Appendix G: Maintaining state with sessions

The HTTP protocol used by the internet is by nature a stateless protocol, which means that after an HTTP request is received and a response is generated the process which generated that response is released. When a subsequent request is received from the same client there is no memory of any previous request, so there is no 'state' maintained between requests. This is because a child process generated by the web server is not tied to any particular client, so after dealing with a request from one client it may deal with many requests from many other clients. A subsequent request from the same client may then be given to a different process, so any 'state' maintained by the previous process would be inaccessible.

The PHP language has a standard method to deal with this called sessions whose workings can be summarised as follows:

• Each collection of session data is held under a different session id.
• The default location for this session data is the folder specified by the session_save_path() function, but session control can be handed over to a user-defined handler by using the session_set_save_handler() function. This may then hold all session data in a database table instead of a disk file.
• Each script that requires access to session data should contain a call to the session_start() function. This will look for a session id which points to an existing session, but if one is not found it will create a new one.
• With each script session data is made available in the $_SESSION superglobal which is an associative array. Any changes made to this array will be automatically saved when the script terminates.
• The default place to hold the session id is within a session cookie which exists within memory and only for the lifetime of a browser session. This means that when the user terminates his browser session all session cookies will disappear, which means that all links to the PHP session on the server are terminated.
• The session cookie will contain the entry <session_name>=<session_id> where:
  • <session_name> is the session name. This defaults to PHPSESSID but can be changed using the session_name() function.
  • <session_id> is a unique string containing 32 random characters.
• You should also be aware that it is possible for a user to create multiple browser instances on his client device. These will all share the same session cookie, the same session name, the same session id and therefore the same session data. This is discussed further in Appendix H.

The $_SESSION superglobal is an associative array, which means that it can hold any number of name=value pairs. It is also possible for this to be a multi-dimensional array by specifying value as an array instead of a single value. By using this feature I can maintain a different set of variables for each script in a $script_vars array, and by writing them to the $_SESSION array as <script_id>=$script_vars I can keep the session data for each script totally separate from other scripts within the same session.

More information on this topic can be found in Working with a stateless protocol.