PHP Session control: Session and Cookie details

Source: Internet
Author: User
This article mainly introduces PHP Session control: Session and Cookie details. This article describes Session and Cookie related knowledge in PHP in detail and covers a wide range of topics. For more information, see

This article mainly introduces PHP Session control: Session and Cookie details. This article describes Session and Cookie related knowledge in PHP in detail and covers a wide range of topics. For more information, see

This article introduces PHP session control, which mainly describes the following:

• Background/concept of session control
• Cookie maintenance and lifecycle (effective time)
• Session maintenance and lifecycle (recovery mechanism)
• Differences and connections between cookies and sessions
• Question 1: Why does the session become invalid after the cookie is disabled?
• Question 2: The session is lost in IE. A new sessionID is generated every time the page is refreshed (Firefox is normal)
• Simple session and cookie instances

Understand the concept of session control

To understand a concept, we need to understand its background and causes. Here we introduce the WEB environment and its HTTP protocol. Background of session control:
Anyone who has read the relevant information about the HTTP protocol will know that the HTTP protocol is a stateless protocol that allows the WEB server to communicate with the client (browser, http request data is not maintained. http requests are independent and not persistent. That is to say, HTTP does not have a built-in mechanism to maintain the state or relationship between two transactions. When a user requests a page and then requests another page, HTTP cannot tell us whether the two requests come from the same user.

This makes us feel very strange. When we shop on forums or e-commerce websites, as long as we are on this site, no matter how we jump, we can go from one page to another, websites always remember who I am, for example, telling you what you bought. How can this be done? As you may have guessed, HTTP session control is used. Track A variable on the website and associate multiple request items by tracking the variable. Different content and pages are displayed based on the authorization and user identity.

PHP Session control:

PHP session is driven by a unique session ID, which is an encrypted random number generated by PHP and stored on the client during the session lifecycle. We know that the client (that is, the browser) only saves data in cookies, so the session ID of PHP is generally stored in the cookie of the user's machine. After understanding the cookie, we know that the browser can disable the cookie, so that the session will become invalid. So there is another PHP session control mode, that is, passing session IDs in URLs. If we pay attention to it when browsing the website, some URLs have strings that look like random numbers, it is very likely that they are URL-based session control.

Here, some people may have doubts. The client only saves a session ID, so the session variables saved in session control, such as the list of items you bought during shopping, where are they stored? Obviously, session variables are used on the server, so these session variables must be stored on the server. By default, session variables are stored in common files on the server (you can also configure and use the database to save them, You can Google it). session IDs Act as a key, find the session variable corresponding to the session ID in the file where the server saves the session, such as the list of purchased items.

The entire session control process may look like this. When a user logs on to a website or browses a page for the first time, this site generates a PHP session ID and sends it to the client (browser) through cookies ). When a user clicks another page of the site, the browser starts to connect to the URL. Before connection, the browser will first search for the locally saved cookie. If there is any cookie related to the URL being connected in the cookie, it will be submitted to the server. A cookie (saved session ID) related to the URL of the website has been generated during login or the first connection, so when the user connects to the site again, the site can identify the user through this session ID, and retrieve the session variables related to this session ID from the server session file to maintain the continuity between transactions.

Next, we will understand two important concepts: cookie and session.

Cookie maintenance and lifecycle

Cookie is created on the server side and written back to the client browser. The browser receives the cookie writing instruction in the Response Header in the local Temporary Folder.

A cookie file is created, where your cookie content is saved. The cookie content is stored as a key-value pair, and both keys and values can only be strings. For example:
File: Cookie: administrator @ localhost/
Content format: voteID100101localhost/15361167667230343893360385046430343691 *

Cookie creation:

The Code is as follows:

The setcookie () function sets the cookie. The function prototype is as follows:
Setcookie (name, value, expire, path, domain );

Note: The cookie header must be sent before other headers are sent. Otherwise, it will be invalid (this is a cookie restriction, not a PHP restriction ). When sending a cookie, the cookie value is automatically URL encoded and automatically decoded when retrieved. To prevent URL encoding, use setrawcookie () instead ).

Cookie maintenance:

Coke has four identifiers: cookie name, domain, path, and secure. To change the value of this cookie in the future, you need to send another Set-cookie message header with the same Cookie name, domain, path.

To overwrite the original cookie value. However, if only one of these options is changed, a completely different cookie is created, for example, the name value is changed.

Cookie expiration time:

You can set the expiration time. If you do not set the expiration time, it is the session level, that is, closing the browser will disappear. When a cookie is created, it contains an expiration date, which is associated with a cookie identified by name-domain-path-secure. To change the expiration date of a cookie, you must specify the same combination. When changing the value of a cookie, you do not need to set the expiration date every time because it is not part of the cookie identity information. For example:

The Code is as follows:

Setcookie (vote, $ id + 1, time () + 3600*24 );
Setcookie (vote, $ id );

The expiration date on the cookie does not change because the cookie identifier is the same. In fact, only you manually change the cookie expiration date, otherwise the expiration date will not change. This means that in the same session, a session cookie can be converted into a persistent cookie (one that can exist in multiple sessions), and vice versa. To change a persistent cookie to a session cookie, you must delete this persistent cookie, this only requires you to set its expiration date to a session cookie with the same name after a certain time in the past.

Remember that the expiration date is verified based on the system time on the computer running the browser. There is no way to verify whether the system time is synchronized with the server time, so when the server time and the browser's system time are different, this setting will cause errors.

Automatic cookie deletion:

The cookie is automatically deleted by the browser. There are usually the following reasons:
Session coke (Session cookie) will be deleted at the end of the Session (closed by the browser)
Persistent cookie will be deleted when it reaches the expiration date, for example:

The Code is as follows:

Setcookie ("vote", "", time ()-3600 );

If the cookie in the browser is restricted, the cookies will be deleted to create a space for creating new cookies.

Session maintenance and lifecycle

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.