Module 04: Sessions

Learning Objectives

Demo Files

counter.php Simple visit counter using sessions

login-form.php Complete login flow demonstration

The Problem: HTTP is Stateless

Each HTTP request is independent. The server has no memory of previous requests:

Request 1: POST /login (username=alice, password=***)
Response:  "Login successful!"

Request 2: GET /dashboard
Response:  "Who are you? Please log in."   <-- Server forgot!

The Solution: Sessions

Request 1: POST /login
Response:  "Login successful!"
           Set-Cookie: PHPSESSID=abc123
           [Server stores: abc123 → {user: alice}]

Request 2: GET /dashboard
           Cookie: PHPSESSID=abc123
Response:  [Server looks up abc123]
           "Welcome, Alice!"

Basic Session Usage

<?php
// Start session - MUST be before any output!
session_start();

// Store data
$_SESSION['user_id'] = 123;
$_SESSION['username'] = 'alice';

// Read data (on subsequent requests)
echo "Hello, " . $_SESSION['username'];

// Check if key exists
if (isset($_SESSION['user_id'])) {
    echo "User is logged in";
}

// Remove specific key
unset($_SESSION['temp_data']);

// Destroy entire session (logout)
session_destroy();
?>

Critical: session_start() Must Be First!

session_start() sends the session cookie as an HTTP header, and headers cannot be sent once output has begun, so it must be called before ANY output (a stray space or newline before <?php already counts as output):

// WRONG - whitespace before PHP
 <?php
session_start();  // ERROR!

// WRONG - output before session_start
<?php
echo "Hello";
session_start();  // ERROR!

// RIGHT
<?php
session_start();
echo "Hello";

Login Flow

  1. login-form.php - Show login form
  2. login-process.php - Validate credentials, create session
  3. dashboard.php - Check session, show protected content
  4. logout.php - Destroy session, clear cookie

Security Best Practices

<?php
// Each numbered snippet below is a separate script. In a single script,
// cookie parameters must be set BEFORE session_start() (see snippet 2).

// 1. Regenerate ID on login (prevents session fixation)
session_start();
if ($loginSuccessful) {                 // result of your credential check
    session_regenerate_id(true);        // true = delete the old session data
    $_SESSION['user_id'] = $userId;
}

// 2. Set secure cookie parameters (before session_start)
session_set_cookie_params([
    'lifetime' => 0,       // Session cookie (expires when the browser closes)
    'path' => '/',
    'secure' => true,      // HTTPS only
    'httponly' => true,    // No JavaScript access
    'samesite' => 'Lax'    // CSRF protection
]);
session_start();

// 3. Proper logout
session_start();
$_SESSION = [];                    // Clear data
session_destroy();                 // Destroy storage
// Clear the cookie with the SAME path/domain it was set with;
// a deletion cookie with a different path leaves the old one in place.
$p = session_get_cookie_params();
setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
?>
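The following added example (not one of the module's demo files) ties the four-step login flow above to the three practices in this section in one place. It assumes a helper file named session_bootstrap.php that every page includes, a constructed in-memory user table with a password hash, and an idle timeout of 30 minutes; all of those names and values are assumptions, not something the module specifies.

```php
<?php
// ===== session_bootstrap.php (assumed helper, included by every page) =====
declare(strict_types=1);

function start_secure_session(): void
{
    // Reject session IDs the server never issued (an attacker-chosen ID in
    // the cookie is then ignored) and never accept the ID from the URL.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');

    // Cookie parameters must be set BEFORE session_start().
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie
        'path'     => '/',
        'secure'   => true,       // HTTPS only
        'httponly' => true,       // no JavaScript access
        'samesite' => 'Lax',      // CSRF protection
    ]);
    session_start();              // before ANY output

    // Idle timeout (assumed 30 minutes): drop stale data and the old ID.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > 1800) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = $now;
}

function end_session(): void
{
    $_SESSION = [];
    // Delete the cookie with the same attributes it was set with.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

function require_login(): void
{
    if (!isset($_SESSION['user_id'])) {
        header('Location: /login-form.php');
        exit;
    }
}

// ===== login-process.php (step 2: validate credentials, create session) =====
require 'session_bootstrap.php';
start_secure_session();

// Constructed demo user table; a real application stores the hash in a database.
$users = ['alice' => ['id' => 123, 'hash' => password_hash('correct-horse-battery', PASSWORD_DEFAULT)]];

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
$user     = $users[$username] ?? null;

if ($user !== null && password_verify($password, $user['hash'])) {
    session_regenerate_id(true);          // new ID after the privilege change
    $_SESSION['user_id']  = $user['id'];
    $_SESSION['username'] = $username;
    header('Location: /dashboard.php');
    exit;
}
http_response_code(401);
echo 'Invalid credentials';

// ===== dashboard.php (step 3: check session, show protected content) =====
require 'session_bootstrap.php';
start_secure_session();
require_login();
echo 'Welcome, ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');

// ===== logout.php (step 4: destroy session, clear cookie) =====
require 'session_bootstrap.php';
start_secure_session();
end_session();
header('Location: /login-form.php');
exit;
```

Each section after the bootstrap is a separate file that begins with its own <?php tag; they are shown together here only so the whole flow fits in one listing. The regenerate call sits after a successful password check, not before, so a fixated ID never survives into the authenticated session, and the logout deletion cookie reuses the original path and domain so the browser actually discards it.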

Related Resources

