🔹 What is a Session in PHP?
A session is a way to store user-specific data (like login status, cart items, preferences) across multiple page requests.
Unlike ordinary PHP variables, which are lost when the script ends, session data persists across requests for as long as the user's session is active.
🔹 How a PHP Session Works (Flow)
Session Initialization
When you call:
session_start();
PHP checks:
If the browser already sent a session identifier (session ID) in the request.
If not, PHP creates a new session (a file on the server, usually in /tmp or the directory defined by session.save_path).
Session ID Generation
PHP generates a unique ID (usually a long random string, e.g., 3cb3b25e0a6b8f9c0d7...).
This ID is how PHP knows which session file belongs to which user.
Storing Session Data
You assign session data like:
$_SESSION['user'] = 'Ahmed';
$_SESSION['role'] = 'Admin';
PHP writes this data into a server-side file (like /tmp/sess_3cb3b25e0a6b8f9c0d7).
Example file content:
user|s:5:"Ahmed";role|s:5:"Admin";
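The following is an added example, not code from the original post, that shows where this string comes from: session_encode() returns exactly what PHP's default "php" serialize handler writes into the sess_<id> file, and session_decode() turns such a string back into $_SESSION. It assumes the files save handler with a writable session.save_path (falling back to the system temp directory) and that session.save_path holds a plain directory, not the "N;/path" form.

```php
<?php
// Added example (not from the original post): inspect the on-disk session
// format that the default "php" serialize handler writes to sess_<id>.
// Assumes the "files" handler and a writable session.save_path.

declare(strict_types=1);

ini_set('session.serialize_handler', 'php'); // produces the key|serialized; format
session_start();

$_SESSION['user'] = 'Ahmed';
$_SESSION['role'] = 'Admin';

// session_encode() returns the exact string PHP will persist for this session.
$encoded = session_encode();
echo "Encoded: {$encoded}\n";
// Encoded: user|s:5:"Ahmed";role|s:5:"Admin";

// Flush to disk, then read the file back to confirm the sess_<id> naming.
session_write_close();
$dir  = session_save_path() ?: sys_get_temp_dir(); // empty save_path means the temp dir
$path = rtrim($dir, '/\\') . DIRECTORY_SEPARATOR . 'sess_' . session_id();
echo "File:    {$path}\n";
echo "On disk: " . file_get_contents($path) . "\n";

// The reverse direction: session_decode() repopulates $_SESSION from such a string.
session_start();
$_SESSION = [];
session_decode('user|s:5:"Ahmed";role|s:5:"Admin";');
var_dump($_SESSION['user'], $_SESSION['role']);
// string(5) "Ahmed"
// string(5) "Admin"
```

Run it from the command line with `php sessions_format.php`; in CLI mode session_start() still creates the file, it just cannot send the Set-Cookie header. Note that the file holds the values in plain serialized form, which is why the server-side directory must not be readable by other users or by the web root.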
Communicating with the Browser
The browser never stores the actual session data (for security).
Instead, PHP sets a cookie on the browser with the session ID:
Set-Cookie: PHPSESSID=3cb3b25e0a6b8f9c0d7; path=/; HttpOnly
On each subsequent request, the browser automatically sends this cookie back:
Cookie: PHPSESSID=3cb3b25e0a6b8f9c0d7
Session Retrieval
When PHP gets a request with PHPSESSID, it:
Looks for the corresponding session file.
Loads and unserializes it into the $_SESSION array.
Now you can access the stored values.
Session Destruction
When you call:
session_destroy();
PHP deletes the session file on the server.
You can also manually unset variables:
unset($_SESSION['user']);
🔹 Role of Cookies in Sessions
By default, PHP sessions rely on cookies to store the session ID.
This is why if a user disables cookies, the session won’t work unless you pass the session ID in the URL (not recommended, insecure).
Example with cookies:
Browser sends:
Cookie: PHPSESSID=3cb3b25e0a6b8f9c0d7
PHP finds sess_3cb3b25e0a6b8f9c0d7 file → loads session data.
🔹 Where Sessions are Stored (Server Side)
Default: /tmp folder (Linux) or C:\Windows\Temp (Windows).
File name format: sess_ followed by the session ID (for example sess_3cb3b25e0a6b8f9c0d7).
Location can be changed in php.ini:
session.save_path = "/var/lib/php/sessions"
🔹 Security Considerations
HttpOnly Cookie
Prevents JavaScript from accessing the session ID.
Secure Flag
If using HTTPS, always set:
ini_set('session.cookie_secure', 1); // must run before session_start(), which sends the cookie
Regenerate Session ID
To prevent session fixation:
session_regenerate_id(true); // call right after a successful login; true deletes the old session file
Session Hijacking Risk
If an attacker steals the session ID, they can impersonate the user. That’s why proper session handling and regeneration are critical.
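Putting the points above together, here is an added example (not code from the original post) of a small session helper: it applies the cookie flags before session_start(), enables strict mode so that unknown session IDs are rejected, regenerates the ID on login, and performs the full destruction sequence on logout (session_destroy() alone removes only the server-side file and leaves the cookie and the in-memory $_SESSION in place). The function names, the constructed user record and the placeholder credential check are assumptions for the example; the array forms of session_set_cookie_params() and setcookie() need PHP 7.3 or newer, and the cookie only takes effect when served by a web server over HTTPS.

```php
<?php
// Added example (not part of the original post): session handling that applies
// the HttpOnly, Secure, strict-mode and regeneration points discussed above.
// Assumes PHP >= 7.3 and HTTPS; function names are the example's own.

declare(strict_types=1);

function secure_session_start(): void
{
    // Reject IDs that this server did not generate (session fixation defence).
    ini_set('session.use_strict_mode', '1');
    // Accept the ID only from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');

    // Cookie attributes must be set BEFORE session_start() sends Set-Cookie.
    session_set_cookie_params([
        'lifetime' => 0,        // removed when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // same effect as session.cookie_secure = 1
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // withheld on most cross-site requests
    ]);

    session_start();
}

// Call once the user has been authenticated: a fresh ID makes any ID that was
// planted before login worthless. The 'true' argument deletes the old file.
function login_user(string $username, string $role): void
{
    session_regenerate_id(true);
    $_SESSION['user']         = $username;
    $_SESSION['role']         = $role;
    $_SESSION['logged_in_at'] = time();
}

// session_destroy() only deletes the server-side file. Clear the array and
// expire the browser cookie too, so the old ID is not sent on the next request.
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Placeholder credential check for the example only: a real application loads
// the password hash from its user store. The user record here is constructed.
function credentials_are_valid(string $username, string $password): bool
{
    static $users = null;
    $users ??= ['ahmed' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

// Constructed request flow tying the helpers together.
secure_session_start();
$action = $_POST['action'] ?? '';
if ($action === 'login'
    && credentials_are_valid((string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''))) {
    login_user((string) $_POST['username'], 'User');
    echo "Logged in, new session ID issued.\n";
} elseif ($action === 'logout') {
    logout_user();
    echo "Logged out, session file and cookie removed.\n";
} else {
    echo isset($_SESSION['user']) ? "Hello, " . htmlspecialchars($_SESSION['user']) . "\n" : "Not logged in.\n";
}
```

Strict mode matters because without it a browser that presents an unknown PHPSESSID value gets a session created under that exact ID, which is the precondition for fixation; with it, PHP discards the unknown ID and issues its own. The regeneration on login closes the other half of that gap, and the cookie flags limit how an ID can leak in the first place.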
Simple Example
// page1.php
session_start();
$_SESSION['user'] = 'Ahmed';   // written to the session file on the server
echo "Session started for user Ahmed!";

// page2.php
session_start();               // loads the session named by the PHPSESSID cookie
if (!isset($_SESSION['user'])) {
    exit("No session found, please open page1.php first.");
}
echo "Welcome back, " . htmlspecialchars($_SESSION['user']);
Browser Flow:
User opens page1.php
Server creates session file with user=Ahmed.
Sends Set-Cookie: PHPSESSID=xxxx.
User opens page2.php
Browser sends Cookie: PHPSESSID=xxxx.
Server retrieves session file, loads user=Ahmed.
✅ Summary in Simple Words:
Server stores your actual session data.
Browser only stores a reference key (session ID) in a cookie.
On each request, PHP uses that session ID to find your data on the server.
Top comments (1)
Nice article, thank you. Note that you can store sessions in Memcache or Redis too. See: tqdev.com/2025-storing-php-session...