PHP and sessions

This page is marked as In Progress so expect small errors or unfinished bits

For PHP a session is the time a user spends on a site. Using PHP sessions allows you to store and access data across their visit to any pages on the site. For example, a user could log on once and that is recorded as a session variable. Then when they visit other pages you just run a quick check to see if they are already logged on.

The first visit

Call the PHP function session_start() at the beginning of any PHP page and a cookie is written to the user's machine. The cookie contains a very large random number which will be used to identify the user from now on. Nothing else is stored on the user's machine.

The PHP server then creates a temporary file on its own hard disk using the same number. In this file it can now save information about the session.

Return visits

If the session cookie already exists (by default it is called PHPSESSID) then the number is read from the cookie by the browser and sent to the server. The PHP server looks up the matching temporary file and reads the information from it. You can then access that information in PHP scripts through the $_SESSION superglobal.

Saving data in the session file

Just use it as you would any other variable:

<?php
session_start();              // must come before any output is sent
$_SESSION["user"] = "fred";   // saved in the session file on the server

If you add that to a blank PHP page, upload it and load it in a browser you should find that a cookie has been created by your browser. If you have access to your server's session files you could look for the matching file. If not you could check that it worked using print_r to show $_SESSION. You should see the stored user name. You could use that in IF statements or in queries for MySQL.

An example of a very simple login system

To remove all data from the session file on the server use session_destroy(). This will not empty $_SESSION in the script that called it.

Security

Depending on configuration the session files on the server may be readable by other sites (on a server which hosts more than one site). It is best not to assume the data is totally secure and to take precautions such as encryption.

Other potential problems involve the session IDs (the way the browser tells the server which session data to access). These are stored in cookies on the user's machine, so anyone with access to the local files can copy the session ID and hijack the session.

A wider issue occurs if the user is connected to the Internet over an open or shared WiFi connection. A secured home network should not be a problem as the data is encrypted. However, WiFi at a coffee shop or office which is used by many people will be carrying session IDs from the browser to the server, and anyone who wants to can monitor the wireless traffic and pick out the session IDs. They can then use those session IDs to start a session with the server and effectively log on to other users' accounts. Some major sites have protected against this by using https on all pages, but others have not. Using https on your own server is the only real security, but you can also check IP addresses and/or browser strings and stop a session if the user suddenly changes IP address or browser. Most users would not find this too annoying, but it is far from ideal.
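The following helper, added here as an example and not part of the original page, puts the advice from "Saving data in the session file" and "Security" into one place: cookie settings that keep the ID off plain http and away from JavaScript, a browser-string check of the kind described above, and a logout that also empties $_SESSION. The function names and the fingerprint scheme are this example's own; regenerating the session ID on login is a standard precaution the page itself does not mention.

```php
<?php
// Added example, not from the original page. Requires PHP 7.3+ for the
// array form of session_set_cookie_params().

// Send the session cookie only over https, keep it out of JavaScript and
// off cross-site requests. Must be called before session_start().
function secure_session_start(): void {
    session_set_cookie_params([
        'lifetime' => 0,        // cookie is dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // never sent over plain http (see "Security")
        'httponly' => true,     // not readable by scripts in the page
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Fingerprint based on the browser string, as suggested above. The IP address
// is left out of this example because mobile users change it legitimately.
function fingerprint(): string {
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// On successful login: store the user and issue a fresh session ID so an ID
// that existed before login is no longer valid.
function login_user(string $user): void {
    session_regenerate_id(true);       // true = delete the old session file
    $_SESSION['user'] = $user;
    $_SESSION['fp']   = fingerprint();
}

// On every page: the logged-in user, or null if nobody is logged in or the
// browser string has changed since login (the session is then ended).
function current_user(): ?string {
    if (!isset($_SESSION['user'], $_SESSION['fp'])) {
        return null;
    }
    if (!hash_equals($_SESSION['fp'], fingerprint())) {
        logout_user();
        return null;
    }
    return $_SESSION['user'];
}

// Full logout: empty the array (session_destroy() alone does not), expire
// the cookie in the browser, then remove the file on the server.
function logout_user(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}
```

Call secure_session_start() at the top of every page instead of a bare session_start(), then use current_user() where you would otherwise read $_SESSION["user"] directly.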
