performance bottleneck, especially in replicated environments.

For saving sessions, file handler seems to be very effective for most setups, except those situations:
 - if performance is an issue, the directory which stores session files can be mounted as tmpfs (ram disk).
 - if sharing sessions across multiple webservers is needed (in clustered environments), use memcache for storing session information (tip: you can setup more than one instance of memcache eliminate single point of failure). This method, however, sets a limitation of session size to 64k (this should be enough for most applications)
 - don't use NFS for sharing session files between webservers, it does not handle locking correctly and can cause corruption of session data.

Some Guy

7 years ago


Just some notes - it seems that php does the session writing after the script exits.
For example, if you set a bunch of session variables and then run session_regenerate_id() - the session variables are never written to the old session. The new session id is generated when you ask it to be generated, but the session exists only in memory until after the script exits - when the session is written and any and all session variables are written to it.

This caused me some confusion, as I'm running sessions in an sql database rather than flat file, trying to do any manipulation of the session database directly in a script where you have run session_regenerate_id() will fail for the new session ID because the insert hasn't been done yet, and setting any session variables will only be written to the new session, even if set before you regenerate the session ID.

Also - if using a database for sessions, make sure to use mysql_real_escape_string() before saving any session variables.