Passing Variables – The PHP $_SESSION array

The problem of storing user information while the user is accessing the web site is solved with sessions in PHP. Essentially, when the user logs into a web site and enters some information, the server assigns the user a 32 character, random, session ID which uniquely identifies the user. It stores this ID on the users computer as a cookie, along with time-out expiration information. Any additional sensitive user information, like the quantity, and item number in the shopping cart, or a credit card number is stored on the server, along with that particular user's session ID.

I don't have enough space in this post to go through all the details on how sessions are configured. The "php.ini" file currently contains 24 different session variables that can be set concerning sessions security, session expiration, where sessions will be stored on the server, what to do if the user disabled his cookies, and whether a session should be started automatically when a user arrives on a site. I will cover these in more detail in my next post. Usually the default configuration when you first install PHP is adequate. For now, let's concentrate on using session to store variables between web pages.

To start a session you call session_start() at the top of the web page file, before anything else. Since your storing the session ID in a cookie, session_start has to be called before any new line in the web page file, please see my cookies post for an explanation. When session_start() is called PHP checks to see if a session has already been started, and if it hasn't, it will assign that user a session ID and store it in a cookie. It also sets up a unique global session array on the server, identified by, you guessed it, the session ID.

PHP keeps session variables in a $_SESSION[] array. This array is available globally, which means it doesn't matter which page of the web server application you go to, the information will be available, which is what we want.

To store information in a session that you can use in your application, or specific user information, you do the following:

$_SESSION['firstname'] = $fname ;
$_SESSION['lastname'] = $lname ;
$_SESSION['usercity'] = $city ;
$_SESSION['address'] = $addr ; 

That's it. You now have firstname, lastname, usercity, and address available to you on any web page in your application. Notice that the information is stored in an associative $_SESSION array. To retrieve this information on another page, we do the reverse, at the top of the file, like so:

$fname = $_SESSION['firstname'] ;
$lname = $_SESSION['lastname'] ;
$city = $_SESSION['usercity'] ;
$address = $_SESSION['address'] ;

We have to start the session again on the page where you want to retrieve the session information. This will retrieve the session ID from the cookie on the user's computer, and using that session ID, connect to the $_SESSION array for that particular user.

If cookies are disabled the session ID will be retrieved from information in the web URL. If sensitive user information is being stored, certainly an https encrypted connection should be used to prevent user information from being compromised.

Session variables are common in web applications, and are used frequently, especially internally, within a web application to pass variables from one page to another.


Passing Variables – The PHP $_SESSION array — 2 Comments

  1. Very useful – many thanks.

    I have a mental block about how, for example, ‘usercity’ is a variable for MySQL sessions – but has the syntax of a string as far as PHP is concerned. That’s crazy! 🙂

    • Hi Richard,
      You bring several things to mind. You can always cast your session variables to make sure their what you want. Talking about MySQL and PHP mismatch, you may want to take a look at my article on “Converting Dates from MySQL to PHP.” Also if your interested in passing variables. I recommend you try out my NewChk application, You’ll be able to see all your session variables with one call. Happy coding.