
11.5 Managing Sessions

The Web was designed for browsing documents, where each request from a web browser to a web server is independent of every other interaction. To develop applications for the Web, additional logic is required so that different requests can be related. For example, this logic is required to allow users to log in, use the gift registry application, and log out when they're finished. In PHP, the logic is provided by the sessions library.

Sessions allow variables to be stored on the server so the variables can be restored each time a user requests a script. Consider a short example:

<?php
  session_start();

  if (session_is_registered("count"))
  {
     // $count was restored from the session by the PHP engine; count
     // this visit before reporting it, so the fifth request prints 5
     $count++;
     echo "Hello! You've visited {$count} times";
  }
  else
  {
     // First visit: create the session variable and start counting at 1
     echo "Welcome new user!";
     session_register("count");
     $count = 1;
  }
?>

When the user requests the script for the first time, a new session is created. Then, a variable $count is registered and stored on the web server with its associated value of 1. When the script is requested again, the variable is automatically restored by the PHP engine and the count incremented. For example, on the fifth request of the script the output is:

Hello! You've visited 5 times

With its default configuration, the sessions library relies on cookies. Cookies are strings that are passed back and forth between the web server and browser and are used in sessions to maintain a unique key. This key is used on the server to locate the variables associated with the session. If cookies are disabled or unsupported by the browser, then sessions won't work; this problem can be solved by storing the session key in the URL, but we don't discuss that here.
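The same visit counter, as an added example that is not the book's own code, rewritten against the $_SESSION superglobal (which replaced session_register() and session_is_registered(); both were removed in PHP 5.4). Because the session cookie carries the key that locates the server-side variables, the cookie attributes are set before session_start(); the array form of session_set_cookie_params() assumes PHP 7.3 or later, and the secure flag assumes the application is served over HTTPS.

```php
<?php
// Added example (not from the book): visit counter using $_SESSION.
// Assumption: PHP 7.3+ and an HTTPS-only deployment.

// The session cookie is the only thing tying a browser to its server-side
// variables, so restrict how it travels before the session is opened.
session_set_cookie_params([
    'lifetime' => 0,        // cookie is discarded when the browser closes
    'path'     => '/',
    'secure'   => true,     // sent only over TLS
    'httponly' => true,     // not readable from client-side script
    'samesite' => 'Lax',
]);
ini_set('session.use_only_cookies', '1'); // never accept the key from the URL
ini_set('session.use_strict_mode', '1');  // reject keys the server did not issue

session_start();

if (isset($_SESSION['count'])) {
    // Restored from the server-side store; increment before reporting,
    // so the fifth request prints "visited 5 times"
    $_SESSION['count']++;
    echo "Hello! You've visited {$_SESSION['count']} times";
} else {
    echo "Welcome new user!";
    $_SESSION['count'] = 1;
}
```

Nothing here changes what the page stores; it only changes where the variable lives ($_SESSION instead of a registered global) and how the cookie that names the session is allowed to travel.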

All sessions have a timeout. This means that if a user doesn't access the server for a predetermined period, the session is destroyed. Session timeouts are necessary because there is no guarantee in a web environment that a user will log out. By default, the timeout is set to 1,440 seconds, or 24 minutes. This can be adjusted—along with other session parameters—through the php.ini configuration file that is normally stored in the directory /usr/local/lib on Unix servers.

You can also allow a user to destroy a session by adding a logout feature to an application. In our gift registry, the user can click on a Logout embedded link, which runs the following script stored in the file logout.php:

<?php
  // Log out of the system

  // A session must be started before it can be destroyed
  session_start();
  session_destroy();

  // Redirect to the confirmation page.
  header("Location: logout.html");
  // Stop here: the redirect header alone does not halt the script
  exit;
?>

A session must be started before it can be destroyed. The script doesn't produce HTML output but instead makes use of a popular web trick. The following code fragment sends an HTTP header back to the web browser using the PHP library header( ) function:

// Redirect to the confirmation page.
header("Location: logout.html");

The Location: header instructs the web browser to immediately request another resource; in this case, the logout.html page. Therefore, when the user clicks on the link to log out, the logout.php script destroys the session, and the logout.html page is displayed. We use this redirection so that if the user reloads or refreshes the logout.html page, no unnecessary session activity occurs. The page thanks the user for using the application.

The header( ) function is the source of a very common error, in which the PHP engine complains that it cannot add header information because the headers have already been sent.

The error occurs because the web server sends the HTTP headers as soon as any output is produced. If you leave a blank line or even a single space before the PHP start tag, the headers are sent, because that whitespace is treated as HTML (albeit not very interesting HTML). Any call to header( ) must therefore come before the script emits anything at all.

In the gift registry application, the session variable $user is registered when a guest logs in, and its value is set to his people_id. This variable is then used throughout the application both as the source of the guest's identity and to indicate that the guest is logged in. The function logincheck( ) is called at the beginning of the presents.php and action.php scripts to check if the user is logged in:

function logincheck()
{
   session_start();

   if (!session_is_registered("user"))
   {
      // Not logged in (or the session timed out): redirect to the login page
      header("Location: index.php");
      // Stop here, otherwise the calling script keeps running for a
      // user who has not been authenticated
      exit;
   }
}

If the user hasn't logged on or the session has timed-out, then the header( ) function redirects the browser to the login page, which we discuss later in Section 11.7.
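The login check, the logout script and the session timeout described above, combined into one added example that is not the gift registry's own code. It uses $_SESSION rather than session_register(), issues a fresh session key when a guest logs in, enforces an idle timeout in the application in addition to the php.ini garbage-collection setting, and tears the session down on both the server and the browser side at logout. The names IDLE_TIMEOUT, start_session(), login_user() and logout_user() are assumptions for illustration; the people_id value comes from wherever the application verifies the guest's credentials, which is not shown. Like the book's logincheck( ), these functions must run before any output, or the header( ) calls fail with the "headers already sent" error.

```php
<?php
// Added example (not the book's code): login / logincheck / logout with $_SESSION.
// Assumptions: PHP 7.3+, HTTPS deployment, credentials verified elsewhere.

const IDLE_TIMEOUT = 1440; // seconds of inactivity before the session is treated as expired

function start_session(): void
{
    // Session ini settings and cookie params only take effect before session_start()
    if (session_status() === PHP_SESSION_NONE) {
        ini_set('session.use_only_cookies', '1');
        ini_set('session.use_strict_mode', '1');
        session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// Called once the guest's credentials have been verified (not shown here).
function login_user(int $people_id): void
{
    start_session();
    session_regenerate_id(true);   // new key for the logged-in session; old one is deleted
    $_SESSION['user'] = $people_id;
    $_SESSION['last_activity'] = time();
}

// Call at the top of presents.php and action.php, before any output.
function logincheck(): void
{
    start_session();
    $expired = isset($_SESSION['last_activity'])
        && (time() - $_SESSION['last_activity']) > IDLE_TIMEOUT;

    if (!isset($_SESSION['user']) || $expired) {
        logout_user();                 // discard stale state before sending the user away
        header('Location: index.php');
        exit;                          // the header alone does not stop the script
    }
    $_SESSION['last_activity'] = time();
}

// Used by logout.php, followed by header('Location: logout.html'); exit;
function logout_user(): void
{
    start_session();
    $_SESSION = [];                    // clear the variables held for this session

    // session_destroy() removes the server-side data only; expire the cookie
    // in the browser as well so the old key is not presented again.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}
```

The exit after each header('Location: ...') is the part most often left out: without it the remainder of presents.php or action.php still executes for a request that was supposed to have been turned away, and the redirect only hides that from the browser.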
