picture of Mattias Nilsson
One of the new great features with PHP4 is the session management feature. It allows you to store variables in a session 'object' during a user visit. I used this feature recently while re-making my swedish community website (http://coolt.nu/) and thought I'd share some of the experience I gained from that.

What is a Session?

First off I'd like to explain what a session is, in case you don't know what it is. A session begins when a user surfs into your website and ends when the user leaves your website (or one of your webpages terminates it explicitly). Essentially, a cookie is associated with a browser, and some kind of storage resource is allocated on the server to hold session variables. PHP4 uses files to store session variables, but one could theoretically use a database or shared memory to do the same.
All pages that uses PHP4 sessions must call the function session_start() to tell the PHP4 engine to load session related information into memory. The session_start() function tries to find the session id in the cookie field or the request parameters for the current HTTP request. If it cannot find the session id, a new session is created.

What is a Session Variable?

A session variable is a regular global variable that, when registered as a session variable, keeps its value on all pages that use PHP4 sessions. To register a session variable, assign a value to a variable that is to become a session variable and call session_register("variable_name"). On all subsequent pages that uses sessions (by calling session_start()), the variable variable_name will have the value assigned to it before it was registered as a session variable. Changes to the variable value will be automatically registered in the session and saved for further reference.

So, What Does This Do For Me?

Legitimate question. There are too many ways to use session management and session variables to include them all here, but I'll give you an example. Say you're building a community site, like I've been doing, you might want to keep the name of the currently authenticated user and perhaps how many new messages he's got. In order to keep the load off the database you're using, you want to cache the number of messages. You could do this two ways;
  1. You could use three cookies:
    • authenticated_user - The currently authenticated username (or id)
    • num_messages - The number of messages he's got
    • expire_time - When to recache the number of messages
  2. Use sessions and register three session variables.
The first method limits security, someone can fake the cookies and virtually get access to another user's account. It's messy because of all the Header() calls you need to do, it's overall ugly, and you might get inconsistent data in case the user refuses to accept one of the cookies.
With sessions, the user only has to accept one cookie, you keep much better consistency in your data and you get a bit more security.

Drawbacks

Session gives you freedom, flexibility and functionality that is assiciated with any good serverside scripting language. Though, PHP4 session has a few limitations; first off all, you cannot store objects in the sessions, which would have been absolutely fantastic, just imagine storing a complete user object in the session.. Second, storing data in session variables is not very efficient because PHP4 is using files to store session information, but overall I'm very satisfied with how PHP4 session management works.
Try it out - you'll like it.