Page 320 - Beginning PHP 5.3
Part III: Using PHP in Practice
You can see from this example that cookies are a convenient way to store small amounts of data on a
semi-permanent basis. Because the cookies are stored in the browser, you don't have to worry about
sending the data to the browser each time a page is viewed. You just set the cookies once, then read
their values later as needed.
Using PHP Sessions to Store Data
Although cookies are a useful way to store data, they have a couple of problems. First of all, they aren't
very secure. As with form data and query strings, an attacker can easily modify a cookie's contents to
insert data that could potentially break your application or compromise security. Secondly, although you
can store a fair amount of state information in a cookie, remember that all the cookie data for a Web site
is sent every time the browser requests a URL on the server. If you have stored 10 cookies, each 4KB in
size, on the browser, then the browser needs to upload 40KB of data each time the user views a page!
Both of these issues can be overcome by using PHP sessions. Rather than storing data in the browser, a
PHP session stores data on the server, and associates a short session ID string (known as SID) with that
data. The PHP engine then sends a cookie containing the SID to the browser to store. Then, when the
browser requests a URL on the Web site, it sends the SID cookie back to the server, allowing PHP to
retrieve the session data and make it accessible to your script.
The session IDs generated by PHP are unique, random, and almost impossible to guess, making it very
hard for an attacker to access or change the session data. Furthermore, because the session data is stored
on the server, it doesn't have to be sent with each browser request. This allows you to store a lot more
data in a session than you can in a cookie.
By default, PHP stores each session's data in a temporary file on the server. The location of the
temporary files is specified by the session.save_path directive in the PHP configuration file. You
can display this value with:
echo ini_get( "session.save_path" );
The session files are often stored in /tmp on UNIX or Linux systems, and C:\WINDOWS\Temp on
Windows systems.
ini_get() lets you access the value of most PHP configuration directives, and ini_set() lets you
set directives. You find out more about ini_set() later in the chapter.
Although you can store a fair amount of data in a session, keep in mind that sessions are really only designed
to store temporary data relating to the user's current interaction with your Web site. In fact, by default, PHP's
session cookies are set to expire when the browser is closed. If you need to store data on a more permanent
basis, consider storing it in files (see the next chapter) or a database (see Chapters 12 through 14).
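As an added example (not the book's own code), the following page keeps its state in $_SESSION and then locates the server-side session file that the SID cookie points to, so you can see that the browser only ever holds the session ID. It assumes PHP 7.3 or later for the array form of session_set_cookie_params() and the default "files" session save handler.

```php
<?php
// Added example, not from the book: a visit counter whose state lives server-side
// in $_SESSION. The browser receives only the session ID (SID) cookie.
// Assumes PHP 7.3+ (array form of session_set_cookie_params) and the files handler.

// Harden the SID cookie before the session starts: keep it away from JavaScript
// (HttpOnly), off plaintext connections (Secure) and out of cross-site requests.
session_set_cookie_params([
    'lifetime' => 0,        // expires when the browser closes (PHP's default)
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
// Only accept session IDs that PHP itself generated, never one supplied by a client.
ini_set('session.use_strict_mode', '1');

session_start();

// Everything stored in $_SESSION is written to a file on the server named after the SID.
if (!isset($_SESSION['visits'])) {
    $_SESSION['visits']      = 0;
    $_SESSION['first_visit'] = date('c');
}
$_SESSION['visits']++;

// Resolve the session.save_path directive. It may be empty (PHP then uses the
// system temp dir) or use the "N;MODE;/path" form, where only the last part is the path.
$savePath = ini_get('session.save_path');
if ($savePath === '' || $savePath === false) {
    $savePath = sys_get_temp_dir();
} elseif (($sep = strrpos($savePath, ';')) !== false) {
    $savePath = substr($savePath, $sep + 1);
}
$sessionFile = rtrim($savePath, '/\\') . DIRECTORY_SEPARATOR . 'sess_' . session_id();

echo 'SID sent to the browser: ', session_id(), "\n";
echo 'Visits this session:     ', $_SESSION['visits'], "\n";
echo 'Server-side session file: ', $sessionFile, "\n";

// Flush $_SESSION to disk, then show what the server keeps. The browser never
// sees this serialized data, which is why it cannot tamper with it the way it can
// with a plain cookie's value.
session_write_close();
if (is_readable($sessionFile)) {
    echo 'Stored on the server: ', file_get_contents($sessionFile), "\n";
}
```

Run it twice with the same SID cookie (or from a browser) and the counter increases while the cookie itself never changes content.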
Creating a Session
Sessions in PHP are very easy to create. To start a PHP session in your script, simply call the
session_start() function. If this is a new session, this function generates a unique SID for the session and sends it