What does the PHP function session_start

XCV. Session functions

The support of sessions in PHP offers the possibility to record certain data during a sequence of visits to your website. This allows you to create more personal applications and make your website more appealing.

When you visit your website, a visitor is assigned a unique ID, the so-called session ID. This is either stored in a cookie by the user or transmitted in the URL.

The support of sessions allows you to register any number of variables and get them across requests. When a visitor visits your website, PHP checks automatically (if session.auto_start is set to 1) or on request (explicitly through session_start () or implicitly by session_register ()), whether a certain session ID has already been sent with the request. If so, the previously saved environment will be restored.


If you activate session.auto_start, you cannot add any objects to your session because the definition of the class must be loaded before the session starts in order for the objects to be restored in your session.

All registered variables are serialized after the request is finished. Registered variables that are not defined are marked as not defined. They are not defined by the session module for subsequent accesses either, unless the user defines them later.

Annotation: The handling of sessions was introduced in PHP 4.0.

Annotation: When working with sessions, please note that the data record of a session is not created before a variable with the function session_register () register or add a new key to the superglobal array. This also applies if a session with the function session_start () started.

External links: Session fixation

The session module does not guarantee that information you save in a session can only be seen by the user who created the session. You must take additional measures to protect the integrity of the session appropriately and actively according to its importance.

Assess the importance of the data that is transported in your sessions and take additional protective measures - you usually pay for it with a lower user-friendliness. For example, if you want to protect users from simple social engineering tactics (translator's note: techniques for exploiting human weaknesses), you have to activate it. Cookies must then be activated by the user in any case, otherwise sessions will not work.

There are several ways in which a session ID can be passed on to third parties. A hijacked session ID enables them to access all data associated with this session ID. First, these are URLs that contain session IDs. If you refer to an external site, the URL including the session ID could be saved in the referrer logs of the external site. Second, a more active attacker can eavesdrop on your network traffic. If your network traffic is not encrypted, session IDs are transmitted over the network in clear text. Here the solution is to implement SSL on your server and make it mandatory for your users to use it.

This extension does not require any external libraries to be created.

Annotation: Optionally, you can use the shared memory allocation (mm) developed by Ralf S. Engelschall for storing sessions. To do this, you need to download and install mm. This option is not available for Windows platforms. Note that the session storage module for mm does not guarantee that simultaneous access to the same session is properly blocked. Using a file system based on shared memory (such as tmpfs on Solaris / Linux or / dev / md on BSD) might be more suitable for storing sessions in files because they are locked accordingly.

Session support is enabled by default in PHP. If you want to build your PHP without the support of sessions, you have to specify the option during configuration. To use shared memory allocation (mm) for storing sessions, you must configure PHP with the option.

The windows version of has built in support for this extension. You do not need to load any additional extension in order to use these functions.

Annotation: By default, all data belonging to a specific session are saved in a file that is located in the directory specified by the INI option session.save_path. A data file is generated for each session (regardless of whether it contains any data at all). This is because a session is opened (a file is created) with no data ever written to that file. Note that this behavior is a side effect of the limitations of working with the file system and that with a custom session storage feature (such as one that uses a database) it is possible not to keep track of sessions when they does not contain any data.

The behavior of these functions is determined by the settings in the.

Table 1. Session configuration options

descriptionBasic settingChangeable
session.save_path"/ tmp"PHP_INI_ALL
session.use_trans_sid"0"PHP_INI_SYSTEM | PHP_INI_PERDIR
url_rewriter.tags"a = href, area = href, frame = src, input = src, form = fakeentry"PHP_INI_ALL
For more details and the definition of the PHP_INI _ * constants, see ini_set ().

The session management system supports a number of configuration options that you can set in yours. We will give you a brief overview of this.


defines the name of the procedure used to save and retrieve the data associated with the session. Basic setting. See also session_set_save_handler ().


defines the argument passed to the storage procedure. If you choose the standard files procedure, this is the path under which the files will be created. Basic setting. See also session_save_path ().

There is an optional argument N for this directive, which determines the number of directory levels over which your session files will be distributed. If it is set to, for example, this can cause the creation of a session file and storage location such as. In order to be able to use N, you have to create all of these directories beforehand. There is a small shell script called in for this purpose. Note that automatic garbage collection will not be performed if N is used and is greater than 0 (see a copy of the for more information). When using N, make sure that you put between quotation marks because the separator () is also used for comments.


If you have selected a directory for which everyone has read access, as is the case with / tmp (default setting), other server users could hijack your sessions with the help of the file list in this directory.

Annotation: Windows users need to change this variable in order to use PHP's session functions. Make sure you have given a valid path, e.g.


specifies the name of the session to be used as the cookie name. Basic setting. See also session_name ().


specifies whether the session module automatically starts a session at the beginning of a request. Basic setting (deactivated).


defines the name of the procedure used to serialize / deserialize data. An internal PHP format (name) and WDDX (name) are currently supported. WDDX is only available if PHP was compiled with WDDX support. Basic setting.


specifies the percentage probability that the gc (garbage collection) routine will be started with each request. Basic setting.


specifies the number of seconds after which data is considered 'garbage' and disposed of.

Annotation: If you use the standard file-based session procedure, your file system must keep track of the access times (atime). Windows FAT doesn't do this. You will therefore need to come up with another way of doing the 'garbage disposal' of your session if you are bound to a FAT file system or any other file system that does not provide atime control.


contains the character string for which you want to check every HTTP referrer. If the referer was sent by the client and the character string was not found, the embedded session ID is marked as invalid. The basic setting is an empty string.


