HTTP is a stateless protocol. Which means that every request the browser makes to the server cant be identified by the server as a subsequent request of that user/IP/browser or a brand new request.
HTTP doesn’t understand who is requesting. So how do sessions manage to make HTTP look intelligent? The Answer lies in the request-response model with data.
When a normal request is made, eg my website, the minimalistic data passed by the client/browser is this
GET / HTTP/1.1 Host: ruturaj.net
The server responds by giving the output. But when a developer does a
session_start();, What actually happens is, the PHP engine sets a PHPSESSID cookie. This data is sent from the Server as
Set-Cookie header. So the response goes somewhat like this
HTTP/1.x 200 OK Date: xxxx Set-Cookie: PHPSESSID=<32charhexvalue>; expires=xxxx ...
Now considering the browser does accept the cookies, it saves the PHPSESSID cookie. Consequently the server also creates a file in the specified directory (by default on Linux as /tmp) as /tmp/sess_32charid.
Now when another request is made by the user/browser, the Cookie header is passed through the GET request back to the server, something like this…
GET /session2.php HTTP/1.1 Host: ruturaj.net Cookie: PHPSESSID=<32charid>; othercookies=othervalues;
The session2.php, for example, is setting a value of name in session, by this
$_SESSION['name'] = $name_obtained_from_somewhere;
Now as the script finishes, the script flushes all the
$_SESSION data into the /tmp/sess_32charid file associated to that session id. It saves all the data in the serialized format
Consider the browser makes another request to session3.php where
$_SESSION['name'] is echoed. Now when the request is made, just like previous case, the PHPSESSID is passed in the cookie.
Now as mandated by php.net, that every page where sessions should be needed, a
session_start(); is required. So as soon this function is invoked, PHP checks if the browser’s request had any PHPSESSID cookie sent in the header, as it was sent in our case, PHP Engine will open /tmp/sess_32charid file (with the same session id) and unserialize the contents of the file. It then assigns the values of the unserialized data structures to the
echo $_SESSION['name']; will now be able to output the name!! Sessions working…
session_destroy();, PHP sends a destructive, previous timestamp cookie for PHPSESSID and unlinks or deletes the /tmp/sess_32charid file. This ensures that no reference of that session is left.