
session_start() / $_SESSION / session_destroy()

Since: PHP 4 (2000)

Starts a session and stores per-user data on the server. Use it when you need to persist data across pages, such as managing login state or a shopping cart.

Syntax

// Start a session.
session_start($options);

// Store and retrieve session variables.
$_SESSION['key'] = $value;

// Destroy the session.
session_destroy();

// Regenerate the session ID.
session_regenerate_id($delete_old_session);

// Get or set the session ID.
session_id($id);

// Set session cookie parameters.
session_set_cookie_params($options);

Function List

| Function | Description |
| --- | --- |
| session_start($options) | Starts a session. Does nothing if a session is already active. You can pass options such as cookie_lifetime and cookie_secure as an associative array. |
| $_SESSION | A superglobal array that stores session variables. Values saved to this array are available on the next request from the same user. |
| session_destroy() | Destroys all data associated with the current session. Because session variables are not cleared immediately, also set $_SESSION = [] to empty the array. |
| session_regenerate_id($delete_old) | Generates a new session ID. Pass true to also delete the old session file. |
| session_id($id) | Returns the current session ID when called with no argument. Pass a string to set the session ID. |
| session_set_cookie_params($options) | Sets the session cookie parameters. Must be called before session_start(). |

Sample Code

<?php
// Configure the session cookie with secure settings.
// This must be done before session_start().
session_set_cookie_params([
	'lifetime' => 0, // Valid until the browser is closed.
	'path' => '/',
	'domain' => '',
	'secure' => true, // Send the cookie over HTTPS only.
	'httponly' => true, // Prevents JavaScript from accessing the cookie.
	'samesite' => 'Lax' // Sets the SameSite attribute as a CSRF countermeasure.
]);

// Start the session. Call this at the top of every page, before any output.
session_start();

// Regenerate the session ID on successful login.
session_regenerate_id(true); // Also deletes the old session file.
$_SESSION['user_id'] = 1;

// Store data in session variables.
$_SESSION['username'] = 'John Doe';
$_SESSION['login_time'] = time();
echo $_SESSION['username']; // Outputs 'John Doe'.

// Check whether a session variable exists.
if (isset($_SESSION['username'])) {
	echo "Logged in as: " . $_SESSION['username'];
}

// Check the session ID.
echo session_id(); // Outputs an ID like 'abc123def456...'.

// Complete logout implementation. In a real application this runs in its own
// request, before any output, because setcookie() has to send a header.
$_SESSION = []; // Clear all session variables.
if (ini_get("session.use_cookies")) {
	$params = session_get_cookie_params();
	setcookie(
		session_name(), '', time() - 42000,
		$params["path"], $params["domain"],
		$params["secure"], $params["httponly"]
	); // Delete the session cookie.
}
session_destroy(); // Destroy the session data.

Overview

session_start() initiates PHP's session management and reserves a per-user data area on the server. To prevent session fixation attacks, always call session_regenerate_id(true) to regenerate the session ID immediately after a successful login.

Set the secure, httponly, and samesite attributes on the session cookie. secure sends the cookie over HTTPS only, httponly prevents JavaScript from accessing the cookie, which guards against session hijacking via XSS attacks, and samesite acts as a CSRF countermeasure.

When logging out, you must perform all three steps: clear the session variables, delete the session cookie, and destroy the session data. Calling session_destroy() alone is not enough, because the contents of $_SESSION remain in memory. For cookie operations, also see setcookie().
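The following script is an added demonstration, not part of the original page. It checks two claims from the overview: that session_regenerate_id(true) leaves the pre-login ID with no data behind it, and that session_destroy() alone leaves $_SESSION populated. It assumes the PHP CLI and the default file-based session handler; the stored() helper and the report labels are hypothetical names chosen for this example.

```php
<?php
// Added demonstration, not code from the original page. Run with the PHP CLI.
// Assumes the default file-based session handler. Cookies are turned off so
// the script can present session IDs by hand instead of through a browser.
ini_set('session.use_cookies', '0');
session_save_path(sys_get_temp_dir());

// Hypothetical helper: is there a stored session file for this ID?
function stored(string $id): bool
{
	return is_file(session_save_path() . '/sess_' . $id);
}

$report = [];

// 1. Anonymous visit: the ID a session fixation attack relies on staying valid.
session_start();
$_SESSION['cart'] = ['item-1'];
$preLoginId = session_id();

// 2. Successful login: new ID, old session file deleted, data carried over.
session_regenerate_id(true);
$_SESSION['user_id'] = 1;
$postLoginId = session_id();
session_write_close();
$report['ID changed at login'] = $preLoginId !== $postLoginId;
$report['pre-login session file deleted'] = !stored($preLoginId);

// 3. A later request that presents the pre-login ID finds no login state.
session_id($preLoginId);
session_start();
$report['pre-login ID sees user_id'] = isset($_SESSION['user_id']);
session_destroy();
$_SESSION = [];

// 4. Logout on the real session: check $_SESSION right after session_destroy().
session_id($postLoginId);
session_start();
session_destroy();
$report['$_SESSION keys left after session_destroy()'] = count($_SESSION);
$report['post-login session file deleted'] = !stored($postLoginId);
$_SESSION = []; // The step that actually empties the array.

foreach ($report as $label => $value) {
	echo $label, ': ', var_export($value, true), PHP_EOL;
}
```

All output is printed at the end because, once output has been sent, PHP refuses to change session ini settings and cannot send session headers.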
