On a PHP website, PHP manages sessions automatically once you call session_start() at the top of every script that needs access to the session or, better, in a shared include header. However, many people don’t know what actually happens when you call session_start().
PHP sessions are handled by serializing a variable to a file stored in the server's filesystem.
When your script is launched and it requests access to the session, PHP checks whether the user sent a cookie called PHPSESSID. If so, the UUID value in the cookie (a 32-character unique hex string) is used as the filename to look up the user’s actual session data in a temporary file on the server. That data is a plaintext string, serialized in a format that PHP can turn back into the session array you’re already familiar with.
The first time you call session_start(), when there is no PHPSESSID cookie in the user’s cookie headers, one is created for that user and the cookie is set on their machine with an expiration time of zero (which means it persists until the window is closed). The data you put into $_SESSION is serialized and placed into the temporary session file when the script ends normally. Sessions will only fail to be written if the script comes to some catastrophic end, such as a segmentation fault.
NOTE: The serialization format PHP uses for session data is NOT the serialization format you get from the built-in serialize() function. The data that will be passed into your write() function will not be able to be parsed by any built-in function. If you need to store your data in some other format (if you need it to be readable by another programming language, for instance) then you will have to use the existing $_SESSION array directly. This is more memory- and processor-intensive, so it should be avoided if possible.
Now the default PHP session management functions work just fine for most uses, and there is no reason to create a custom session handler if all you have is one server with a moderate amount of traffic and session use. However, remember that session data is stored locally on your server’s hard drive. If you have more than one web server, obviously you will need to figure out another way to manage sessions so that the user’s session can be restored regardless of which web server they hit. This is where PHP’s session_set_save_handler() comes in handy.