Posted by: phillipnb | June 1, 2013

PHP – Sessions and Cookies


When talking about PHP and the Web, we definitely have to talk about sessions and cookies. People often confuse sessions with cookies, though the two are as different as apples and oranges: a session lives on the server, a cookie lives in the browser, and by default the only link between them is a session ID carried in a cookie.

Sessions in PHP
Sessions in PHP are used to store per-user state across requests. The data is kept on the server side (by default as files under session.save_path) and is looked up by a session ID that the browser sends back with every request. It is not removed the moment the user leaves the website: it stays until session_destroy() is called or PHP's garbage collector deletes it after session.gc_maxlifetime seconds of inactivity. What does disappear when the browser is closed is the browser-side session cookie, so the data is merely orphaned on the server until the collector gets to it.

We start a session with session_start(), which has to be called before any output is sent because it delivers the session cookie in a response header. After that, $_SESSION is an ordinary array: $_SESSION['views'] = 'hello'; stores a value and unset($_SESSION['views']); removes that one key. session_unset() removes every key but keeps the session (and its ID) alive for further use, while session_destroy() deletes the server-side data for the current session. Note that session_destroy() on its own neither clears $_SESSION for the remainder of the current request nor removes the session cookie from the browser, so a proper logout has to do all three.
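The lifecycle described above, as an added example that is not part of the original post. It assumes PHP 7.3 or later (for the options array passed to session_set_cookie_params()) and a site served over HTTPS; the eight-hour absolute session lifetime is an arbitrary policy chosen for the example.

```php
<?php
// Added example (not from the original post): starting a session with hardened
// cookie flags, regenerating the ID on login, and the three ways of "forgetting".
// Assumes PHP >= 7.3 and HTTPS ('secure' => true).

declare(strict_types=1);

const MAX_SESSION_AGE = 8 * 3600;   // example policy: re-login after 8 hours

function startSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;                     // session_start() twice would emit a notice
    }
    // Flags for the PHPSESSID cookie. Must be set before session_start().
    session_set_cookie_params([
        'lifetime' => 0,            // session cookie: dropped when the browser closes
        'path'     => '/',
        'secure'   => true,         // only sent over HTTPS
        'httponly' => true,         // not readable from JavaScript
        'samesite' => 'Lax',        // not sent on cross-site POSTs
    ]);
    session_start();
}

function loginUser(int $userId): void
{
    startSession();
    // Issue a fresh ID on every privilege change (true = delete the old file),
    // so an ID the attacker planted beforehand (session fixation) is never
    // promoted to an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

// Returns the logged-in user's ID, or null if there is none or the login is too old.
function currentUserId(): ?int
{
    startSession();
    if (!isset($_SESSION['user_id'], $_SESSION['login_at'])) {
        return null;
    }
    if (time() - (int) $_SESSION['login_at'] > MAX_SESSION_AGE) {
        destroySession();           // expired: treat as logged out
        return null;
    }
    return (int) $_SESSION['user_id'];
}

// One key: the rest of the session is untouched.
function forgetLoginTime(): void
{
    startSession();
    unset($_SESSION['login_at']);
}

// All keys, but the session ID (and its cookie) stay valid for further use.
function clearSession(): void
{
    startSession();
    session_unset();
}

// Everything: in-request data, the server-side file, and the browser cookie.
function destroySession(): void
{
    startSession();
    $_SESSION = [];
    session_destroy();
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600, // in the past: browser discards it
        'path'     => $p['path'],    // must match the parameters it was set with
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
}
```

A login handler calls loginUser() after checking the credentials, every protected page calls currentUserId(), and the logout link calls destroySession(); none of these may be preceded by output, since each of them may send a Set-Cookie header.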

Cookies in PHP
Using cookies is another way by which the server recognises a user. A cookie is not a file the server downloads to the user's computer: it is a small name/value pair (plus attributes such as expiry, path and domain) that the server sends in a Set-Cookie response header. The browser stores it and sends it back in a Cookie request header on every later request to the matching domain and path. As the PHP manual puts it, cookies are a mechanism for storing data in the remote browser and thus tracking or identifying return users.

You set a cookie with setcookie(), which, like session_start(), must be called before any output:

setcookie("name", "value", $expires, $path, $domain, $secure, $httponly);

$expires is a Unix timestamp (0 means "until the browser closes"), $secure restricts the cookie to HTTPS and $httponly keeps it out of reach of JavaScript. Since PHP 7.3 everything after the value can be passed as an options array instead, which is also the only way to set the samesite attribute.

On later requests the browser sends the cookie back and you read it from $_COOKIE, e.g. echo htmlspecialchars($_COOKIE["user"]); The value comes from the client and may have been edited at will, so escape it before echoing it and never treat it as proof of who the user is.

Removing a cookie takes two distinct steps, because $_COOKIE is only a copy of what the browser sent with this request:

unset($_COOKIE["user"]); // the rest of this request no longer sees it

setcookie("user", "", time() - 3600, $path, $domain); // tells the browser to discard it

To clear a cookie from the browser we need to tell the browser that the cookie has expired and the browser will then remove it. This can be achieved by setting the cookie to expire in the past.

According to the PHP manual, "Cookies must be deleted with the same parameters as they were set with. If the value argument is an empty string, or FALSE, and all other arguments match a previous call to setcookie, then that cookie with the specified name will be deleted from the remote client. Because setting a cookie with a value of FALSE will try to delete the cookie, it is better to avoid using boolean values. Instead, use 0 for FALSE and 1 for TRUE. When deleting a cookie we should assure that the expiration date is in the past, to trigger the removal mechanism in the browser".
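Setting and deleting a cookie with matching parameters, as an added example that is not from the original post. It assumes PHP 7.3 or later (options array, samesite) and HTTPS; the cookie name "user", the helper names and the one-year lifetime are choices made for the example. It also goes one step beyond the post's $_COOKIE["user"] by storing an opaque random token rather than anything meaningful, since the browser can send back any value it likes.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7.3 and HTTPS.

declare(strict_types=1);

// The attributes used both when setting and when deleting the cookie. They
// must be identical in both calls, or the browser treats them as two cookies.
const USER_COOKIE_OPTS = [
    'path'     => '/',
    'domain'   => '',            // current host only
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
];

// Create a fresh opaque token. The mapping token -> user is kept server-side
// (storage is outside this example), so the cookie value proves nothing by itself.
function newRememberToken(): string
{
    return bin2hex(random_bytes(32));   // 64 hex chars, 256 bits of entropy
}

// Set: one year from now, with the hardening flags above.
function rememberUser(string $token): bool
{
    return setcookie('user', $token, USER_COOKIE_OPTS + ['expires' => time() + 365 * 86400]);
}

// Read: returns the token or null; a value that is not 64 hex chars is dropped,
// since it cannot be one we issued.
function rememberedToken(): ?string
{
    $v = $_COOKIE['user'] ?? '';
    return preg_match('/\A[0-9a-f]{64}\z/', $v) === 1 ? $v : null;
}

// Delete: same name, path, domain and flags, value empty, expiry in the past.
// Also remove it from $_COOKIE so the rest of this request does not see it.
function forgetUser(): bool
{
    unset($_COOKIE['user']);
    return setcookie('user', '', USER_COOKIE_OPTS + ['expires' => time() - 3600]);
}
```

setcookie() returns false when the headers have already been sent, which is the usual reason a cookie "mysteriously" fails to appear; checking that return value catches it.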

The cookie named PHPSESSID (the default value of session.name) is set by PHP the first time session_start() is called and, with the default session.cookie_lifetime of 0, lasts until the browser is closed. One way to remove it by hand in Firefox is Edit->Preferences->Privacy->Cookies->View Cookies, select the PHPSESSID cookie and click Remove Cookie. The server-side way, which also gets rid of the session data, is:
session_start();
$_SESSION = [];                                     // clear the data for this request
session_destroy();                                  // delete the server-side session data
setcookie(session_name(), "", time() - 3600, "/");  // expire the cookie (same path as it was set with)

Whether the session ID travels in a cookie or in the URL depends on php.ini. With session.use_cookies=1 and a browser that accepts cookies, PHP keeps the ID in the PHPSESSID cookie. With session.use_trans_sid=1 and a browser that refuses cookies, PHP falls back to rewriting the links and forms in the page so that they carry the ID (?PHPSESSID=...), which is how it ends up in the URL. From a security point of view the cookie is the only acceptable transport: an ID in the URL is copied into browser history, proxy and server logs and the Referer header of every outbound link, and it lets an attacker send a victim a link containing an ID of the attacker's choosing (session fixation). Set session.use_only_cookies=1 and session.use_trans_sid=0 so that IDs in the URL are neither accepted nor generated, and session.use_strict_mode=1 so that PHP rejects any ID it did not issue itself.
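The weak and the hardened settings side by side, as an added example that is not part of the original post. It applies them at runtime with ini_set() so that the block is self-contained; the same keys and values go into php.ini. It assumes HTTPS (session.cookie_secure) and that these directives are changeable at runtime, which is the case on current PHP (the session.cookie_samesite key needs PHP 7.3 or later); the function names are invented for the example.

```php
<?php
// Added example, not from the original post: weak versus hardened session
// transport settings, applied with ini_set() before session_start(), and a
// startup check that reports any directive that is not at its hardened value.

declare(strict_types=1);

// Weak: cookies on, but the URL fallback is still allowed.
const WEAK_SESSION_INI = [
    'session.use_cookies'      => '1',
    'session.use_only_cookies' => '0',   // accepts ?PHPSESSID=... from the URL
    'session.use_trans_sid'    => '1',   // rewrites links to carry the ID
    'session.use_strict_mode'  => '0',   // adopts whatever ID the client presents
];

// Hardened: cookie-only transport, server-issued IDs only, hardened cookie flags.
const HARDENED_SESSION_INI = [
    'session.use_cookies'      => '1',
    'session.use_only_cookies' => '1',
    'session.use_trans_sid'    => '0',
    'session.use_strict_mode'  => '1',
    'session.cookie_httponly'  => '1',
    'session.cookie_secure'    => '1',   // assumes the site is served over HTTPS
    'session.cookie_samesite'  => 'Lax', // PHP >= 7.3
];

// Apply a set of directives; must run before session_start().
function applySessionIni(array $settings): void
{
    foreach ($settings as $key => $value) {
        if (ini_set($key, $value) === false) {
            throw new RuntimeException("cannot set $key at runtime (session already started, or key unknown?)");
        }
    }
}

// ini_get() may return "1", "0", "", "On" or "Off" for boolean directives
// depending on how they were written; fold those to "1"/"0" for comparison.
function normaliseIniValue(string $v): string
{
    $l = strtolower($v);
    if (in_array($l, ['1', 'on', 'true', 'yes'], true)) {
        return '1';
    }
    if (in_array($l, ['0', 'off', 'false', 'no', ''], true)) {
        return '0';
    }
    return $l;
}

// Returns [directive => current value] for every directive that is not at its
// hardened value; an empty array means the configuration is as intended.
function sessionIniProblems(): array
{
    $problems = [];
    foreach (HARDENED_SESSION_INI as $key => $want) {
        $have = (string) ini_get($key);
        if (normaliseIniValue($have) !== normaliseIniValue($want)) {
            $problems[$key] = $have;
        }
    }
    return $problems;
}

// Typical startup sequence:
//   applySessionIni(HARDENED_SESSION_INI);
//   if ($bad = sessionIniProblems()) {
//       error_log('insecure session config: ' . json_encode($bad));
//   }
//   session_start();
```

Running sessionIniProblems() after the weak set has been applied lists use_only_cookies, use_trans_sid and use_strict_mode (and any cookie flag the php.ini leaves off), which is a cheap assertion to keep in a deployment smoke test.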

That is all about cookies and sessions in PHP. Go ahead and use them!
