32

I'm wondering about how the $_SESSION array works. If I have a lot of users using my site do I need to set a subarray for each user? For instance right now I have

```php
$_SESSION['userid'] = $userid;
$_SESSION['sessionid'] = $sessionid;
$_SESSION['ipaddress'] = $ipaddress;
```

but in order to cope with more users do I need to make a multidimensional array?

```php
$_SESSION[$userid]['sessionid'] = $sessionid;
$_SESSION[$userid]['ipaddress'] = $ipaddress;
```

Is the $_SESSION global handled per client or just overall? Will having $_SESSION['userid'] set on login kick the previous user out and instate the latest logged in user?

Abraham Brookes
  • As far as I know, session is client side, which means stored in the browser, not server side. In this case, it should not be a problem to have many users at the same time, because a session will be created for each individual user. – s3polz Aug 13 '12 at 09:26
  • 11
    @s3polz you are wrong. `$_SESSION` is stored server side. – loler Aug 13 '12 at 09:26
  • 3
    @s3polz you are confused by the session identifier, which is stored in a browser cookie to identify the current session and could also be carried by the URL. – Aurimas Ličkus Aug 13 '12 at 09:38
  • 1
    Oops, sorry for my wrong info. But the session is still created separately for each user, right? – s3polz Aug 13 '12 at 09:49

2 Answers

56

No. There is a separate $_SESSION created for each user. This is all done by the server; you don't have to worry about it. When writing your code, treat the $_SESSION as if there was only one user on the site.

Edit: Actually, on thinking about it, it is a very good question to ask. It is good to ask these sorts of questions, it means you are seriously thinking about how your code truly works. Keep asking these things, and keep testing. I have a feeling that one day you will be writing some amazing code.

So on that note, here is some info from the Apache site:

What is a session?

At the core of the session interface is a table of key and value pairs that are made accessible across browser requests. These pairs can be set to any valid string, as needed by the application making use of the session.

Keeping sessions on the server

Apache can be configured to keep track of per user sessions stored on a particular server or group of servers. This functionality is similar to the sessions available in typical application servers.

If configured, sessions are tracked through the use of a session ID that is stored inside a cookie, or extracted from the parameters embedded within the URL query string, as found in a typical GET request.

And from the PHP docs on Sessions:

Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site.

A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL.

The session support allows you to store data between requests in the $_SESSION superglobal array. When a visitor accesses your site, PHP will check automatically (if session.auto_start is set to 1) or on your request (explicitly through session_start() or implicitly through session_register()) whether a specific session id has been sent with the request. If this is the case, the prior saved environment is recreated.

Fluffeh
  • And for those who want to know where `$_SESSION` data is stored: http://stackoverflow.com/questions/454635/where-are-session-variables-stored – loler Aug 13 '12 at 09:29
  • 3
    @Black_Stormy It is actually fantastic and refreshing to see people wanting to understand their code and know how it is working on the inside rather than just hoping for the best. – Fluffeh Aug 13 '12 at 09:48
  • Well thanks for the pre-emptive compliment! EDIT: So the session_id() functions are kind of like the session subarray name for each user, `$_SESSION[session_id][userid]` but you never see it and don't have to deal with it. Thanks! – Abraham Brookes Aug 13 '12 at 09:49
  • 1
    @Black_Stormy If you think about it, it is more like there is an array like this: `[userID]->_SESSION[]` for each user. – Fluffeh Aug 13 '12 at 09:51
  • Is there any way to maintain all the session details in a single page (e.g. a file that is synchronized with the session details, so that if a session is destroyed or a new session is created it is replicated there)? I need that to list the users who are currently logged in to the web site. – Thirumalai murugan Mar 04 '13 at 06:14
  • @Thirumalaimurugan I always found the easiest way to list the current users was to have a table that updates their last activity each time a page loads - and simply query that table for activity in the last five or ten minutes as the "current users". This approach is FAR simpler than trying to do anything with a common file - or even worse shared memory. – Fluffeh Mar 04 '13 at 08:14
  • @Fluffeh you are correct, but how could I trace a person who closes the browser without logging out (the value will still be in the table)? Even if we run a cron job for this problem, how could we find out that the user closed the browser? – Thirumalai murugan Mar 04 '13 at 08:34
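
What the accepted answer describes, as an added example that is not part of the original answer: a PHP CLI script in which two constructed session IDs stand in for the cookie values of two different browsers, each getting back only its own `$_SESSION` data. The `as_client` helper, the IDs and the user ids are hypothetical names chosen for the illustration.

```php
<?php
// CLI demo: run with `php session_demo.php`. No browser, so no cookies are used.
ini_set('session.use_cookies', '0');
ini_set('session.use_strict_mode', '0');  // accept the constructed IDs below
ini_set('session.cache_limiter', '');
session_save_path(sys_get_temp_dir());

// Handle one "request" from the client that presents session ID $sid.
function as_client(string $sid, callable $request) {
    session_id($sid);       // normally taken from the client's session cookie
    session_start();        // fills $_SESSION with this ID's stored data only
    $result = $request();
    session_write_close();  // save to server-side storage, end the "request"
    return $result;
}

// Constructed IDs standing in for three different browsers.
$alice   = 'demoaaaaaaaaaaaaaaaaaaaaaaaa';
$bob     = 'demobbbbbbbbbbbbbbbbbbbbbbbb';
$visitor = 'democccccccccccccccccccccccc';

// Both clients "log in" using the same flat key, exactly as in the question.
as_client($alice, function () { $_SESSION['userid'] = 101; });
as_client($bob,   function () { $_SESSION['userid'] = 202; });

// Later requests: the second login did not overwrite the first one.
$seen = [
    'alice'   => as_client($alice,   fn() => $_SESSION['userid']),
    'bob'     => as_client($bob,     fn() => $_SESSION['userid']),
    'visitor' => as_client($visitor, fn() => $_SESSION),  // never logged in
];

// Remove the demo sessions from server-side storage.
foreach ([$alice, $bob, $visitor] as $sid) {
    as_client($sid, 'session_destroy');
}

var_export($seen);
```
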
-2

Well, after searching a lot and working on sessions I found my own way. I hope it works great for everyone here.

This is the query for the login page for my users. Here I am storing the email in the session from the input field after matching data from MySQL:

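```php
<?php
session_start(); // needed before $_SESSION can be written
include_once("dbcon.php");
// $email, $password and $agentid are set earlier in the login script (not shown).
// The values are interpolated directly into the SQL text (see the comments below this answer).
$que = mysqli_query($con, "select * from agents where companyemail='$email' AND pass='$password' AND post != 'Owner'");
$record = mysqli_fetch_assoc($que);
if ($record) { // only mark the session when a row matched
    $_SESSION[$email] = $email;
    header("Location:/dashboard/woresk/Dashboard_For_Agents/light/index.php?loginid=$agentid");
    exit;
}
?>
```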

And then in the dashboard for users there is a logout option where I used this method:

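```php
<?php
session_start();
include_once("dbcon.php");
// The agent id arrives in the URL and is interpolated into the SQL text.
$sid = $_GET['loginid'];
$que = mysqli_query($con, "select * from agents where id='$sid'");
$recorde = mysqli_fetch_assoc($que);
$email = $recorde['companyemail'];
unset($_SESSION[$email]); // drop this agent's marker from the current session
header('location:/dashboard/woresk/index.php');
exit;
?>
```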

And to prevent users from entering the dashboard if they are not logged in or their session is not set, the following code works great for me:

```php
<?php
session_start();
include_once("dbcon.php");
// The agent id arrives in the URL and is interpolated into the SQL text.
$sid = $_GET['loginid'];
$que = mysqli_query($con, "select * from agents where id='$sid'");
$recorde = mysqli_fetch_assoc($que);
$email = $recorde['companyemail'];
// Both markers must be present in this client's session; otherwise send
// the browser back to the login page.
if (!isset($_SESSION[$email]) || !isset($_SESSION['alllogout'])) {
    echo
    "<script>
      window.location.href='/dashboard/woresk/index.php'
    </script>";
}
?>
```

I hope this works for others too. If you have any questions please let me know.

Tariq Ali
  • Hey man, you're using some very old sql stuff - you should not use `mysqli_fetch_assoc` - rather you should use the PDO class and prepared statements. read this: https://phpdelusions.net/pdo read it all. level up! – Abraham Brookes Sep 24 '19 at 05:15
  • This contains some SQL injection vulnerabilities, and should be avoided at all costs. – halfer Mar 01 '20 at 14:50
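
The hardened counterpart to the login, guard and logout snippets above, following the comments' pointer to PDO and prepared statements. This is an added example, not the answer author's code: the table and column names come from the answer, while the in-memory SQLite database, its one row, the `agent_id` session key, the function names and the assumption that `pass` holds a `password_hash()` value are all constructed for the illustration.

```php
<?php
// CLI-friendly session setup (a web request would just call session_start()).
ini_set('session.use_cookies', '0');
ini_set('session.cache_limiter', '');
session_save_path(sys_get_temp_dir());
session_start();

$db = new PDO('sqlite::memory:');  // constructed stand-in for dbcon.php
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE agents (id INTEGER PRIMARY KEY, companyemail TEXT, pass TEXT, post TEXT)");
// Assumption: `pass` stores a password_hash() value, never the plaintext password.
$db->prepare("INSERT INTO agents (companyemail, pass, post) VALUES (?, ?, ?)")
   ->execute(['agent@example.test', password_hash('s3cret-demo', PASSWORD_DEFAULT), 'Agent']);

function login(PDO $db, string $email, string $password): bool {
    // Placeholders keep $email as data; it cannot change the shape of the query.
    $stmt = $db->prepare("SELECT id, pass FROM agents WHERE companyemail = ? AND post != 'Owner'");
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['pass'])) {
        return false;
    }
    session_regenerate_id(true);               // fresh session ID after authentication
    $_SESSION['agent_id'] = (int) $row['id'];  // one fixed key: the session is already per client
    return true;
}

function current_agent_id(): ?int {
    // The guard reads only the session; no id from the URL is needed.
    return $_SESSION['agent_id'] ?? null;
}

function logout(): void {
    $_SESSION = [];
    session_destroy();
}

$results = [
    'quote-laden string as email' => login($db, "' OR '1'='1", 'x'),
    'wrong password'              => login($db, 'agent@example.test', 'nope'),
    'guard before login'          => current_agent_id(),
    'correct credentials'         => login($db, 'agent@example.test', 's3cret-demo'),
    'guard after login'           => current_agent_id(),
];
logout();
var_export($results);
```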