Specifies the path to an external source (file) that is used as an additional source of entropy when generating a session ID. Examples are or that are available on many Unix systems.


specifies the number of bytes to be read from the file specified above. Basic setting (deactivated).


specifies whether the module uses cookies to save the session ID on the client side. Basic setting (activated).


specifies whether the module just Cookies are used to save the session ID on the client side. Basic setting (deactivated, for backwards compatibility). Activating this setting prevents possible attacks through the transmission of session IDs in URLs. This setting was added in 4.3.0.


specifies the cookie lifespan that is sent to the browser in seconds. The value 0 means "until the browser is closed." Basic setting. See also session_get_cookie_params () and session_set_cookie_params ().


specifies the path in which the session cookie is set. Basic setting. See also session_get_cookie_params () and session_set_cookie_params ().


specifies the domain under which the session cookie is set. In the basic setting none at all. See also session_get_cookie_params () and session_set_cookie_params ().


specifies whether cookies should only be sent over secure connections. Basic setting. This setting was added in 4.0.4. See also session_get_cookie_params () and session_set_cookie_params ().


specifies the cache management method used for session pages (none / nocache / private / private_no_expire / public). Basic setting. See also session_cache_limiter ().


specifies in minutes how long session pages remain in the cache. This information has no effect with nocache. Basic setting. See also session_cache_expire ().


determines whether transparent SID support is activated or not. Basic setting (deactivated).

Annotation: In PHP 4.1.2 or below, compiling with activated. As of PHP 4.2.0, the trans-sid feature is always compiled in.

URL-based session management has additional security risks compared to cookie-based session management. For example, users can email a URL that contains an active session ID to friends or save it in their bookmarks and always access your site with the same session ID.


PHP versions up to 4.2.0 have an undocumented function / bug that allows you to initialize a session variable in the global area even though register_globals is disabled. From version 4.3.0 PHP issues a warning when using this function if session.bug_compat_warn is also activated.


PHP versions up to 4.2.0 have an undocumented function / bug that allows you to initialize a session variable in the global area even though register_globals is disabled. From version 4.3.0 PHP issues a warning when using this function if both session.bug_compat_42 and session.bug_compat_warn are activated.


Determines, if support for transparent SID is enabled, which HTML tags are rewritten to include the session ID. Basic setting

Annotation: If you want to be XHTML-compliant, you have to remove the entry and put your form fields between lt; fieldset> tags.

The configuration settings of and affect how the session variables are saved and restored.

Annotation: Since PHP 4.0.3 is always activated.

This extension does not define any resource types.

The following constants are defined by this extension and are only available if the extension was either statically compiled in PHP or dynamically loaded at runtime.


Constant that either contains the name and the ID of the session in the form or an empty string if the session ID was set in a corresponding cookie.

Annotation: As of PHP 4.1.0, like, and so on, is available as a global variable. In contrast to is always global. So you don't need the keyword for global to use. Please note that it is used everywhere in this documentation. You can replace with if you prefer the latter. Also note that you are using your session with session_start () must start before it can be used.

The same restrictions apply to the keys of the associative array as to the names of regular variables in PHP, i.e. they must not begin with a number, but must begin with a letter or an underscore. For more details, see the Variables section.

If register_globals is deactivated, only parts of the global associative array can be registered as session variables. Restored session variables are only available in the array.

To improve the security and readability of the code, the use of (or with PHP 4.0.6 or lower) is recommended. With become the functions session_register (), session_unregister () and session_is_registered () not required. The session variables can be accessed like any normal variable.

Example 1. Registering a variable with.

Example 2. Unregistering a variable with and deactivated register_globals.


DO NOT unregister all of them as this would disable the superglobals from registering variables.

Example 3. Unregistering a variable with register_globals enabled after registering it using.

If register_globals is activated, every global variable can be registered as a session variable. When a session is restarted, these variables are restored as corresponding global variables. Since PHP needs to know which global variables are registered as session variables, the user needs to use variables with the session_register () to register. You can avoid that by just putting entries in.

Example 4. Registration of a variable with activated register_globals

If register_globals is activated, the global variables and the entries of automatically reference the same values ‚Äč‚Äčthat were registered in the previous instance of the session.

There is a bug in PHP 4.2.3 and earlier versions. When you create a new session variable using session_register () register, reference the entry in the global area and the entry to the next session_start () not the same value. This means that a change to the newly registered global variable is not reflected in the entry. This was corrected in PHP 4.3.

There are two methods of transmitting a session ID:

  • Cookies

  • URL parameters

The session module supports both methods. Cookies are ideal, but since they are not always available, we also offer an alternative. The second method attaches the session ID directly to the URLs.

PHP is able to convert links transparently. If you are not using PHP 4.2 or higher, you have to activate this manually when compiling PHP. On UNIX you have to configure with Call --enable-trans-sid. If this option and the runtime option are activated, relative URIs are automatically changed to contain the session ID.

Annotation: The statement arg_separator.output allows you to adjust the separation of arguments. Look there for full XHTML compliance & amp; at.

Alternatively, you can use the constant that is always defined. If the client has not sent a suitable session cookie, it has the form. Otherwise it will be expanded to an empty string. Because of this, you can unconditionally embed them in URLs.

The following example demonstrates how to register a variable and how to correctly reference another page using a SID.

Example 5. Counting the number of impressions made by a single user

The function strip_tags () is used to prevent XSS-like attacks when the SID is issued.

The output of the SID shown above is not necessary if PHP is using --enable-trans-sid has been compiled.

Annotation: In the case of non-relative URLs it is assumed that they point to external pages and therefore no SID is appended because it would be a security risk to transmit the SID to another server.

If you want to implement storage in a database or any other type of storage, you can session_set_save_handler () use to create a range of custom memory functions.