5. Session handling

We may want a WWW page that can retain information from one visit to the WWW page to the next. What we can do is to indicate in the PHP script that we want to use session variables. Then, when a visitor visits our PHP script, they will be assigned a unique id called the session id. Either this can be stored in a cookie in the visitor's browser or the author of the PHP script can arrange for it to be propagated in the URL.

Suppose we want to collect the visitor's name and then greet him/her with this name whenever they visit the WWW page. So we will use a session variable to store the visitor's name. The PHP script can start by checking whether the session variable is set. If it is not set, the PHP script can display a WWW form to collect this information from the visitor. That gets us to the following code. Suppose this code is in a file called intro.php:

<?php
   session_start();
   if (isset($_SESSION["visitors_name"])) {
      // The name was typed in by the visitor, so escape it before echoing it into HTML
      $visitors_name = htmlspecialchars($_SESSION["visitors_name"], ENT_QUOTES, "UTF-8");
      echo "Hello $visitors_name<br>\n";
   }
   else {
?>
      <FORM METHOD="post"   ACTION="...">
      Type in your name:
      <INPUT  TYPE="text"     NAME="visitors_name"/>
      <INPUT  TYPE="submit"  VALUE="Register"/>
      </FORM>
<?php
   }
?>

The ACTION attribute in the above WWW form is incomplete. So what script do we want to execute when the visitor clicks on the Register button? What we could do is to invoke the same script provided we alter the script so that one of the first things it does is to check whether it was triggered into action by the WWW form. So, we can add some code to check whether the appropriate $_POST variable is set, and, if it is, the code can then set the session variable:

   if (isset($_POST["visitors_name"])) {
      $_SESSION["visitors_name"] = $_POST["visitors_name"];
   }

The resulting script is given below. It also includes some code that counts the number of times the visitor has visited this WWW page.

<?php
   session_start();
   // Triggered by the form: store the submitted name and reset the visit counter
   if (isset($_POST["visitors_name"])) {
      $_SESSION["visitors_name"] = $_POST["visitors_name"];
      $_SESSION["num_visits"] = 0;
   }
   if (isset($_SESSION["visitors_name"])) {
      // The name was typed in by the visitor, so escape it before echoing it into HTML
      $visitors_name = htmlspecialchars($_SESSION["visitors_name"], ENT_QUOTES, "UTF-8");
      $_SESSION["num_visits"]++;
      $num_visits = $_SESSION["num_visits"];
      echo "Hello $visitors_name on visit number $num_visits<br>\n";
      echo "<a href=\"intro.php\">click here</a>\n";
   }
   else {
?>
      <FORM METHOD="post"   ACTION="intro.php">
      Type in your name:
      <INPUT  TYPE="text"     NAME="visitors_name"/>
      <INPUT  TYPE="submit"  VALUE="Register"/>
      </FORM>
<?php
   }
?>

Go to the script at: http://www.dur.ac.uk/barry.cornelius/papers/phpintro/code/intro.php

As mentioned above, there are two ways in which a session id can be propagated. The manual says that ‘Cookies are optimal’, but because the visitor can disable support in his/her browser for cookies, PHP provides the alternative way of embedding a session id directly into a URL. The manual points out that ‘URL based session management has additional security risks compared to cookie based session management. Users may send an URL that contains an active session ID to their friends by email or users may save an URL that contains a session ID to their bookmarks and access your site with the same session id always, for example.’
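
The risk the manual describes can be closed off in the script itself. The following is an added example, not code from the original tutorial: intro.php set up so that the session id travels only in a cookie and is replaced when the visitor registers. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params) and a site served over HTTPS.

```php
<?php
// Added example, not the tutorial's own code.
// These settings must be applied before session_start().

// Never accept a session id from the URL and never write one into links.
ini_set("session.use_only_cookies", "1");
ini_set("session.use_trans_sid", "0");
// Refuse session ids that this server did not issue (limits session fixation).
ini_set("session.use_strict_mode", "1");

session_set_cookie_params([
    "lifetime" => 0,       // cookie is discarded when the browser closes
    "path"     => "/",
    "secure"   => true,    // assumption: the page is served over HTTPS
    "httponly" => true,    // cookie is not readable from JavaScript
    "samesite" => "Lax",   // cookie is not sent on cross-site POSTs
]);
session_start();

if (isset($_POST["visitors_name"]) && is_string($_POST["visitors_name"])) {
    // Issue a fresh session id at registration and delete the old session data,
    // so an id that leaked earlier does not inherit the new contents.
    session_regenerate_id(true);
    $_SESSION["visitors_name"] = $_POST["visitors_name"];
    $_SESSION["num_visits"] = 0;
}

if (isset($_SESSION["visitors_name"])) {
    $_SESSION["num_visits"]++;
    // Escape on output: the stored name came from the visitor.
    $visitors_name = htmlspecialchars($_SESSION["visitors_name"], ENT_QUOTES, "UTF-8");
    $num_visits = (int) $_SESSION["num_visits"];
    echo "Hello $visitors_name on visit number $num_visits<br>\n";
    echo "<a href=\"intro.php\">click here</a>\n";
} else {
?>
    <FORM METHOD="post" ACTION="intro.php">
    Type in your name:
    <INPUT TYPE="text" NAME="visitors_name"/>
    <INPUT TYPE="submit" VALUE="Register"/>
    </FORM>
<?php
}
?>
```

With these settings a URL that is emailed or bookmarked carries no session id, so a visitor who has disabled cookies gets a new, empty session on each request instead of one that can be shared.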