DEV Community

Ahmed Raza Idrisi

PHP Session in Depth

🔹 What is a Session in PHP?

A session is a way to store user-specific data (like login status, cart items, preferences) across multiple page requests.

Unlike ordinary PHP variables, which are lost when the script ends, session data persists for as long as the user's session is active.

🔹 How a PHP Session Works (Flow)

Session Initialization

When you call:

session_start();

PHP checks:

If the browser already sent a session identifier (session ID) in the request.

If not, PHP creates a new session (a file on the server, usually in /tmp or the directory defined by session.save_path).

Session ID Generation

PHP generates a unique ID (usually a long random string, e.g., 3cb3b25e0a6b8f9c0d7...).

This ID is how PHP knows which session file belongs to which user.

Storing Session Data

You assign session data like:

$_SESSION['user'] = 'Ahmed';
$_SESSION['role'] = 'Admin';

PHP writes this data into a server-side file (like /tmp/sess_3cb3b25e0a6b8f9c0d7).

Example file content:

user|s:5:"Ahmed";role|s:5:"Admin";

Communicating with the Browser

The browser never stores the actual session data (for security).

Instead, PHP sets a cookie on the browser with the session ID:

Set-Cookie: PHPSESSID=3cb3b25e0a6b8f9c0d7; path=/; HttpOnly

On each subsequent request, the browser automatically sends this cookie back:

Cookie: PHPSESSID=3cb3b25e0a6b8f9c0d7

Session Retrieval

When PHP gets a request with PHPSESSID, it:

Looks for the corresponding session file.

Loads and unserializes it into the $_SESSION array.

Now you can access the stored values.

Session Destruction

When you call:

session_destroy();

PHP deletes the session file on the server.

You can also manually unset variables:

unset($_SESSION['user']);


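The flow above, run end to end on the command line as an added example (this is not code from the original post): it shows the ID being generated, the serialized string PHP hands to its save handler, the sess_<ID> file on disk, and a complete destruction that clears the in-memory array and expires the cookie as well as deleting the file. It assumes the default files save handler and a writable temporary directory; the directory name is the example's own.

```php
<?php
// Added example (not from the original post): the PHP session lifecycle on the CLI.
// Assumptions: default "files" save handler, writable temp directory, PHP >= 7.0.

declare(strict_types=1);

// A private directory so we can inspect the sess_* file without touching the
// system-wide session store.
$savePath = sys_get_temp_dir() . '/php-session-demo-' . getmypid();
if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
    throw new RuntimeException("cannot create $savePath");
}
ini_set('session.save_path', $savePath);
ini_set('session.use_cookies', '0');   // CLI: there is no browser to receive Set-Cookie

// 1. Initialization: no ID was presented, so PHP generates a fresh one.
session_start();
$id = session_id();
echo "session ID: $id\n";

// 2. Storing data: this lives only in memory until the session is written.
$_SESSION['user'] = 'Ahmed';
$_SESSION['role'] = 'Admin';

// session_encode() returns exactly the string the save handler writes to disk.
echo "serialized: " . session_encode() . "\n";   // user|s:5:"Ahmed";role|s:5:"Admin";

// 3. Write: flush $_SESSION to sess_<ID> and release the lock on the file.
session_write_close();
$file = "$savePath/sess_$id";
echo "on disk:    " . file_get_contents($file) . "\n";

// 4. Retrieval: a later request presenting the same ID gets the same data back.
session_id($id);
session_start();
printf("reloaded:   user=%s role=%s\n", $_SESSION['user'], $_SESSION['role']);

// 5. Destruction: session_destroy() only removes the server-side file. Clear the
//    in-memory array too and, in a web context, expire the cookie; otherwise the
//    browser keeps presenting the old ID on every request.
$_SESSION = [];
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}
session_destroy();
echo "file exists after destroy: " . var_export(file_exists($file), true) . "\n"; // false

rmdir($savePath);
```

Run it with `php lifecycle.php`; the "serialized" and "on disk" lines print the same string, which is the point: $_SESSION is just the unserialized form of that file.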
🔹 Role of Cookies in Sessions

By default, PHP sessions rely on cookies to store the session ID.

This is why, if a user disables cookies, the session won't work unless you pass the session ID in the URL (not recommended: it is insecure).

Example with cookies:

Browser sends:

Cookie: PHPSESSID=3cb3b25e0a6b8f9c0d7

PHP finds sess_3cb3b25e0a6b8f9c0d7 file → loads session data.

🔹 Where Sessions are Stored (Server Side)

Default: /tmp folder (Linux) or C:\Windows\Temp (Windows).

File name format: sess_<session ID>, e.g. sess_3cb3b25e0a6b8f9c0d7

Location can be changed in php.ini:

session.save_path = "/var/lib/php/sessions"


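The built-in files handler is one implementation of PHP's SessionHandlerInterface; Redis or Memcache stores plug in through the same contract. The following added example (not from the original post) is a minimal handler that mirrors the built-in one, so the open/read/write/destroy/gc steps behind session_start() become visible. It assumes PHP 8.0 or later (for the union return types) and a writable directory; the class name and directory are the example's own.

```php
<?php
// Added example (not from the original post): a file-based session save handler
// that mirrors PHP's built-in one. Assumptions: PHP >= 8.0, writable directory.

declare(strict_types=1);

final class FileSessionHandler implements SessionHandlerInterface
{
    private string $dir;

    public function __construct(string $dir) { $this->dir = rtrim($dir, '/'); }

    private function path(string $id): string
    {
        // Accept only the characters PHP itself uses in IDs, so a forged cookie
        // value can never be turned into a path outside the session directory.
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            throw new InvalidArgumentException('malformed session id');
        }
        return $this->dir . '/sess_' . $id;   // same naming as the default handler
    }

    public function open(string $savePath, string $sessionName): bool
    {
        return is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }

    public function close(): bool { return true; }

    // Called by session_start(); must return '' (not false) for an unknown ID.
    public function read(string $id): string|false
    {
        $file = $this->path($id);
        return is_file($file) ? (string) file_get_contents($file) : '';
    }

    // $data arrives already serialized (e.g. user|s:5:"Ahmed";); PHP does that.
    public function write(string $id, string $data): bool
    {
        return file_put_contents($this->path($id), $data, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $file = $this->path($id);
        return !is_file($file) || unlink($file);
    }

    // Garbage collection: drop sessions idle longer than session.gc_maxlifetime.
    public function gc(int $maxLifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $file) {
            if (filemtime($file) + $maxLifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }
}

// Demo on the CLI: register the handler, then drive it through session_* calls.
$dir = sys_get_temp_dir() . '/php-session-handler-demo-' . getmypid();
$handler = new FileSessionHandler($dir);
session_set_save_handler($handler, true);
ini_set('session.use_cookies', '0');      // no browser to receive Set-Cookie

session_start();                           // open(), then read(<new id>) returns ''
$_SESSION['user'] = 'Ahmed';
$id = session_id();
session_write_close();                     // write($id, 'user|s:5:"Ahmed";'), close()
echo "stored: ", file_get_contents("$dir/sess_$id"), "\n";

session_id($id);
session_start();                           // read($id) brings the data back
echo "user: ", $_SESSION['user'], "\n";
session_destroy();                         // destroy($id) removes the file
echo "file remains: ", var_export(file_exists("$dir/sess_$id"), true), "\n"; // false
rmdir($dir);
```

The ID check in path() is the part worth copying into any custom handler: the ID comes straight from the client's cookie, and a handler that concatenates it into a file name or cache key without validation trusts attacker-controlled input.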
🔹 Security Considerations

HttpOnly Cookie

Prevents JavaScript from accessing the session ID.

Secure Flag

If using HTTPS, always set:

ini_set('session.cookie_secure', 1);

Regenerate Session ID

To prevent session fixation:

session_regenerate_id(true);

Session Hijacking Risk

If an attacker steals the session ID, they can impersonate the user. That's why proper session handling and regeneration are critical.
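A bootstrap that combines the settings above into one place (added example, not the author's code): strict mode and cookie-only IDs against fixation, the HttpOnly, Secure and SameSite cookie flags, ID regeneration at login, an idle timeout, and a logout that expires the cookie as well as destroying the server-side data. It assumes PHP 7.3 or newer, a site served over HTTPS, and a hypothetical verify_credentials() helper that is not shown here.

```php
<?php
// Added example (not from the original post): hardened session bootstrap.
// Assumptions: PHP >= 7.3 (samesite support), HTTPS, and a hypothetical
// verify_credentials(string $user, string $pass): bool defined elsewhere.

declare(strict_types=1);

const SESSION_IDLE_LIMIT = 1800; // seconds of inactivity before the session is dropped

function secure_session_start(): void
{
    // All of these must be set before session_start(); they have no effect afterwards.
    ini_set('session.use_strict_mode', '1');   // refuse IDs the server did not generate
    ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
    ini_set('session.use_trans_sid', '0');
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // same effect as session.cookie_secure = 1
        'httponly' => true,     // same effect as session.cookie_httponly = 1
        'samesite' => 'Lax',    // not attached to cross-site POST requests
    ]);
    session_start();

    // Idle timeout: a captured ID is useless once the server has dropped the session.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > SESSION_IDLE_LIMIT) {
        session_unset();
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = $now;
}

function login(string $username, string $password): bool
{
    if (!verify_credentials($username, $password)) {   // hypothetical helper
        return false;
    }
    // Privilege level changed: issue a fresh ID and delete the old file, so an ID
    // that was planted or observed before login no longer maps to this session.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie; session_destroy() alone leaves it in the browser.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

function require_login(): void
{
    if (empty($_SESSION['user'])) {
        header('Location: /login.php', true, 303);
        exit;
    }
}

// A typical protected page: bootstrap first, then gate the content.
secure_session_start();
require_login();
echo 'Welcome back, ', htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
```

Two details matter in practice: session.use_strict_mode is what makes session_regenerate_id() effective against fixation, because without it PHP will happily create a session under any ID a client presents; and the ini_set calls only work before session_start(), so settings placed after it are silently ignored.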

Simple Example

<?php
// page1.php
session_start();
$_SESSION['user'] = 'Ahmed';
echo "Session started for user Ahmed!";

<?php
// page2.php
session_start();
echo "Welcome back, " . $_SESSION['user'];

Browser Flow:

User opens page1.php

Server creates session file with user=Ahmed.

Sends Set-Cookie: PHPSESSID=xxxx.

User opens page2.php

Browser sends Cookie: PHPSESSID=xxxx.

Server retrieves session file, loads user=Ahmed.

✅ Summary in Simple Words:

Server stores your actual session data.

Browser only stores a reference key (session ID) in a cookie.

On each request, PHP uses that session ID to find your data on the server.

Maurits van der Schee

Nice article, thank you. Note that you can store sessions in Memcache or Redis too. See: tqdev.com/2025-storing-php-session...