What Is PHP Session_Start()

PHP session_start() function: Why I need it every time I use anything related to PHP sessions

session_destroy() destroys the active session. If you have not initialized the session, there will be nothing to be destroyed.

What is PHP session_start()

The PHP session system lets you securely store data in the $_SESSION global array. A typical example is to store the user's identifier in the session when they type in their password:

if ($user = try_login($login, $password)) {
    // Credentials accepted: remember who is logged in
    $_SESSION['user'] = $user;
}

Then, you can access that information on all other pages:

if (isset($_SESSION['user'])) {
    // logged in!
    echo user_name($_SESSION['user']);
}

The data is stored on the server, so there is no risk of tampering (on the other hand, mind your disk usage).

Starting the session lets the current request use $_SESSION. If this is the user's first visit, the array will be empty and a new session cookie will be sent for you.

Closing the session merely prevents the current request from using $_SESSION, but the data stays around for the next requests.

Destroying the session throws away all the data, forever. The sessions are destroyed a certain duration after the last visit (usually around 30 minutes).
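
The login pattern above keeps the same session ID across the login and does not show the teardown. As an added example (not part of the original answer), the sketch below issues a fresh ID at login and removes both cookie and server-side data at logout. try_login() here is a constructed stand-in with one demo account, and start_secure_session(), login() and logout() are hypothetical helper names.

```php
<?php
// Constructed stand-in for the page's try_login(); a real one would query a user store.
function try_login(string $login, string $password): ?int
{
    static $users = null;   // constructed demo account
    $users ??= ['alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    $row = $users[$login] ?? null;
    return ($row !== null && password_verify($password, $row['hash'])) ? $row['id'] : null;
}

function start_secure_session(): void
{
    ini_set('session.use_strict_mode', '1');  // reject session IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,        // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(string $login, string $password): bool
{
    $user = try_login($login, $password);
    if ($user === null) {
        return false;
    }
    session_regenerate_id(true);  // new ID at the privilege change; old session data is deleted
    $_SESSION['user'] = $user;
    return true;
}

function logout(): void
{
    $_SESSION = [];               // clear the data for the rest of this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires' => time() - 3600, 'path' => $p['path'], 'domain' => $p['domain'],
            'secure' => $p['secure'], 'httponly' => $p['httponly'],
        ]);
    }
    session_destroy();            // delete the server-side session data
}
```

Call start_secure_session() before any output, then login() with the submitted credentials; the array forms of session_set_cookie_params() and setcookie() need PHP 7.3 or later.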

PHP session, why is session_start() required multiple times?

From php.net:

session_start() creates a session or resumes the current one based on
a session identifier passed via a GET or POST request, or passed via a
cookie.

When session_start() is called or when a session auto starts, PHP will
call the open and read session save handlers.

In other words, session_start() does not only create a session when a session does not exist yet, but it also makes it possible for a script to access the current session. It gives read and write access to the $_SESSION variable.

Without session_start, the script cannot write or read from the session; the session is still there, but it cannot be read or modified by the script. If you only want to give read access to a session you can call session_write_close(); to close the write access. This can be handy when you want multiple files to open the same session at the same time. When a script has write access it blocks the current session file, blocking all other scripts that want write access to the same session.

If you are lazy and always want a session to be active, you can write

php_flag session.auto_start 1

in a .htaccess file to enable the auto start of a session in PHP.
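
The locking behaviour described above, as an added example that is not part of the original answer: two ways to hold the session lock only for as long as the request needs it. The function names and the 'last_job_started' key are hypothetical; each function is meant for a separate request.

```php
<?php
// Read-only request (for instance an AJAX poll): load $_SESSION and release the lock at once.
function read_session_snapshot(): array
{
    // PHP 7.0+: session_start() reads the data and closes the session immediately.
    session_start(['read_and_close' => true]);
    return $_SESSION;   // still readable in this request; later writes are not saved
}

// Read-write request: write early, close, then run the slow part without the lock.
function record_job_and_run(callable $slowWork)
{
    session_start();                           // takes the lock on the session
    $userId = $_SESSION['user'] ?? null;       // copy out what the slow part needs
    $_SESSION['last_job_started'] = time();    // constructed example key
    session_write_close();                     // data saved, lock released

    // Other requests from the same browser can open the session from here on.
    // Changes made to $_SESSION after this point are discarded at the end of the request.
    return $slowWork($userId);
}
```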

When and where should I use session_start?

As others have said, the absolute requirements of what you must do are:

  • You must run session_start before you read or write to $_SESSION (otherwise it will just be an ordinary array and not saved anywhere).
  • You must not run session_start twice during a single script execution (page load) unless you use session_write_close to close it in between.

There is an extra rule that technically has exceptions, but is best treated as absolute:

  • Do not start the session after you have written any output (echo, HTML outside PHP blocks, etc), because PHP may not be able to send cookies to the browser if the server has already started sending the content.

There are two reasons you might want to avoid starting the session:

  • PHP locks the session when you open it to avoid two processes writing conflicting data into it, so if you have several requests happening at once, you want to avoid them waiting for each other unless they really need to. For instance, if you're responding to an AJAX request, and don't need any data from the session, don't open it.
  • As mentioned by symcbean, there is some cost to creating a new session, so if your site is busy with either legitimate or malicious traffic, you might want to serve some landing pages or error messages without starting it at all.

After that, it becomes a matter of style and architecture, but the rule of thumb that covers most of the above is "as soon as possible, if you're sure the page needs it".
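
One way to put the rules above into a single guard, as an added example that is not from the original answer. ensure_session() is a hypothetical helper: it refuses to start twice, refuses to start after output has begun, and can skip creating a session for visitors who do not already present a session cookie.

```php
<?php
function ensure_session(bool $createIfMissing = true): bool
{
    // Rule: never start twice in one request.
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true;
    }
    if (session_status() === PHP_SESSION_DISABLED) {
        return false;
    }

    // Cost rule: on landing or error pages, resume an existing session
    // but do not create one for a visitor who has no session cookie yet.
    $hasCookie = isset($_COOKIE[session_name()]);
    if (!$hasCookie && !$createIfMissing) {
        return false;
    }

    // Rule: the session cookie cannot be sent once output has started.
    if (headers_sent($file, $line)) {
        error_log("session not started: output began at $file:$line");
        return false;
    }

    return session_start();
}

// Page that needs the session: start it as early as possible.
if (ensure_session()) {
    $_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;   // constructed example key
}
```

A landing page would call ensure_session(false) instead and treat a false return as "anonymous visitor".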

PHP: session_start() called 'simultaneously' in multiple tabs creates multiple sessions

The best solution I could come up with was to move the session "creation" (i.e., setting session variables) into the ajax.php file, executed only after a user has successfully sent their uname/pwd and so they are about to be redirected to a new page anyway (i.e., welcome.php). This means that login.php cannot be guaranteed to have access to any session variables set by ajax.php whatsoever, so it's just a dumb page that relies solely on its ajax calls to know what's going on. As it turns out, this isn't such a hassle after all.

PHP sessions and session_start()

That may be because you have been redirected to another site during the process. And when you return from PayPal to your website, session_start() generated a new session ID which your previously stored session variables are not linked to.

And when you removed session_start() (I don't think session should work without this on top), it used the old session id and never got regenerated. Hence, old session data are back!

This is just my assumption.

How does session_start know, whether to resume or start the session?

If you view your cookies, there should be a PHPSESSID cookie that will contain a random string, which PHP uses to identify a session. If it doesn't exist, it will create a new one and set that cookie (providing it is able to do so, i.e. headers aren't sent yet amongst other things). Try doing a var_dump($_COOKIE); on try.php.


