PHP Session and Cookies with Examples
In the realm of web development, maintaining user data across multiple page requests stands as a fundamental challenge. PHP, a server-side scripting language widely used for web development, offers two primary mechanisms for state management: sessions and cookies. These tools enable developers to create personalized web experiences by preserving user data throughout a browsing session or across multiple visits. Understanding how to implement and manage these features effectively is essential for building modern, user-friendly web applications that remember user preferences, authentication status, and other critical information.
Understanding PHP Cookies
Cookies function as small pieces of data stored directly on a user’s computer. They serve as a reliable method for websites to remember valuable information about visitors, enhancing user experience across multiple page visits without requiring constant resubmission of data.
What Are Cookies in PHP
Cookies in PHP represent small text files stored on the client’s browser, enabling websites to track and remember specific user information. Unlike server-side storage solutions, cookies reside entirely on the user’s device, making them accessible across multiple visits to the same website. Developers commonly implement cookies for various purposes, including remembering login credentials, storing shopping cart contents, saving user preferences, and collecting analytics data. Each cookie contains a name-value pair and can hold up to 4KB of data, though practical limitations often suggest using them for smaller data points.
Cookie Implementation in PHP
Setting cookies in PHP utilizes the built-in setcookie() function, which must be called before any HTML output appears in your script. The basic syntax requires a name and value parameter, though additional options exist for fine-tuning cookie behavior:
setcookie(name, value, expire, path, domain, secure, httponly);
Here’s a straightforward example of creating a cookie:
<?php
// Set a cookie named "username" with value "john_doe" that expires in one hour
setcookie("username", "john_doe", time() + 3600, "/");
// Check if the cookie exists before using it
if(isset($_COOKIE["username"])) {
    echo "Welcome back, " . htmlspecialchars($_COOKIE["username"]);
} else {
    echo "Welcome new user!";
}
?>
Reading cookie values requires accessing the $_COOKIE superglobal array, which PHP automatically populates with all valid cookies sent by the client. Always validate cookie data before usage, as client-side information remains vulnerable to manipulation.
Cookie Parameters and Configuration
Properly configuring cookie parameters enhances both security and functionality:
- Expiration time: Determines how long a cookie remains valid. Setting this to a future timestamp creates persistent cookies that survive browser closure:
setcookie("persistent_pref", "dark_mode", time() + 86400 * 30, "/"); // 30 days
- Path and domain restrictions: Control cookie accessibility across different directories and subdomains:
setcookie("restricted_cookie", "value", time() + 3600, "/admin/", "example.com");
- Secure and HttpOnly flags: Critical security measures that protect cookies from interception and malicious scripts:
setcookie("sensitive_data", "protected_value", time() + 3600, "/", "", true, true);
Best practices include setting the shortest practical expiration time, using path restrictions to limit cookie scope, enabling the HttpOnly flag for sensitive cookies, and implementing the Secure flag for all cookies on HTTPS-enabled sites.
Understanding PHP Sessions
While cookies store data client-side, PHP sessions provide a server-side storage mechanism that offers enhanced security and flexibility for managing user data across multiple page requests.
What Are Sessions in PHP
Sessions in PHP establish a mechanism for preserving information across multiple page requests by storing data on the server rather than the client. When a session initiates, PHP generates a unique session ID (typically a 32-character random string) that identifies the specific user. This identifier gets passed between the server and client either through a cookie (session cookie) or URL parameters. The actual session data resides securely on the server, organized in files or alternative storage systems like databases or memory caches. Sessions excel at handling sensitive information, larger data structures, and situations requiring higher security levels than cookies can provide.
Session Management in PHP
Implementing sessions in PHP begins with calling the session_start() function at the top of each script that needs access to session data:
<?php
// Initialize session
session_start();
// Store data in session variables
$_SESSION["logged_in"] = true;
$_SESSION["user_id"] = 123;
$_SESSION["username"] = "john_doe";
echo "Session data saved!";
?>
To access session data on subsequent pages:
<?php
// Always start the session first
session_start();
// Check if session variables exist
if(isset($_SESSION["logged_in"]) && $_SESSION["logged_in"] === true) {
    echo "Welcome back, " . htmlspecialchars($_SESSION["username"]);
    echo "Your user ID is: " . $_SESSION["user_id"];
} else {
    echo "Please log in to continue.";
}
?>
PHP 7.3 and newer versions accept an options array in session_set_cookie_params(); the same settings can also be made directly in the php.ini file. These settings control the behavior of the session cookie that carries the session ID:
<?php
// Configure session cookie parameters
session_set_cookie_params([
    'lifetime' => 3600,
    'path' => '/',
    'domain' => '',
    'secure' => true,
    'httponly' => true,
    'samesite' => 'Lax'
]);
// Then start the session
session_start();
?>
This configuration creates a more secure session environment by protecting the session identifier cookie from JavaScript access and cross-site request forgery attacks.
Session Destruction and Expiration
Properly terminating sessions involves a two-step process to ensure complete cleanup:
<?php
// Start the session
session_start();
// Clear all session variables
$_SESSION = array();
// Delete the session cookie
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
// Destroy the session
session_destroy();
echo "You have been logged out successfully.";
?>
Session timeout configuration occurs either through the php.ini file or using the ini_set() function:
<?php
// Set session timeout to 30 minutes of inactivity
ini_set('session.gc_maxlifetime', 1800);
session_start();
?>
Implementing a custom timeout mechanism provides more precise control:
<?php
session_start();
// Check if last activity timestamp exists
if(isset($_SESSION['last_activity'])) {
    // Calculate inactivity time
    $inactive_time = time() - $_SESSION['last_activity'];
    $timeout_duration = 1800; // 30 minutes
    // If user inactive longer than timeout, destroy session
    if($inactive_time >= $timeout_duration) {
        session_unset();
        session_destroy();
        header("Location: login.php");
        exit;
    }
}
// Update last activity timestamp
$_SESSION['last_activity'] = time();
?>
This approach enables graceful handling of session expiration by redirecting users to appropriate pages when their sessions time out.
Key Differences Between Sessions and Cookies
Understanding when to use sessions versus cookies requires examining their fundamental differences in storage, security, and implementation.
Storage Location and Security
Sessions store data on the server in files, databases, or memory caches, with only a session identifier passed to the client. This architecture significantly enhances security since sensitive information never transmits to or resides on user devices. In contrast, cookies store all data directly on the client’s browser, making them inherently less secure for sensitive information.
The security implications become particularly important when handling authentication tokens, personal information, or payment details. Sessions provide substantially better protection against data theft and manipulation since attackers cannot directly access server-side session stores even if they compromise the client system.
Size limitations also differ dramatically: cookies restrict storage to approximately 4KB per cookie, while session storage capacity depends on server configuration, typically allowing much larger data structures up to several megabytes.
Accessibility and Availability
Cookie data remains available across multiple browser sessions and potentially for extended periods, depending on expiration settings. This persistence makes cookies ideal for long-term preferences like language choices or remembering returning visitors. Sessions, however, typically expire when the browser closes or after a server-defined inactivity period, making them suited for temporary data like shopping carts or login states.
Cross-domain considerations also differentiate these technologies. Cookies can be configured for access across subdomains or even different domains with proper configuration, while sessions remain confined to the originating domain. Additionally, client-side JavaScript can access regular cookies but cannot access HttpOnly cookies or server-side session data, providing another security layer.
Performance and Resource Usage
Sessions consume server resources for data storage and management, potentially impacting performance on high-traffic websites. Each active session occupies memory or disk space, and session data requires retrieval and processing with every request. Cookies, conversely, use minimal server resources since data storage and management happen entirely client-side.
Network performance considerations also favor cookies for non-sensitive data, as they reduce bandwidth usage by eliminating the need to retrieve session data from the server repeatedly. However, cookies increase the size of every HTTP request as browsers automatically send all relevant cookies with each page request.
Choose cookies for performance-critical applications with non-sensitive data requirements, and sessions for security-critical features handling sensitive information.
Practical Implementation Examples
Moving from theory to practice, these implementation examples demonstrate real-world applications of sessions and cookies in common web development scenarios.
User Authentication System
A robust user authentication system typically combines sessions for secure login state management with cookies for the “remember me” functionality:
<?php
// Database connection code here ($pdo is the PDO instance it creates)
session_start();
// Login processing
if(isset($_POST['login'], $_POST['username'], $_POST['password'])) {
    // FILTER_SANITIZE_STRING is deprecated since PHP 8.1; the prepared
    // statement below makes escaping unnecessary, so the input is only trimmed
    $username = trim($_POST['username']);
    $password = $_POST['password'];
    $remember = isset($_POST['remember']);
    // Verify credentials against database (using prepared statements)
    $stmt = $pdo->prepare("SELECT id, username, password_hash FROM users WHERE username = ?");
    $stmt->execute([$username]);
    $user = $stmt->fetch();
    if($user && password_verify($password, $user['password_hash'])) {
        // Issue a fresh session ID at login so an ID the browser held before
        // authenticating cannot be reused (session fixation)
        session_regenerate_id(true);
        // Store user data in session
        $_SESSION['user_id'] = $user['id'];
        $_SESSION['username'] = $user['username'];
        $_SESSION['logged_in'] = true;
        $_SESSION['last_activity'] = time();
        // Set remember me cookie if requested
        if($remember) {
            $token = bin2hex(random_bytes(32)); // Generate secure token
            // Store token in database with user ID and expiration
            $expiry = time() + (30 * 24 * 60 * 60); // 30 days
            $stmt = $pdo->prepare("INSERT INTO auth_tokens (user_id, token, expiry) VALUES (?, ?, ?)");
            $stmt->execute([$user['id'], $token, $expiry]);
            // Set secure cookie with token
            setcookie("remember_token", $token, $expiry, "/", "", true, true);
        }
        header("Location: dashboard.php");
        exit;
    } else {
        $error = "Invalid credentials";
    }
}
// Logout processing
if(isset($_GET['logout'])) {
    // Clear all session variables
    $_SESSION = array();
    // Delete the session cookie
    if (ini_get("session.use_cookies")) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $params["path"], $params["domain"], $params["secure"], $params["httponly"]);
    }
    // Delete remember me cookie
    setcookie("remember_token", "", time() - 3600, "/", "", true, true);
    // Destroy the session
    session_destroy();
    header("Location: login.php");
    exit;
}
?>
This implementation stores sensitive login state in server-side sessions while using a random token cookie only for the “remember me” functionality, with the actual user details remaining server-side for enhanced security.
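As an added example that is not part of the original article, the following sketches a hardened variant of the “remember me” token: the cookie carries a selector and a validator, only a SHA-256 hash of the validator is stored, so a leaked auth_tokens table does not hand out usable cookies, and a correct selector with a wrong validator revokes the token. The table layout, the constant and function names and the selector/validator lengths are assumptions for this example; the CLI block at the bottom runs it against an in-memory SQLite database with constructed data.

```php
<?php
declare(strict_types=1);

// Hypothetical "remember me" helpers. Cookie value: selector:validator.
const REMEMBER_COOKIE = 'remember_token';     // cookie name (assumed)
const REMEMBER_TTL    = 30 * 24 * 60 * 60;    // 30 days

function remember_schema(PDO $db): void {
    // Table layout assumed for this example (SQLite-compatible)
    $db->exec("CREATE TABLE IF NOT EXISTS auth_tokens (
        selector TEXT PRIMARY KEY,
        validator_hash TEXT NOT NULL,
        user_id INTEGER NOT NULL,
        expiry INTEGER NOT NULL)");
}

// Issue a token for $userId and return the value to place in the cookie.
function issue_remember_token(PDO $db, int $userId, int $now): string {
    $selector  = bin2hex(random_bytes(12));   // lookup key, stored in clear
    $validator = bin2hex(random_bytes(32));   // secret, stored only as a hash
    $stmt = $db->prepare("INSERT INTO auth_tokens (selector, validator_hash, user_id, expiry) VALUES (?, ?, ?, ?)");
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $now + REMEMBER_TTL]);
    return $selector . ':' . $validator;
}

// Resolve a cookie value to a user id, or null when it is malformed, unknown,
// expired, or its validator does not match the stored hash.
function check_remember_token(PDO $db, string $cookie, int $now): ?int {
    if (!preg_match('/^([0-9a-f]{24}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;   // reject anything that is not exactly the expected shape
    }
    [, $selector, $validator] = $m;
    $stmt = $db->prepare("SELECT validator_hash, user_id, expiry FROM auth_tokens WHERE selector = ?");
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int)$row['expiry'] < $now) {
        return null;
    }
    // Constant-time comparison of the hashed validator
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Known selector with a wrong validator: treat the token as compromised
        // and revoke it so it cannot be retried.
        $db->prepare("DELETE FROM auth_tokens WHERE selector = ?")->execute([$selector]);
        return null;
    }
    return (int)$row['user_id'];
}

// Sends the cookie with the same flags the login example above uses.
function send_remember_cookie(string $value, int $now): bool {
    return setcookie(REMEMBER_COOKIE, $value, [
        'expires' => $now + REMEMBER_TTL, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// CLI demonstration against an in-memory SQLite database (constructed data)
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    remember_schema($db);
    $now = time();
    $cookie = issue_remember_token($db, 123, $now);
    var_dump(check_remember_token($db, $cookie, $now));                    // valid cookie
    var_dump(check_remember_token($db, $cookie, $now + REMEMBER_TTL + 1));  // past expiry
    $last = substr($cookie, -1);
    $tampered = substr($cookie, 0, -1) . ($last === 'a' ? 'b' : 'a');       // altered validator
    var_dump(check_remember_token($db, $tampered, $now));                  // rejected and revoked
    var_dump(check_remember_token($db, $cookie, $now));                    // original now revoked too
}
```

On a real login page the raw return value of issue_remember_token() goes into send_remember_cookie(), and the auto-login path calls check_remember_token() with $_COOKIE[REMEMBER_COOKIE] before populating $_SESSION exactly as the login branch above does, including session_regenerate_id(true).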
Shopping Cart Implementation
E-commerce applications often use sessions for anonymous shopping carts and cookies for persistent carts across visits:
<?php
session_start();
// Initialize cart if not exists
if(!isset($_SESSION['cart'])) {
    $_SESSION['cart'] = array();
}
// Add item to cart
if(isset($_POST['add_to_cart'], $_POST['product_id'], $_POST['quantity'])) {
    $product_id = filter_input(INPUT_POST, 'product_id', FILTER_VALIDATE_INT);
    $quantity = filter_input(INPUT_POST, 'quantity', FILTER_VALIDATE_INT);
    if($product_id && $quantity > 0) {
        // Check if product already in cart
        if(isset($_SESSION['cart'][$product_id])) {
            $_SESSION['cart'][$product_id] += $quantity;
        } else {
            $_SESSION['cart'][$product_id] = $quantity;
        }
        // Record activity so the inactivity timeout below measures real use
        $_SESSION['cart_updated'] = time();
        // For persistent cart - save to cookie (only product IDs and quantities)
        $cart_cookie = json_encode($_SESSION['cart']);
        setcookie("saved_cart", $cart_cookie, time() + (30 * 24 * 60 * 60), "/");
    }
}
// Retrieve cart from cookie if session cart is empty. The cookie is client
// data, so accept only positive integer IDs mapped to positive integer quantities
if(empty($_SESSION['cart']) && isset($_COOKIE['saved_cart'])) {
    $saved_cart = json_decode($_COOKIE['saved_cart'], true);
    if(is_array($saved_cart)) {
        foreach($saved_cart as $product_id => $quantity) {
            if(is_int($product_id) && $product_id > 0 && is_int($quantity) && $quantity > 0) {
                $_SESSION['cart'][$product_id] = $quantity;
            }
        }
    }
}
// Cart expiration handling:
// Check for cart last updated time
if(!isset($_SESSION['cart_updated'])) {
    $_SESSION['cart_updated'] = time();
}
// Expire cart after 7 days of inactivity
$cart_timeout = 7 * 24 * 60 * 60; // 7 days
if(time() - $_SESSION['cart_updated'] > $cart_timeout) {
    $_SESSION['cart'] = array();
    $_SESSION['cart_updated'] = time();
    setcookie("saved_cart", "", time() - 3600, "/");
}
// Display cart contents
function display_cart() {
    global $pdo;
    if(empty($_SESSION['cart'])) {
        echo "<p>Your cart is empty.</p>";
        return;
    }
    echo "<table border='1'>";
    echo "<tr><th>Product</th><th>Quantity</th><th>Price</th><th>Total</th></tr>";
    $total = 0;
    foreach($_SESSION['cart'] as $product_id => $quantity) {
        // Get product details from database
        $stmt = $pdo->prepare("SELECT name, price FROM products WHERE id = ?");
        $stmt->execute([$product_id]);
        $product = $stmt->fetch();
        if($product) {
            $subtotal = $quantity * $product['price'];
            $total += $subtotal;
            echo "<tr>";
            echo "<td>" . htmlspecialchars($product['name']) . "</td>";
            echo "<td>" . (int)$quantity . "</td>"; // integer by construction; cast keeps the output safe
            echo "<td>$" . number_format($product['price'], 2) . "</td>";
            echo "<td>$" . number_format($subtotal, 2) . "</td>";
            echo "</tr>";
        }
    }
    echo "<tr><td colspan='3'><strong>Total</strong></td><td>$" . number_format($total, 2) . "</td></tr>";
    echo "</table>";
}
?>
This approach provides the best of both worlds: rapid cart access through sessions while ensuring cart persistence across visits through cookies, with proper expiration handling to manage abandoned carts.
User Preferences Management
Storing user interface preferences combines cookies for anonymous users with session and database storage for logged-in users:
<?php
session_start();
// Theme handling
$available_themes = ['light', 'dark', 'blue', 'high-contrast'];
$default_theme = 'light';
// Process theme change request (strict in_array so only the listed strings pass)
if(isset($_POST['set_theme'], $_POST['theme']) && in_array($_POST['theme'], $available_themes, true)) {
    $selected_theme = $_POST['theme'];
    // Store theme in session for current visit
    $_SESSION['user_theme'] = $selected_theme;
    // Store theme in cookie for future visits (1 year expiration)
    setcookie("user_theme", $selected_theme, time() + (365 * 24 * 60 * 60), "/");
    // If user is logged in, also save to database
    if(isset($_SESSION['user_id'])) {
        $stmt = $pdo->prepare("UPDATE user_preferences SET theme = ? WHERE user_id = ?");
        $stmt->execute([$selected_theme, $_SESSION['user_id']]);
    }
}
// Determine which theme to use (priority: session > cookie > database > default)
$theme = $default_theme;
// Check database if user is logged in
if(isset($_SESSION['user_id'])) {
    $stmt = $pdo->prepare("SELECT theme FROM user_preferences WHERE user_id = ?");
    $stmt->execute([$_SESSION['user_id']]);
    $db_theme = $stmt->fetchColumn();
    if($db_theme && in_array($db_theme, $available_themes, true)) {
        $theme = $db_theme;
    }
}
// Cookie overrides database (validated against the whitelist, never trusted as-is)
if(isset($_COOKIE['user_theme']) && in_array($_COOKIE['user_theme'], $available_themes, true)) {
    $theme = $_COOKIE['user_theme'];
}
// Session overrides cookie
if(isset($_SESSION['user_theme']) && in_array($_SESSION['user_theme'], $available_themes, true)) {
    $theme = $_SESSION['user_theme'];
}
// Apply the theme
$theme_file = "css/" . $theme . ".css";
?>
<!DOCTYPE html>
<html>
<head>
<title>User Preferences Example</title>
<link rel="stylesheet" href="<?php echo htmlspecialchars($theme_file); ?>">
</head>
<body>
<h1>Theme Preferences</h1>
<form method="post" action="">
<label for="theme">Choose Theme:</label>
<select name="theme" id="theme">
<?php foreach($available_themes as $t): ?>
<option value="<?php echo $t; ?>" <?php if($theme == $t) echo 'selected'; ?>>
<?php echo ucfirst($t); ?> Theme
</option>
<?php endforeach; ?>
</select>
<button type="submit" name="set_theme">Save Theme</button>
</form>
<div class="content">
<h2>Content Example</h2>
<p>This content will be styled according to your selected theme preference.</p>
</div>
</body>
</html>
This implementation creates a seamless preference system that works for both anonymous and authenticated users. Logged-in users benefit from preferences that follow them across devices, while all users enjoy consistent experiences through cookie-based preferences.
Security Best Practices
Implementing sessions and cookies securely requires attention to potential vulnerabilities and following established security practices.
Preventing Session Hijacking
Session hijacking occurs when attackers steal or guess valid session identifiers to impersonate legitimate users. Protect against this threat with these techniques:
<?php
// Configure secure session settings
ini_set('session.use_only_cookies', 1);
ini_set('session.use_strict_mode', 1);
ini_set('session.cookie_httponly', 1);
ini_set('session.cookie_secure', 1);
ini_set('session.cookie_samesite', 'Lax');
ini_set('session.gc_maxlifetime', 1800);
ini_set('session.use_trans_sid', 0);
// Start session
session_start();
// Regenerate session ID periodically to prevent fixation
if(!isset($_SESSION['created'])) {
    $_SESSION['created'] = time();
} else if(time() - $_SESSION['created'] > 1800) {
    // Regenerate session ID every 30 minutes
    session_regenerate_id(true);
    $_SESSION['created'] = time();
}
// Bind session to user's IP and user agent for additional security.
// The User-Agent header may be absent, so it defaults to an empty string.
// Note that REMOTE_ADDR changes for users on mobile networks or behind
// rotating proxies, which will log those users out.
$fingerprint = hash('sha256', $_SERVER['REMOTE_ADDR'] . ($_SERVER['HTTP_USER_AGENT'] ?? ''));
if(!isset($_SESSION['client_fingerprint'])) {
    $_SESSION['client_fingerprint'] = $fingerprint;
} elseif(!hash_equals($_SESSION['client_fingerprint'], $fingerprint)) {
    // Potential session hijacking attempt - destroy session
    session_unset();
    session_destroy();
    // Redirect to login page
    header("Location: login.php");
    exit;
}
?>
Periodic session regeneration limits how long a stolen session ID remains usable, while the HttpOnly flag blocks JavaScript access to session cookies. Serving the site over HTTPS, with the secure flag so the cookie is only ever sent over it, encrypts all data transmission, including session cookies. Binding the session to REMOTE_ADDR is a trade-off: users whose address changes mid-session (mobile networks, rotating proxies) are logged out, so consider binding to the user agent only, or treating a mismatch as a prompt to re-authenticate rather than an immediate logout.
Cookie Security Measures
Secure cookie implementation requires several protective measures:
<?php
// Set sensitive cookie with all security flags enabled
function set_secure_cookie($name, $value, $expiry) {
    // Encrypt cookie value. AES-256-CBC expects a 32-byte key; openssl silently
    // pads or truncates other lengths, so provision the variable accordingly
    $encryption_key = getenv('COOKIE_ENCRYPTION_KEY'); // Stored in environment variable
    if($encryption_key === false) {
        throw new RuntimeException('COOKIE_ENCRYPTION_KEY is not set');
    }
    $iv = random_bytes(16);
    $encrypted_value = openssl_encrypt(
        $value,
        'AES-256-CBC',
        $encryption_key,
        0,      // default options: the result is base64-encoded text
        $iv
    );
    // Combine IV with encrypted value. CBC provides confidentiality only; it
    // does not detect a modified cookie (an authenticated mode such as
    // AES-256-GCM, or a separate HMAC, is needed for that)
    $secure_value = base64_encode($iv . $encrypted_value);
    // Set cookie with all security flags (options array form, PHP 7.3+)
    setcookie(
        $name,
        $secure_value,
        [
            'expires' => $expiry,
            'path' => '/',
            'domain' => '',
            'secure' => true,
            'httponly' => true,
            'samesite' => 'Lax'
        ]
    );
}
// Usage example
set_secure_cookie('user_preference', 'dark_mode', time() + 30 * 24 * 60 * 60);
// Reading and decrypting secure cookie
function get_secure_cookie($name) {
    if(!isset($_COOKIE[$name])) {
        return null;
    }
    $encryption_key = getenv('COOKIE_ENCRYPTION_KEY');
    if($encryption_key === false) {
        return null;
    }
    // Strict decoding rejects characters outside the base64 alphabet
    $secure_value = base64_decode($_COOKIE[$name], true);
    if($secure_value === false || strlen($secure_value) <= 16) {
        error_log("Cookie decode failed for " . $name);
        return null;
    }
    // Extract IV (first 16 bytes)
    $iv = substr($secure_value, 0, 16);
    $encrypted_value = substr($secure_value, 16);
    // Decrypt value; openssl_decrypt returns false on failure rather than throwing
    $decrypted_value = openssl_decrypt(
        $encrypted_value,
        'AES-256-CBC',
        $encryption_key,
        0,
        $iv
    );
    if($decrypted_value === false) {
        // Log error and return null on failure
        error_log("Cookie decryption failed: " . openssl_error_string());
        return null;
    }
    return $decrypted_value;
}
?>
Encrypting cookie content protects against unauthorized reading; because CBC mode does not authenticate the ciphertext, it does not by itself detect tampering, which an authenticated mode such as AES-256-GCM or a separate HMAC provides. The Secure flag ensures transmission only over HTTPS, the HttpOnly flag prevents JavaScript access, and SameSite restricts cross-site cookie usage, protecting against CSRF attacks.
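Added here as an example that is not the article's own code: the same sealed-cookie idea with an authenticated cipher, AES-256-GCM, so that a modified cookie fails the tag check instead of decrypting into garbage, and with the expiry carried inside the sealed payload where the client cannot extend it. It also serves the shopping-cart passage above, since a persisted cart is restored only after a shape check. The key format (64 hex characters in COOKIE_ENCRYPTION_KEY), the layout of the encoded value, the function names and the limits in validate_cart() are assumptions for this example; the CLI block at the bottom uses a constructed key and constructed cart data.

```php
<?php
declare(strict_types=1);

// Sealed cookie value layout (assumed): iv (12 bytes) . tag (16 bytes) . ciphertext,
// base64url-encoded without padding so it is safe inside a cookie.

function cookie_key(): string {
    // Assumed format: COOKIE_ENCRYPTION_KEY holds 64 hex characters (32 bytes).
    $hex = getenv('COOKIE_ENCRYPTION_KEY');
    if ($hex === false || !preg_match('/^[0-9a-f]{64}$/i', $hex)) {
        throw new RuntimeException('COOKIE_ENCRYPTION_KEY must be 64 hex characters');
    }
    return hex2bin($hex);
}

function seal_cookie_value(array $data, string $key, int $now, int $ttl): string {
    // The expiry is part of the authenticated payload, so it cannot be tampered with
    $plain = json_encode(['exp' => $now + $ttl, 'data' => $data], JSON_THROW_ON_ERROR);
    $iv  = random_bytes(12);   // fresh nonce per cookie; never reuse with the same key
    $tag = '';
    $ct  = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return rtrim(strtr(base64_encode($iv . $tag . $ct), '+/', '-_'), '=');
}

// Returns the stored array, or null when the value is malformed, tampered with
// or expired. Callers still validate the shape of what comes back.
function open_cookie_value(string $raw, string $key, int $now): ?array {
    $bin = base64_decode(strtr($raw, '-_', '+/'), true);
    if ($bin === false || strlen($bin) < 12 + 16 + 1) {
        return null;
    }
    $iv  = substr($bin, 0, 12);
    $tag = substr($bin, 12, 16);
    $ct  = substr($bin, 28);
    $plain = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        return null;   // authentication tag did not verify
    }
    $payload = json_decode($plain, true);
    if (!is_array($payload) || !isset($payload['exp'], $payload['data'])
        || !is_int($payload['exp']) || $payload['exp'] < $now || !is_array($payload['data'])) {
        return null;
    }
    return $payload['data'];
}

// Shape check for a persisted cart: positive int product ids mapped to
// quantities in 1..99, at most 50 lines (limits assumed); anything else is dropped.
function validate_cart(array $cart): array {
    $clean = [];
    foreach ($cart as $id => $qty) {
        if (is_int($id) && $id > 0 && is_int($qty) && $qty > 0 && $qty <= 99) {
            $clean[$id] = $qty;
        }
        if (count($clean) >= 50) {
            break;
        }
    }
    return $clean;
}

if (PHP_SAPI === 'cli') {
    putenv('COOKIE_ENCRYPTION_KEY=' . bin2hex(random_bytes(32)));   // constructed key for the demo
    $key = cookie_key();
    $now = time();
    $cookie = seal_cookie_value([42 => 2, 7 => 1], $key, $now, 7 * 24 * 3600);   // constructed cart
    var_dump(validate_cart(open_cookie_value($cookie, $key, $now) ?? []));   // intact cookie
    $flipped = $cookie;
    $flipped[5] = $flipped[5] === 'A' ? 'B' : 'A';   // corrupt one character of the nonce
    var_dump(open_cookie_value($flipped, $key, $now));                     // tag check fails
    var_dump(open_cookie_value($cookie, $key, $now + 8 * 24 * 3600));      // past the sealed expiry
}
```

The decoded JSON turns the numeric string keys back into integer array keys, which is why validate_cart() can insist on is_int() for product IDs. Rotating the key invalidates every outstanding cookie, which is the intended behavior if the key is ever suspected to have leaked.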
CSRF and XSS Protection
Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) attacks represent major threats to web applications. Implement these protective measures:
<?php
session_start();
// Generate CSRF token
function generate_csrf_token() {
    if(!isset($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
// Verify CSRF token (hash_equals compares in constant time)
function verify_csrf_token($token) {
    if(!isset($_SESSION['csrf_token']) || !is_string($token)
        || !hash_equals($_SESSION['csrf_token'], $token)) {
        http_response_code(403);
        die('CSRF token validation failed');
    }
    return true;
}
// For forms, include CSRF token
$csrf_token = generate_csrf_token();
?>
<form method="post" action="process.php">
    <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($csrf_token); ?>">
    <!-- Form fields -->
    <input type="text" name="username">
    <input type="submit" value="Submit">
</form>
<?php
// In the processing script:
if($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Verify CSRF token (a missing token becomes '' and fails the check)
    verify_csrf_token($_POST['csrf_token'] ?? '');
    // Escape the input for HTML output to prevent XSS
    $username = htmlspecialchars($_POST['username'] ?? '', ENT_QUOTES, 'UTF-8');
    // Output the escaped value
    echo "Hello, " . $username;
}
?>
Token-based CSRF protection ensures requests originate from your website, while proper input sanitization prevents XSS attacks by escaping potentially dangerous characters. Combining these with secure cookie configurations provides comprehensive protection against common web vulnerabilities.
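An added example, not taken from the article, showing that escaping belongs at output time and depends on the context the value lands in: the same untrusted string needs different treatment in HTML text, in a URL query parameter and inside an inline script. The helper names are assumptions and the input string is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical escaping helpers for three output contexts. The raw value is
// kept as received; escaping happens once, at the point of output.

// HTML body text and quoted attribute values
function e_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A value embedded in an inline <script> block: JSON with the characters
// that could close the script or open a tag encoded as \uXXXX escapes.
function e_js($v): string {
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// A value placed in a URL query string
function e_url(string $s): string {
    return rawurlencode($s);
}

// Renders a greeting for an untrusted $username in all three contexts
function render_greeting(string $username): string {
    return '<p>Hello, ' . e_html($username) . "</p>\n"
         . '<a href="/profile?user=' . e_url($username) . '">profile</a>' . "\n"
         . '<script>const user = ' . e_js($username) . ';</script>' . "\n";
}

if (PHP_SAPI === 'cli') {
    // Constructed input containing the characters each context must neutralize
    $untrusted = 'Bob </script><b>"&\'';
    echo render_greeting($untrusted);
}
```

Storing the already-escaped value, as the processing script above does, is harmless for a single HTML output but breaks as soon as the same value must go into a URL, a JSON response or a database, which is why the helpers take the raw string.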
Common Issues and Troubleshooting
Even experienced developers encounter problems with sessions and cookies. Understanding common issues and their solutions speeds up troubleshooting.
Session Problems and Solutions
When sessions fail to function properly, check these common causes:
- Session not starting: Ensure session_start() appears before any HTML output and no whitespace exists before the opening PHP tag. Output buffering can help if header modification is unavoidable:
<?php
ob_start(); // Start output buffering
// Some HTML might be here
session_start(); // Now works even if HTML preceded it
// Rest of code
ob_end_flush(); // Send buffered output
?>
- Data loss between pages: Verify the session.save_path directory exists and has proper permissions. Check the value with:
<?php echo session_save_path(); ?>
- Server configuration issues: Sessions might fail due to PHP configuration. Check these settings in php.ini:
session.save_path = "/path/to/session/storage"
session.gc_maxlifetime = 1440
session.cookie_lifetime = 0
- PHP version incompatibilities: Session parameter handling changed in PHP 7.3. Update code like this:
// Old style (pre PHP 7.3)
session_set_cookie_params(3600, '/', '', true, true);
// New style (PHP 7.3+)
session_set_cookie_params([
    'lifetime' => 3600,
    'path' => '/',
    'domain' => '',
    'secure' => true,
    'httponly' => true,
    'samesite' => 'Lax' // PHP 7.3+ only
]);
For persistent session issues, try regenerating the session ID while preserving data:
session_start();
$old_session_data = $_SESSION; // Save data
session_regenerate_id(true); // Generate new ID, delete old session
$_SESSION = $old_session_data; // Restore data
This approach often resolves mysterious session problems while maintaining security.
Cookie Problems and Solutions
Cookie implementation issues typically fall into these categories:
- Cookies not setting correctly: Verify cookies are set before any HTML output. Check expiration times and ensure paths are correct:
<?php
// Debug cookie settings
$cookie_name = "test_cookie";
$cookie_value = "test_value";
$result = setcookie($cookie_name, $cookie_value, time() + 3600, "/");
if($result) {
    echo "Cookie attempt successful";
} else {
    echo "Cookie setting failed";
}
// Check headers for issues
$headers = headers_list();
foreach($headers as $header) {
    if(strpos($header, 'Set-Cookie') !== false) {
        echo "Cookie header: " . htmlspecialchars($header);
    }
}
?>
- Browser cookie restrictions: Modern browsers restrict cookies in various ways. Test with these adjustments:
// Try different SameSite settings
setcookie("test_cookie", "value", [
    'expires' => time() + 3600,
    'path' => '/',
    'samesite' => 'None', // Try 'Lax' or 'Strict' if this fails
    'secure' => true // Required with SameSite=None
]);
- Third-party cookie limitations: Browsers increasingly block third-party cookies. For subdomain cookies, set the domain parameter:
// For sharing cookies across subdomains
setcookie("shared_cookie", "value", time() + 3600, "/", ".example.com", true, true);
- Debugging techniques with browser tools: Use browser developer tools to inspect cookies:
<?php
// Add debugging output for cookie troubleshooting
echo "<script>
console.table(document.cookie.split('; ').map(c => {
    const [name, value] = c.split('=');
    return {name, value};
}));
</script>";
?>
For persistent issues, try using JavaScript to set and verify cookies as a diagnostic step:
echo "<script>
document.cookie = 'test_js_cookie=works; path=/; max-age=3600';
setTimeout(() => {
console.log('Cookie check:', document.cookie.includes('test_js_cookie'));
}, 100);
</script>";
This helps determine if the issue lies with PHP or browser settings.
Advanced Topics
Beyond the basics, several advanced session and cookie implementations exist for special requirements and high-performance applications.
Session storage alternatives offer improved performance and scalability:
<?php
// Database session handler example. The handler is registered with
// session_set_save_handler() below; do not also ini_set('session.save_handler', 'user'),
// which PHP 7.2+ rejects. Method signatures follow SessionHandlerInterface as
// declared in PHP 8.
class DatabaseSessionHandler implements SessionHandlerInterface
{
    private $db;
    public function __construct(PDO $db) {
        $this->db = $db;
    }
    public function open(string $savePath, string $sessionName): bool {
        return true;
    }
    public function close(): bool {
        return true;
    }
    public function read(string $id): string|false {
        $stmt = $this->db->prepare("SELECT data FROM sessions WHERE id = ?");
        $stmt->execute([$id]);
        $data = $stmt->fetchColumn();
        // An unknown ID must read as an empty string, not as false
        return $data === false ? '' : $data;
    }
    public function write(string $id, string $data): bool {
        $stmt = $this->db->prepare("REPLACE INTO sessions (id, data, last_accessed) VALUES (?, ?, NOW())");
        return $stmt->execute([$id, $data]);
    }
    public function destroy(string $id): bool {
        $stmt = $this->db->prepare("DELETE FROM sessions WHERE id = ?");
        return $stmt->execute([$id]);
    }
    public function gc(int $maxlifetime): int|false {
        $stmt = $this->db->prepare("DELETE FROM sessions WHERE last_accessed < DATE_SUB(NOW(), INTERVAL ? SECOND)");
        return $stmt->execute([$maxlifetime]) ? $stmt->rowCount() : false;
    }
}
// Initialize database connection
$pdo = new PDO('mysql:host=localhost;dbname=myapp', 'username', 'password');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$handler = new DatabaseSessionHandler($pdo);
// Register the handler (true also registers session_write_close() as a shutdown function)
session_set_save_handler($handler, true);
// Now start the session
session_start();
?>
Cookie-less session implementations use URL parameters instead of cookies, useful for environments where cookies are disabled:
<?php
// Enable URL-based sessions (not recommended for security-sensitive applications)
ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies', '0');
ini_set('session.use_trans_sid', '1');
session_start();
// Generate links with session ID
echo '<a href="page.php?' . SID . '">Next Page</a>';
?>
Session fixation prevention requires additional security measures beyond basic configuration:
<?php
session_start();
// Force new session ID on login
function secure_session_start() {
    // Start with regenerated ID
    if(session_status() == PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    } else {
        session_start();
    }
    // Set session creation time
    if(!isset($_SESSION['created'])) {
        $_SESSION['created'] = time();
    }
}
// Call this on login
secure_session_start();
?>
These advanced techniques address specialized requirements for high-security or high-performance applications.