PHP Cookies and Sessions

Cookies and sessions are mechanisms to store and use information from any page on your site. A cookie is a small file kept on the client's computer that can be used to store data relating to that user.


1. Cookies

Cookies achieve this by storing very small files on the user's computer. They are used to hold information that identifies the user, whether or not they are logged in, or other information the user needs to achieve their full experience with the site. Cookies can be set to expire after a fixed amount of time, or forever, by setting an expiration date far after the computer or user is likely to still be around.

For example, you could send a cookie that contains the user's name. The cookie could then be stored on the user’s computer and the next time the user visits the site, the cookie would be sent to your program, which would then present a personalized greeting.

Creating Cookies

To create a cookie, the setcookie() function is used. This function must be called before any output is sent to the browser. It has three mandatory parameters that contain the name, value, and expiration date (seconds) of the cookie.

setcookie("lastvisit", date("H:i:s"), time() + 60*60);

The value here is set with the date function, which returns a string formatted according to the specified format string. The expiration date is measured in seconds and is usually set relative to the current time in seconds retrieved through the time function. In this example, the cookie expires after one hour.

Cookie Array

Once the cookie has been set for a user, the browser sends it along with that user's next request to the site; it can then be accessed through the $_COOKIE array.

if (isset($_COOKIE['lastvisit'])) {
    echo "Last visit: " . $_COOKIE['lastvisit'];
}

Deleting Cookies

A cookie can be deleted manually by re-creating that same cookie with an old expiration date. It is then removed when the browser is closed.

setcookie("lastvisit", "", time() - 3600); // same name, empty value, expiration date in the past
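The three steps above (set, read, delete) put together in one script, as an added example that is not code from the original article. It uses the options-array form of setcookie(), which needs PHP 7.3 or newer, so that the Secure, HttpOnly and SameSite attributes can be set alongside the expiry; the helper names and the forget parameter are this example's own, and the Secure flag assumes the site is served over HTTPS.

```php
<?php
// Added example, not code from the original article: the full cookie
// lifecycle (set, read, delete) with the attributes that limit where the
// browser will send the cookie. Needs PHP 7.3+ for the options-array form
// of setcookie(). Assumes the site is served over HTTPS (for 'secure').

const COOKIE_NAME = 'lastvisit';

// Attributes shared by every Set-Cookie header this script sends.
function cookieOptions(int $expires): array
{
    return [
        'expires'  => $expires,   // absolute Unix timestamp, not a duration
        'path'     => '/',
        'domain'   => '',         // empty: only the host that set the cookie
        'secure'   => true,       // sent over HTTPS only
        'httponly' => true,       // not exposed to document.cookie
        'samesite' => 'Lax',      // withheld on most cross-site requests
    ];
}

// Set (or refresh) the cookie for one hour. Must run before any output.
function rememberVisit(): void
{
    setcookie(COOKIE_NAME, date('H:i:s'), cookieOptions(time() + 60 * 60));
}

// Read the cookie back. $_COOKIE is client-controlled input, so the value is
// checked against the exact format written by rememberVisit() before use.
function lastVisit(): ?string
{
    $raw = $_COOKIE[COOKIE_NAME] ?? null;
    if ($raw !== null && preg_match('/^\d{2}:\d{2}:\d{2}$/', $raw) === 1) {
        return $raw;
    }
    return null;
}

// Delete: resend the same name, path and domain with an expiry in the past.
// The browser matches on those three and discards its stored copy.
function forgetVisit(): void
{
    setcookie(COOKIE_NAME, '', cookieOptions(time() - 3600));
}

// Request handling: headers first, output last.
$previous = lastVisit();
if (isset($_GET['forget'])) {   // 'forget' is a parameter invented for this example
    forgetVisit();
    $previous = null;
} else {
    rememberVisit();
}

if ($previous !== null) {
    echo 'Last visit: ' . htmlspecialchars($previous, ENT_QUOTES, 'UTF-8');
} else {
    echo 'Welcome!';
}
```

Two points the article's snippets do not show: the value read from $_COOKIE is validated before it is echoed (and escaped on output), because anything in that array was supplied by the client; and deletion reuses the same path and domain as creation, since a browser only replaces a cookie whose name, path and domain all match.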

2. Sessions

Sessions allow the same storing of information, but achieve it by storing the information on the server (instead of the user's computer) for a fixed amount of time (usually up to 15 minutes unless the user stays active).

This means sessions will still work even when the user's security settings block cookies. The use of cookies can be disabled a number of ways such as the use of security software, browser settings, and ad blockers.

A session in PHP is a secure way to track a user from page to page. With a session, you can store information about users, such as their e-mail address, name, phone number, and whatever other details you have, and automatically fill in that information wherever it’s needed on the site. For example, say that on login you load the user's first name and e-mail address from your user database. You can store that information in a session, essentially hidden from the user, until you use it.

Starting a Session

To begin a session, the session_start() function is used. This function must appear before any output is sent to the web page.

<?php session_start(); ?>

The session_start() function sets a cookie on the client's computer containing a session id, which is used to associate the client with the session data held on the server. If the client already has an ongoing session, the function resumes that session instead of starting a new one.

Session Array

You use session variables as you would any other variables. Session data is stored in an array called $_SESSION, and you store values in it just as you would in any named array in PHP. For example, you can keep track of an e-mail address and name like this:

$_SESSION['emailAddress'] = "me@example.com";
$_SESSION['firstName'] = "Steve";

You can also use sessions to keep track of information filled in on a web form without having to carry that information through the site in hidden form variables.

Deleting a Session

A session is guaranteed to last until the user leaves the web site. Then, the garbage collector is free to delete that session. To manually remove a session variable, the unset function can be used. For removing all session variables, there is the session_destroy function.

unset($_SESSION['views']); // destroy session variable
session_destroy(); // destroy session
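The session steps above (start, store, remove) combined into one script, as an added example that is not code from the original article. It sets the attributes of the session-id cookie before session_start(), issues a fresh id at login, enforces the article's 15-minute idle limit in the application, and on logout clears the data, expires the id cookie and destroys the server-side record. The function names, the lastActivity key and the logout parameter are choices made for this example; it needs PHP 7.3 or newer and assumes HTTPS for the Secure flag.

```php
<?php
// Added example, not code from the original article: session set-up, login,
// idle timeout and logout. Uses the article's $_SESSION keys; the function
// names, the 'lastActivity' key and the 15-minute limit are choices made
// here. Needs PHP 7.3+; assumes HTTPS (for 'secure').

// Attributes for the session-id cookie; must be set before session_start().
session_set_cookie_params([
    'lifetime' => 0,      // session cookie: gone when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Call once the user's credentials have been verified (not shown here).
function loginUser(string $email, string $firstName): void
{
    // Replace the pre-login id so an id issued before authentication is not kept.
    session_regenerate_id(true);
    $_SESSION['emailAddress'] = $email;
    $_SESSION['firstName']    = $firstName;
    $_SESSION['lastActivity'] = time();
}

// Application-level idle timeout, independent of the server's garbage collector.
function sessionIsFresh(int $maxIdleSeconds = 15 * 60): bool
{
    if (!isset($_SESSION['lastActivity'])) {
        return false;
    }
    if (time() - $_SESSION['lastActivity'] > $maxIdleSeconds) {
        return false;
    }
    $_SESSION['lastActivity'] = time();   // activity extends the session
    return true;
}

// Remove a single value, as unset($_SESSION['views']) does in the article.
function forgetSessionValue(string $key): void
{
    unset($_SESSION[$key]);
}

// Full logout: clear the data, expire the id cookie, destroy the server-side record.
function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 3600,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Request handling: every header-changing call above runs before this output.
if (isset($_GET['logout'])) {   // 'logout' is a parameter invented for this example
    logoutUser();
    echo 'You have been logged out.';
} elseif (isset($_SESSION['emailAddress'])) {
    if (sessionIsFresh()) {
        echo 'Welcome back, ' . htmlspecialchars($_SESSION['firstName'], ENT_QUOTES, 'UTF-8');
    } else {
        logoutUser();
        echo 'Your session timed out, please log in again.';
    }
} else {
    // loginUser() would be called from the login form handler after a credential check.
    echo 'Please log in.';
}
```

session_destroy() alone removes the server-side data but leaves the id cookie in the browser, which is why logoutUser() also expires that cookie; session_regenerate_id(true) at login ensures the id the user authenticated with is not one that was handed out before they proved who they were.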