Sojourn

Reputation: 41

How do PHP session IDs work?

I'm a little confused on what session IDs in PHP actually are, and what they are useful for. I am coding a website with user information, register, and login. In login script tutorials in PHP, many people include session_start(). They also check that the current session ID matches that stored in the database for the users (stored during login) and if they do not, they log the user out (redirect to login page by setting header).

What exactly is the function/usefulness of session IDs? And how do I incorporate them into my login script without creating a redirect loop?

Thanks for any help.

Upvotes: 1

Views: 2611

Answers (1)

3stadt

Reputation: 171

In brief, a session id identifies a browser.

Since http itself is stateless, every request like loading a page is independent from any previous request.

To overcome this circumstance, you use session_start() to instruct the web server to send a cookie to the browser or, when a cookie exists, tell php the current session id which was saved in the cookie previously.

A session id itself is a randomly generated unique string, only used to track if a browser is already known to the server.

If there is someone visiting a site the very first time, it works like this:

  • The web server gets a request from the browser and hands it over to php
  • session_start() is called and looks if there is a session id
  • Since this is the first visit, there is none. A new session id is generated
  • PHP prepares the (html) output and hands it over to the web server, including the instruction to send a cookie containing the newly generated session id
  • The browser gets the response and saves the cookie

From now on, with every following request the browser sends its session id from the cookie. In this case, PHP's session_start() picks it up, looks if this session id exists and if so, makes it available to your script.

PHP stores, usually in files on the server, variables "inside a session". That means, via $_SESSION['somevalue'] you can get and set values, e.g. $_SESSION['logged_in'] indicating if the user is logged in.

That whole task of sending an appropriate header to the browser for setting a cookie, reading back the header from a request, storing variables in a file that is named after the session id is wrapped into session_start() for your convenience.

Storing the session id in the database is useful if for some reason you don't want to use the PHP default, which is storing them into text files.

There are many tutorials on the web on how to build a login form with sessions and php. Maybe this tutorial is something you like.

The principle is always the same:

  • Use session_start() on top of your script
  • Check via some value in $_SESSION if the user is logged in (remember, PHP wraps the whole identifying for you)
  • If the user is not logged in check for data from your login form in $_POST
  • If there is data from your login form check if the data is correct
  • If the data is correct, set some session variable indicating the user is logged in
  • If there is neither a logged in session nor correct $_POST data, present the user with a login form
  • Otherwise if there is a valid session (variable) or $_POST login data, proceed to show your sensitive data to the user

If it isn't clear by now, a session is only a way to remember stuff (via $_SESSION) for a single browser between two different pages.

Upvotes: 8
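The first-visit flow and the login principle listed in the answer above, put together as one runnable PHP script. This is an added example, not code from the answer or from any tutorial it links to. It assumes a constructed in-memory user table in place of a real database lookup (the hypothetical `find_user_by_name()` helper stands in for that query), and it adds two things the answer only implies: the session cookie is marked HttpOnly/Secure before `session_start()` issues it, and `session_regenerate_id()` is called once the credentials check out so the id that identified the anonymous browser is not the id that identifies the logged-in user. The redirect after a successful POST goes back to the same URL, where the "already logged in" branch answers, which is how the redirect loop from the question is avoided.

```php
<?php
// Added example, not from the original answer: a minimal login script that
// follows the steps listed in the answer. Assumptions: find_user_by_name()
// is a hypothetical stand-in for a database query, and the protected
// content is just a greeting.
declare(strict_types=1);

// Lock the session cookie down before session_start() sends it.
session_set_cookie_params([
    'httponly' => true,   // not readable by JavaScript
    'secure'   => true,   // only sent over HTTPS (set false for local http testing)
    'samesite' => 'Lax',
]);
session_start();          // reads the session cookie or issues a new session id

// Constructed sample user; a real application would look this up in the database.
$users = [
    'alice' => ['id' => 1, 'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

function find_user_by_name(array $users, string $name): ?array
{
    return $users[$name] ?? null;
}

// Step 2: already logged in? Then show the protected page (or handle logout).
if (!empty($_SESSION['user_id'])) {
    if (isset($_GET['logout'])) {
        $_SESSION = [];
        session_destroy();
        header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'));
        exit;
    }
    echo 'Hello, user #' . (int) $_SESSION['user_id'] . '. <a href="?logout=1">Log out</a>';
    exit;
}

// Steps 3 and 4: not logged in, so look for submitted login data and verify it.
$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    $user = find_user_by_name($users, (string) $_POST['username']);
    if ($user !== null && password_verify((string) $_POST['password'], $user['password_hash'])) {
        // Step 5: credentials are correct. Issue a fresh session id so the id
        // the browser carried before login is not the one that now means "logged in".
        session_regenerate_id(true);
        $_SESSION['user_id'] = $user['id'];
        // Redirect to the same URL as a GET; the next request takes the
        // "already logged in" branch above, so there is no redirect loop.
        header('Location: ' . $_SERVER['REQUEST_URI']);
        exit;
    }
    $error = 'Wrong username or password.';
}

// Step 6: no logged-in session and no correct POST data: present the login form.
?>
<!doctype html>
<?php if ($error !== null): ?><p><?= htmlspecialchars($error) ?></p><?php endif; ?>
<form method="post">
  <input name="username" placeholder="username">
  <input name="password" type="password" placeholder="password">
  <button>Log in</button>
</form>
```

Drop the file into a PHP-served directory and request it twice: the first response carries the Set-Cookie header with the new session id, every later request sends that cookie back, and only after a successful POST does `$_SESSION['user_id']` exist for that browser. The password hash is recomputed on every request here purely because the user table is constructed inline; in a real application the hash is stored once at registration.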
