The Web was designed for browsing documents, where each request from a web browser to a web server is independent of every other interaction. To develop applications for the Web, additional logic is required so that different requests can be related. For example, this logic is required to allow users to log in, use the gift registry application, and log out when they’re finished. In PHP, the logic is provided by the sessions library.
Sessions allow variables to be stored on the server so the variables can be restored each time a user requests a script. Consider a short example:
<?php
session_start( );
if (session_is_registered("count"))
{
  // The variable was restored from the session by the PHP engine
  echo "Hello! You've visited {$count} times";
  $count++;
}
else
{
  echo "Welcome new user!";
  // Register the variable so it is saved with the session
  session_register("count");
  $count = 1;
}
?>
When the user requests the script for the first time, a new session is created. Then, a variable $count is registered and stored on the web server with its associated value of 1. When the script is requested again, the variable is automatically restored by the PHP engine and the count incremented. For example, on the fifth request of the script the output is:
Hello! You've visited 5 times
With its default configuration, the sessions library relies on cookies. Cookies are strings that are passed back and forth between the web server and browser and are used in sessions to maintain a unique key. This key is used on the server to locate the variables associated with the session. If cookies are disabled or unsupported by the browser, then sessions won’t work; this problem can be solved by storing the session key in the URL, but we don’t discuss that here.
All sessions have a timeout. This means that if a user doesn’t access the server for a predetermined period, the session is destroyed. Session timeouts are necessary because there is no guarantee in a web environment that a user will log out. By default, the timeout is set to 1,440 seconds, or 24 minutes. This can be adjusted—along with other session parameters—through the php.ini configuration file that is normally stored in the directory /usr/local/lib on Unix servers.
You can also allow a user to destroy a session by adding a logout feature to an application. In our gift registry, the user can click on a Logout embedded link, which runs the following script stored in the file logout.php:
<?php
// Log out of the system
session_start( );
session_destroy( );
// Redirect to the confirmation page.
header("Location: logout.html");
?>
A session must be started before it can be destroyed. The script doesn’t produce HTML output but instead makes use of a popular web trick. The following code fragment sends an HTTP header back to the web browser using the PHP library header( ) function:
// Redirect to the confirmation page.
header("Location: logout.html");
The Location: header instructs the web browser to immediately request another resource; in this case, the logout.html page. Therefore, when the user clicks on the link to log out, the logout.php script destroys the session, and the logout.html page is displayed. We use this redirection so that if the user reloads or refreshes the logout.html page, no unnecessary session activity occurs. The page thanks the user for using the application.
The header( ) function causes a very common error in which the PHP engine complains that it cannot add header information because the headers have already been sent.
The error occurs because the web server sends headers as soon as any HTML is output. If you leave a blank line or even a single space before the PHP start tag, the headers are sent, because these are treated as HTML (albeit not very interesting HTML).
In the gift registry application, the session variable $user is registered when a guest logs in, and its value is set to his people_id. This variable is then used throughout the application both as the source of the guest’s identity and to indicate that the guest is logged in. The function logincheck( ) is called at the beginning of the presents.php and action.php scripts to check if the user is logged in:
function logincheck( )
{
  session_start( );
  if (!session_is_registered("user"))
  {
    // redirect to the login page
    header("Location: index.php");
    // stop here: a Location: header alone does not halt the script,
    // so without this the rest of the calling page would still run
    exit;
  }
}
If the user hasn’t logged on or the session has timed out, then the header( ) function redirects the browser to the login page, which we discuss later in Section 11.7.
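The same login check and logout for current PHP, added here as an example and not taken from the book: session_register( ) and session_is_registered( ) were removed in PHP 5.4, so this version keeps the guest’s people_id in the $_SESSION superglobal, enforces the 24-minute idle limit on the server side as well, and exits after sending the Location: header. The login_user( ) caller, the last_seen key and the IDLE_LIMIT constant are assumptions made for the example.

```php
<?php
// Added example, not the book's code. Uses the $_SESSION superglobal in place
// of session_register()/session_is_registered(), which no longer exist.
// index.php, logout.html and people_id come from the page; IDLE_LIMIT mirrors
// the 1,440-second php.ini default the text describes.

const IDLE_LIMIT = 1440; // seconds of inactivity before the login is dropped

// Hypothetical caller: run after the guest's credentials have been verified.
function login_user(int $people_id): void
{
    session_start();
    // Issue a fresh session id so a key seen before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user'] = $people_id;
    $_SESSION['last_seen'] = time();
}

// Called at the top of presents.php and action.php, as in the book.
function logincheck(): void
{
    session_start();
    $idle = time() - ($_SESSION['last_seen'] ?? 0);
    if (!isset($_SESSION['user']) || $idle > IDLE_LIMIT) {
        // Not logged in, or idle too long: destroy the session and send the
        // browser to the login page. logout_user() exits, so the calling
        // page never runs on past this point.
        logout_user('index.php');
    }
    $_SESSION['last_seen'] = time();
}

// What logout.php does in the book: destroy the session, then redirect.
function logout_user(string $target = 'logout.html'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();   // a session must be started before it can be destroyed
    }
    $_SESSION = [];
    // Also expire the browser's session cookie so the old key is not resent.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    header('Location: ' . $target);
    exit;   // a Location: header alone does not halt the script
}
```

As in the book, nothing may be output before these functions run, or the header( ) call fails with the "headers already sent" error described above.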