PHP Sessions (session_start, session_destroy, $_SESSION)


PHP Dec 25, 2022

Almost every site with some kind of interactivity (registration, order form, etc.) uses sessions to store visitor data. A session is a mechanism that allows you to uniquely identify a visitor and store the data associated with that visitor.

Data in the session can be written on one page of the site and read on another, as long as the session lifetime does not expire between calls to different pages of the site. Session data is stored on the server, so a visitor cannot change it manually.

Creating a session and working with it

Let's try to initialize (start) a PHP session and write some data to it. To do this, we will use the aptly named session_start function, and then write some data to the session:

   // Start the session (or resume the existing one)
   session_start();
   $_SESSION['text'] = 'Lion, tiger on the roof';

   // Print the contents of the session array
   echo '<pre>';
   print_r($_SESSION);
   echo '</pre>';

The $_SESSION variable is an array. If you are interested in what is in it, then you can always print this array using print_r. The result of executing the code from the example above will be as follows:

   Array
   (
       [text] => Lion, tiger on the roof
   )

Reading the values of the $_SESSION array is exactly the same as reading the elements of any other array.

Sessions are a handy tool because the data persists between page loads. Let's take a simple example that demonstrates this. Let's make a script that counts how many times the page with the code has been reloaded:

   session_start();

   if (!isset($_SESSION['reload_counter'])) {
      $_SESSION['reload_counter'] = 1;
   } else {
      $_SESSION['reload_counter']++;
   }

   echo 'This page has been reloaded ' . $_SESSION['reload_counter'] . ' times';

Now let's reload the page with this script and see how the counter increases its value.

To delete data written to $_SESSION, use the same mechanisms that you use for arrays, that is:


Session duration

The duration of data storage in the session depends on the PHP settings. It is usually about 30 minutes. You can check the duration yourself by reading it from the PHP settings with the command:

   echo ini_get('session.gc_maxlifetime');

As a result of executing this code, the duration of the session lifetime in seconds will be displayed. After this time expires, the session and all data will be deleted.

You can increase the session lifetime by setting the session.gc_maxlifetime value in the PHP settings or by writing "php_value session.gc_maxlifetime number_of_seconds" in the site's .htaccess file.
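The following is an added example, not code from the original article. session.gc_maxlifetime only makes old session data eligible for garbage collection, so a site that needs a firm idle limit enforces it in its own code as well. The IDLE_LIMIT value, the 'last_activity' key and the session_is_fresh helper are assumptions chosen for illustration; the cookie_samesite option requires PHP 7.3 or later.

```php
<?php
// Added example: enforce an idle timeout in application code.
// IDLE_LIMIT and the 'last_activity' key are illustrative assumptions.
const IDLE_LIMIT = 1800; // seconds

// Keep the server-side lifetime at least as long as the limit we enforce.
ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);

session_start([
    'cookie_httponly' => true,   // hide the session cookie from JavaScript
    'cookie_samesite' => 'Lax',  // limit when it is sent on cross-site requests
    'use_strict_mode' => true,   // reject session IDs the server did not issue
]);

/**
 * Returns true when the session is still within the idle limit and
 * refreshes the timestamp; returns false when it has gone stale.
 */
function session_is_fresh(array &$session, int $now, int $limit): bool
{
    if (isset($session['last_activity'])
        && $now - $session['last_activity'] > $limit) {
        return false;
    }
    $session['last_activity'] = $now;
    return true;
}

if (!session_is_fresh($_SESSION, time(), IDLE_LIMIT)) {
    // Stale: drop the old data and continue under a new session ID.
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['last_activity'] = time();
}

echo 'Configured lifetime: ' . ini_get('session.gc_maxlifetime') . ' seconds';
```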

Session files

The path to the directory where the site's sessions are stored is set in the Apache settings when the site is created. This directory may look like /tmp/php_sessions/your_domain/. If the site uses sessions, you can go to this directory and find files there. These files contain the serialized data of all sessions and all values that were written to them. The files are gradually deleted as sessions expire.

Ending a session

If the session is no longer needed, you should end it. This usually happens when the user logs out of their account on the site. The session_destroy function does this:


After executing this code, the session will be closed.
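The following is an added example, not code from the original article. It covers both the earlier passage on deleting data from $_SESSION with array mechanisms and this one on ending a session: it removes one value, clears all values, expires the session cookie and then calls session_destroy. The 'text' key is the one used earlier on the page; the options-array form of setcookie assumes PHP 7.3 or later.

```php
<?php
// Added example: removing session data and ending the session on logout.
session_start();

// 1. Remove a single value, exactly as with any other array element.
unset($_SESSION['text']);

// 2. Remove every value held in the current session.
$_SESSION = [];

// 3. Expire the session cookie in the browser, if cookies are in use.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'] ?: 'Lax',
    ]);
}

// 4. Delete the session data stored on the server.
session_destroy();

echo 'You have been logged out.';
```

session_destroy on its own leaves both the $_SESSION array of the current request and the browser cookie in place, which is why steps 2 and 3 come first.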


Imagine an online store. All its pages can be divided into two halves: public and private.

Public pages include catalog pages, product information, delivery terms, and so on. Private pages include the shopping cart and order history. Each customer should obviously have his own shopping cart, and only the owner and no one else should have access to it.

Checking user access to the site is called authentication. The entire authentication process always consists of several steps:

  1. When trying to access the closed part of the site, the user sees a login and password entry form.
  2. The form is submitted and the received data is compared with the actual username and password of the existing user.
  3. If the data matches, then the user is considered authenticated and gets access to the private part of the site.
  4. When reopening this page, the user should not re-enter the password if he has already done so within the current session.
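The four steps above as a single page, in an added example that is not code from the original article. The $users array is constructed sample data standing in for a database, and the 'user_id' session key and find_authenticated_user function are hypothetical names. Passwords are compared with password_verify against a stored hash, and the session ID is regenerated at login so that an ID issued before authentication is not carried over.

```php
<?php
// Added example: the four authentication steps with a PHP session.
session_start();

// Constructed sample user store; a real site would query its database.
$users = [
    'alice@example.com' => [
        'id'            => 1,
        'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT),
    ],
];

/** Step 2: compare submitted credentials with the stored user record. */
function find_authenticated_user(array $users, string $email, string $password): ?int
{
    $user = $users[$email] ?? null;
    if ($user !== null && password_verify($password, $user['password_hash'])) {
        return $user['id'];
    }
    return null;
}

// Step 4: already authenticated within the current session, no form needed.
if (isset($_SESSION['user_id'])) {
    echo 'Welcome back, user #' . (int) $_SESSION['user_id'];
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $email    = (string) ($_POST['email'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    $userId   = find_authenticated_user($users, $email, $password);
    if ($userId !== null) {
        // Step 3: issue a new session ID at login, then record who is logged in.
        session_regenerate_id(true);
        $_SESSION['user_id'] = $userId;
        echo 'Login successful';
        exit;
    }
    echo 'Invalid login or password';
}
?>
<!-- Step 1: the login form shown to visitors who are not authenticated -->
<form method="post">
    <input type="email" name="email" required>
    <input type="password" name="password" required>
    <button type="submit">Log in</button>
</form>
```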

The difference between authentication and authorization

Two terms should be distinguished: authentication and authorization.

Authentication is the verification of the identity provided by the user (login-password pair).

Authorization is the process of verifying and granting rights to a user to perform a specific action.

In the online store example, authentication is performed when the user fills out the login form and enters their personal account. The script that processes the form only checks that such a user exists and that his password matches.

Authorization is activated when the user performs some action. For example, he removes an item from his cart. During this action, the script should check if the item belongs to this user's cart. Without such verification, the user could remove the item from someone else's shopping cart.
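The cart check described above, as an added example that is not code from the original article. The $cartItems array is constructed sample data, and the 'user_id' session key, the 'item_id' form field and the remove_cart_item function are hypothetical names. The user's identity is taken only from the session, while the item ID from the request is treated as untrusted and checked against the owner.

```php
<?php
// Added example: authorization check before removing a cart item.
session_start();

// Constructed sample data: cart items keyed by item ID, each with an owner.
$cartItems = [
    101 => ['owner_id' => 1, 'product' => 'Teapot'],
    102 => ['owner_id' => 2, 'product' => 'Kettle'],
];

/**
 * Removes the item only if it belongs to the requesting user.
 * Returns true on removal, false when the item is missing or not theirs.
 */
function remove_cart_item(array &$cartItems, int $userId, int $itemId): bool
{
    if (!isset($cartItems[$itemId])) {
        return false;
    }
    if ($cartItems[$itemId]['owner_id'] !== $userId) {
        return false; // authenticated, but not authorized for this item
    }
    unset($cartItems[$itemId]);
    return true;
}

// Authentication: who is making the request? Taken from the session only.
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Please log in');
}
$userId = (int) $_SESSION['user_id'];

// The item ID comes from the request and is therefore untrusted.
$itemId = (int) ($_POST['item_id'] ?? 0);

if (remove_cart_item($cartItems, $userId, $itemId)) {
    echo 'Item removed';
} else {
    http_response_code(403);
    echo 'You cannot remove this item';
}
```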

The authorization logic is much more complicated than a simple check that the mail and password match when entering the site. Authorization may also include the following concepts: user groups, types of actions, resources, hierarchy of roles and actions.


Anurag Deep
