Posted by Mike P2 on 04/28/07 16:39

For clarity: sessions store variables that you want to stay the same
while each person browses your site, the variables are only the same
for the same person, each person has their own session, and when the
session expires (usually after 15 minutes of that person not doing
anything on your website, but that number can be changed in php.ini),
those variables are lost. You have to remember to call session_start()
before using session variables or sending any output to the browser if
you want to make use of the session on a page (it usually sends
cookies to the browser in headers so it can remember the session id
for that person). Sorry if you already know this, I just want to make
sure first.

You usually shouldn't need to worry about the server remembering the
session state, that should probably work without you changing
anything.

If you are on a shared hosting plan, plain sessions may be a security
risk. Session files are normally stored in a common folder that might
not protect your session data from being read by other websites on the
server (on purpose, don't worry about it mixing them up). If you are
running PHP as a CGI binary and can have your own php.ini, be sure
change session.save_path (which defaults to /tmp) to somewhere that
only you have access to (if PHP is running as a CGI binary and is
running as your user, you can change the permissions on a directory
you make in your own space to be extra save).

You can also use session_set_save_handler() to manage your session
data yourself. You can make functions (or a Session class with methods
for organization) that save the session data into files yourself, or
even to save the serialized session data into a database.
http://us.php.net/manual/en/function.session-set-save-handler.php

You can use sessions to improve your hit counter by saving a variable
when you count that user, so you can count more unique hits. For
example, you could do something like this:
<?php
session_start();
if( !isset( $_SESSION['hit_counted'] ) || !$_SESSION['hit_counted'] )
{
file_put_contents( 'hits.txt', (int)@file_get_contents( 'hits.txt' )
+ 1 );
$_SESSION['hit_counted'] = true;
}
?>

Note that for something older than PHP5, you would need to use
different file functions. Also, sessions will not store the count of
hits, you need a file or a database to do that. The above code will
create a hits.txt file if there is not one already. It is important to
remember that it will not count completely unique hits, but just count
once per session. If you want to try to make it completely unique, you
would not need sessions but cookies instead, or you could store IP
addresses in a database. You might as well try Google Analytics
(google.com/analytics) if you want serious traffic analysis (it's
free, and it's just a little JavaScript snippet that connects to
Google).

As for logins: yes, sessions are a good way to remember whether or not
someone is logged in and their user data if your session files are
secure.

-Mike PII

[Back to original message]