Session Handling in PHP

Traditionally, HTTP is a stateless protocol. That is, it is made up of requests and responses, and there is no notion of a ‘persistent connection’. On its own this leaves no way to provide consistency or personalisation on the web, since the server has no way of knowing whom a request came from.

There are 2 primary methods, regardless of platform, that are used as a work-around for this.

First is a cookie. A cookie is a small text file that lives on the client’s computer and stores values set by your application. In general the file can only be accessed by the website/domain that issued it. The main problem with cookies is that they are untrusted: a malicious user could modify the data and cause you problems!

The second, and better, solution is sessions. These are similar to cookies, but the data resides on the server and cannot be directly modified by the client. When sessions are used, a cookie is still issued, but it simply holds the ‘session id’. This session id is sent with every request after the app creates it, including actions such as form submission. The ‘session id’ is a link to either a file or a record on the server, depending on how sessions are stored.
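To make the server-side half concrete, here is an added example (not code from the original post) of a PHP login flow that keeps the user data in `$_SESSION` and hands the browser nothing but the opaque session-id cookie, with the cookie locked down and the id regenerated at login. It assumes PHP 7.3 or later for the array form of `session_set_cookie_params()` and a hypothetical `check_credentials()` helper.

```php
<?php
// Added example: server-side session state with an opaque id cookie.
// Assumes a hypothetical check_credentials() helper defined elsewhere.
declare(strict_types=1);

// Reject session ids the server never issued (a crafted cookie gets a
// fresh id instead) and never accept the id from the URL.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');

// Lock the session-id cookie down: HTTPS only, not readable by
// JavaScript, and not sent on cross-site requests.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

function login(string $user, string $password): bool
{
    if (!check_credentials($user, $password)) { // hypothetical helper
        return false;
    }
    // Issue a new id on privilege change so a pre-login id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user']       = $user;
    $_SESSION['logged_in']  = true;
    $_SESSION['started_at'] = time();
    return true;
}

function current_user(): ?string
{
    // The browser only ever sees the id; the user data stays server-side.
    return ($_SESSION['logged_in'] ?? false) ? $_SESSION['user'] : null;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the id cookie in the browser as well as dropping the record.
    setcookie(session_name(), '', time() - 3600,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```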
