If you are recommended to learn PHP sesson, you must check PHP session 1/2.

The session is stored on the server as a text file, so the client is not afraid to modify the session content. In fact, in the session file on the server side, PHP automatically modifies the session file permissions, only retaining the system read and write permissions, and cannot be modified through FTP, which is much safer.
For cookie, if we want to verify whether the user logs in, we must save the user name and password (which may be the MD5 encrypted string) in the cookie and perform verification on each request page. If the user name and password are stored in the database, a database query is executed every time, causing extra burden on the database. Because we cannot perform only one verification. Why? Because the information in the client Cookie may be modified. If you store the $ admin variable to indicate whether the user has logged on, $ admin indicates logging on when it is set to true, and false indicates not logging on, after the first verification is passed, $ admin equals true is stored in the cookie, so no verification is required next time. Is this correct? Wrong. If someone spoofs a $ admin variable with the value true, isn't the administrator privilege immediately obtained? Very insecure.
The session is different. The session is stored on the server, and remote users cannot modify the content of the session file. Therefore, we can simply store a $ admin variable to determine whether to log on, after the first verification is passed, set $ admin to true, and then judge whether the value is true. If not, transfer it to the login interface, which can reduce a lot of database operations. In addition, it can reduce the security of passing passwords to verify cookies every time (Session verification only needs to be passed once, if you do not use the SSL Security Protocol ). Even if the password is encrypted with MD5, it is easily intercepted.
Of course, session has many advantages, such as easy control and user-defined storage (stored in the database ). I will not talk about it here.
Does session need to be set in PHP. ini? Generally, this is not required because not everyone has modified PHP. INI permission. The default session storage path is the temporary system folder of the server. We can customize it to be stored in our own folder. I will introduce it later.
This topic describes how to create a session. Very simple, really.
Start the session and create a $ admin variable:

<? PHP
// Start the session
Session_start ();
// Declare a variable named admin and assign a null value.
$ _ Session ["admin"] = NULL;
?>
If you use seesion or the PHP file needs to call the session variable, you must start the session before calling it and use the session_start () function. PHP automatically creates the session file.

After executing thisProgramYou can find the session file in the temporary folder of the system. The file name is generally sess_4c83638b3b0dbf65583181c2f89168ec, followed by a 32-bit random string. Open it in the editor and check its content:

Admin | n; The content is generally structured as follows:

Variable name | type: Length: value; separate each variable with a semicolon. Some can be omitted, such as length and type.

Let's take a look at the verification program. Assume that the database stores the user name and the MD5 encrypted password:

Login. php
<? PHP
// After the form is submitted...
$ Posts =$ _ post;
// Clear some blank symbols
Foreach ($ posts as $ key => $ value ){
$ Posts [$ key] = trim ($ value );
}
$ Password = MD5 ($ posts ["password"]);
$ Username = $ posts ["username"];

$ Query = "select 'username' from 'user' where 'Password' = '$ password' and 'username' =' $ username '";
// Obtain the query result
$ Userinfo = $ db-> getrow ($ query );

If (! Empty ($ userinfo )){
// After the verification is passed, start the session
Session_start ();
// Register the logon admin variable and assign the value true.
$ _ Session ["admin"] = true;
} Else {
Die ("incorrect user name and password ");
}
?>
We start the session on the page that requires user verification to determine whether to log on:

<? PHP
// Prevent security risks caused by global variables
$ Admin = false;
// Start the session. This step is required.
Session_start ();
// Determine whether to log on
If (isset ($ _ session ["admin"]) & $ _ session ["admin"] = true ){
Echo "you have successfully logged on ";
} Else {
// Verification Failed. Set $ _ session ["admin"] to false
$ _ Session ["admin"] = false;
Die ("You are not authorized to access ");
}
?>
Is it easy? Consider $ _ session as an array stored on the server. Every variable we register is an array key, which is no different from the array used.

What if I want to log out of the system? Destroy the session.

<? PHP
Session_start ();
// This method destroys a previously registered variable.
Unset ($ _ session ['admin']);
// This method destroys the entire session file.
Session_destroy ();
?>
Can a session set a lifecycle like a cookie? Does session discard cookies? I would like to say that using session with cookies is the most convenient.