Before you get started with this chapter, you may have to make
a couple of minor changes to your php.ini file so
that sessions work correctly.
On Windows
If you are using a Windows version of PHP, the first thing you
need to do is to edit your php.ini file. The
default session setting in php.ini will not work
correctly under Windows.
Open your php.ini file, which is
found in c:\windows or c:\winnt, in a text editor and search for the line:
session.save_path = /tmp
Change it to a directory in which you keep temporary files, for
example:
session.save_path = C:/temp
You could also leave the value as /tmp and create a directory
named "tmp" at the root of the drive on which your Web server resides. For
example, if your Web server was located in D:/apache/bin, then you could create
the directory d:/tmp and you would not have to change the session.save_path
setting in php.ini.
A good indication that the session.save_path has not been set
correctly on Windows is if Apache crashes when you try to load a session-enabled
page.
On Linux
If you are using Linux, you need to make sure that your /tmp
directory can be written to by the user who runs the Web processes. Typically
this is the user nobody, and most systems, by default, allow the nobody user to
write to the /tmp directory.
The rest of the default session settings should work fine for
you in the examples in this chapter.
General Considerations
You should not store the session files in any directory which
is viewable from your Web server. If you are using Apache, then that would be
any directory under the htdocs directory. The reason you do not want to place
session files in a directory that is viewable from your Web server is because
malicious users may be able to open those files and view individual session
data, and even hijack user's sessions in this manner.
You cannot track variables across a user session unless you
start the session on each page on which you want to use or alter those
variables. Starting a session uses the session_start() function:
session_start();
session_start() takes no arguments. If you are starting a new
session, then the function initializes the session and creates the necessary
temp files to track the session. If a $PHPSESSID is found by the function,
either by a cookie or a GET variable, then the function resumes the current
session and the page has access to any variables that have been registered to
the session.
Once you have started the session, you need to register some
variables with it. The session will not track variables until they have been
registered using the session_register() function:
session_register(STRING);
The STRING argument to session_register() should be the name of
the variable that you want to register with the session so that it may be
accessed across any session-enabled pages.
Once you have started the session and registered one or more
variables, you can use those variables across any session enabled pages on your
site. , session.php, provides
a simple example of starting a session and registering a variable.