Chapter 10. Sessions

A fundamental characteristic of the Web is the stateless interaction between browsers and web servers. As discussed in Chapter 1, HTTP is a stateless protocol. Each HTTP request sent to a web server is independent of any other request. The stateless nature of HTTP allows users to browse the Web by following hypertext links and visiting pages in any order. HTTP also allows applications to distribute or even replicate content across multiple servers to balance the load generated by a high number of requests.

This stateless nature suits applications that allow users to browse or search collections of documents. However, applications that require complex user interaction can't be implemented as a series of unrelated, stateless web pages. An often-cited example is a shopping cart in which items are added to the cart while searching or browsing an on-line store. The state of the shopping cart (the selected items) needs to be stored somewhere to be displayed when the user visits the order page.

Stateful web database applications can be built using sessions, and session management is the topic of this chapter. In this chapter, we:

  • Discuss how sessions are managed in the stateless environment of the Web and introduce the three characteristics of server-side session management

  • Show you how to use the PHP session management library, and discuss design strategies for session-based applications

  • Use PHP session management to improve the phonebook entry form

  • Provide a brief list of reasons for using, or avoiding, session management over the Web

  • Provide details of the PHP session management API and configuration

There are two ways to build an application that keeps state: variables that hold the state can be stored in the browser and included with each request, or variables can be stored on the server. The focus of this chapter is storing variables on the server using PHP session management techniques. Storing variables on the client is usually a less attractive option: it requires additional network traffic, is insecure, and relies on the user's browser configuration.