HTTP is a stateless protocol. This means that the server cannot tell whether a given request from a browser is a follow-up request from the same user/IP/browser or a brand new one.
HTTP doesn't know who is requesting. So how do sessions manage to make HTTP look intelligent? The answer lies in the request-response model with data.
When a normal request is made, e.g. to my website, the minimal data passed by the client/browser is this:
GET / HTTP/1.1
Host: ruturaj.net
The server responds with the output. But when a developer calls session_start();, what actually happens is that the PHP engine sets a PHPSESSID cookie. This is sent from the server as a Set-Cookie header, so the response looks somewhat like this:
HTTP/1.x 200 OK
Date: xxxx
Set-Cookie: PHPSESSID=<32charhexvalue>; expires=xxxx
...
Assuming the browser accepts cookies, it saves the PHPSESSID cookie. On its side, the server also creates a file in the configured session directory (by default /tmp on Linux), named /tmp/sess_32charid.
Now when the browser makes another request, the Cookie header is sent along with the GET request back to the server, something like this:
GET /session2.php HTTP/1.1
Host: ruturaj.net
Cookie: PHPSESSID=<32charid>; othercookies=othervalues;
session2.php, for example, sets a value of name in the session like this:
$_SESSION['name'] = $name_obtained_from_somewhere;
As the script finishes, PHP flushes all the $_SESSION data into the /tmp/sess_32charid file associated with that session id. It stores the data in serialized form.
Suppose the browser makes another request, to session3.php, where $_SESSION['name'] is echoed. Just as in the previous case, the PHPSESSID is passed in the cookie.
As php.net mandates, every page that needs sessions must call session_start();. As soon as this function is invoked, PHP checks whether the browser's request carried a PHPSESSID cookie in the header. Since it did in our case, the PHP engine opens the /tmp/sess_32charid file (with the same session id) and unserializes its contents. It then assigns the unserialized data to the $_SESSION variable.
The simple echo $_SESSION['name']; will now be able to output the name!! Sessions working...
On session_destroy();, PHP sends a cookie for PHPSESSID with an expiry timestamp in the past, and unlinks (deletes) the /tmp/sess_32charid file. This ensures that no reference to that session is left.
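Here is the whole cycle described above in one script, as an added example that is not part of the original post. It assumes PHP 7.3 or later, that the name arrives in a POST field called name, and that a hypothetical ?action= parameter chooses between storing, showing and logging out (the original's session2.php and session3.php roles). Besides the set/read/destroy steps it does two things a production page should: it regenerates the session id when the stored data changes, so an id planted before login cannot be reused afterwards, and it expires the PHPSESSID cookie explicitly at logout, which the PHP manual recommends in addition to session_destroy().

```php
<?php
// Added example (not from the original post): the set / read / destroy cycle
// in one script, driven by a hypothetical ?action=set|show|logout parameter.
// Assumptions: PHP 7.3+, the name comes from a POST field "name", site runs over HTTPS.

declare(strict_types=1);

// Cookie attributes must be set before session_start() emits Set-Cookie.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie: dropped when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
ini_set('session.use_only_cookies', '1'); // never accept the id from the URL

// Reads PHPSESSID from the Cookie header and unserializes /tmp/sess_<id> into $_SESSION.
session_start();

$action = $_GET['action'] ?? 'show';

switch ($action) {
    case 'set':
        // session2.php role: store a value; PHP serializes it into the sess_ file at shutdown.
        $name = trim((string)($_POST['name'] ?? ''));
        if ($name === '') {
            http_response_code(400);
            echo "name is required\n";
            break;
        }
        // Issue a fresh id and delete the old sess_ file, so an id that was
        // fixed on the browser before this point does not carry the new data.
        session_regenerate_id(true);
        $_SESSION['name'] = $name;
        echo "stored\n";
        break;

    case 'show':
        // session3.php role: read the value that session_start() loaded from the sess_ file.
        $name = $_SESSION['name'] ?? '(none)';
        echo 'name: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "\n";
        break;

    case 'logout':
        // session_destroy() unlinks the sess_ file on the server; the manual also
        // recommends expiring the cookie so the browser stops sending the old id.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', [
                'expires'  => time() - 42000,   // timestamp in the past
                'path'     => $p['path'],
                'domain'   => $p['domain'],
                'secure'   => $p['secure'],
                'httponly' => $p['httponly'],
                'samesite' => $p['samesite'],
            ]);
        }
        session_destroy();
        echo "logged out\n";
        break;

    default:
        http_response_code(404);
        echo "unknown action\n";
}
```

To walk through it with curl, POST a name with -c to save the cookie jar, then GET ?action=show with -b to send it back; the Set-Cookie and Cookie headers exchanged are the same ones shown above, and after ?action=logout the jar entry is expired and the sess_ file is gone.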
References
- http://in3.php.net/manual/en/session.configuration.php
This is a really good article
This is a really good article for web developers.
Thank You
Thank you. It was helpful. :)
Keep going...
Great explanation, especially your way of explaining, like:
you give a snippet of code & actually explain the internal behaviour, as it is very important for an anxious programmer like me. Good work & I got sessions very well :)).
Thanks for great
Thanks for the great explanation. What would happen if the browser does not accept cookies?
Cookie-less sessions
PHP has an option by which sessions can be enabled for cookie-less clients: PHP appends the session ID data to anchor tags and forms.
Sessions trans sid
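The option referred to above is session.use_trans_sid. As an added note that is not part of the original post or its comments: rewriting links and forms puts PHPSESSID=<id> into URLs, where it ends up in Referer headers, proxy and web-server logs, browser history and shared links, so anyone who sees the URL can present the same session. The bootstrap below, an added example and not the author's code, pins the cookie-only settings and checks them before session_start(). It assumes PHP 7.3+ and that the directives are not locked with php_admin_value in the server config, in which case ini_set() cannot change them and the check is what tells you.

```php
<?php
// Added example (not from the original post): session bootstrap that keeps the
// session id out of URLs. Include it before session_start() on every page.
// Assumptions: PHP 7.3+, directives not locked by php_admin_value in php.ini/httpd.conf.

declare(strict_types=1);

// Not this: session.use_trans_sid=1 rewrites <a href> and <form> to carry
// PHPSESSID=<id> in the URL, where it leaks through Referer, logs and history.
//
// Cookie-only configuration instead:
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1'); // ignore ids arriving in the query string
ini_set('session.use_trans_sid', '0');    // no URL rewriting
ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_samesite', 'Lax');

/**
 * Verify the effective settings really are cookie-only. Throws so a locked or
 * overridden deployment fails loudly instead of silently leaking ids in URLs.
 * ini_get() returns "1" for an enabled boolean directive and "" or "0" otherwise.
 */
function assertCookieOnlySessions(): void
{
    $problems = [];
    if ((string)ini_get('session.use_trans_sid') === '1') {
        $problems[] = 'session.use_trans_sid is enabled';
    }
    if ((string)ini_get('session.use_only_cookies') !== '1') {
        $problems[] = 'session.use_only_cookies is disabled';
    }
    if ((string)ini_get('session.use_strict_mode') !== '1') {
        $problems[] = 'session.use_strict_mode is disabled';
    }
    if ($problems !== []) {
        throw new RuntimeException('insecure session configuration: ' . implode('; ', $problems));
    }
}

assertCookieOnlySessions();
session_start();

// A client that refuses cookies simply gets a fresh, empty session on every
// request. Detect that (set a marker in $_SESSION on the first request and
// check for it on the next) and tell the user cookies are required, rather
// than falling back to ids in URLs.
```

With this in place the answer to "what if the browser does not accept cookies" is that the application refuses to hold state for that client, which is the safer failure than carrying the id in every link.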
How will sessions work if I disable my browser's cookies?
Hi
It's a great explanation, but I am still confused. When I want to make a web app and want my sessions to run irrespective of whether the browser's cookies are active or disabled, what exactly do I need to do?
Thanks in advance
PHP Sessions
Best explanation I have seen so far. Most websites have either the wrong info or so little that it is of limited value.