Unit 8: Remembering Users with Cookies and Sessions

4th semester

Sessions and cookies are the global storages used to store data to be persistently available all over the site. These globals can be accessed from anywhere. In PHP, there are predefined global array variables $_SESSION and $_COOKIES to contain session and cookies data, respectively. Sessions are stored in the server and the cookies are preserved only at the client side browser level.

PHP Sessions

A session is a way to store information (in the form of variables) to be used across multiple pages.
The PHP session variable is used to store information about, or change settings for a user session. Session variables hold information about one single user, and are available to all pages in one application.

Working with Session

In this section, we are going to see the following to work with PHP sessions. These are,

  • Starting session
  • Storing session variable
  • Accessing session variable
  • Clearing session variable

Starting with PHP session
For starting a php session use the builtin function session_start(). This function is used in the between the php tags, as follow:

Save it as session1.php
Output of the above script
To run the code Open the XAMPP server an start the services like Apache and MySQL. Open the browser and type: http://localhost/yourfoldername/session.php
PHP Session Start Syntax

Storing Session Variable

The $_SESSION array is used to create a session variable

Save it as session2.php
Output of above script
To run the code, Open the XAMPP or wamp server and start the services like Apache and MySQL. Open the browser type: http://localhost/yourfoldername/session2.php
Storing a session variable in php

Retrieving A Session Variable

To retrieve session variables first start session environment.
save it retrieveSession.php

Clearing Session Variable

PHP provides functions to clear existing session data. Those are, session_destroy()session_unset() and more.
The session_destroy() function is used to clear all the current session data. After destroying the session, we have to reload the page to see that the session is cleared.
To make the session_destroy() action to show immediate effect, we can call session_unset() or unset() function to clear session data. Code shows an example to clear session variable.



A cookie is a text file saved to a user’s system by a Web site. This file contains information that the site can retrieve on the user’s next visit, thereby allowing the site to “recognize” the user and provide an enhanced set of features customized to that specific user.

Cookie Have Some Important Security Features :

  • A cookie can only be read by the Web site or domain that created it.
  • A single domain cannot set more than 20 cookies.
  • A single cookie cannot exceed 4 kilobytes in size.
  • The maximum number of cookies that may be set on a user’s system is 300.


Set Cookie In PHP

The setcookie( ) function is used to set a cookie.
Note : The setcookie( ) function must use BEFORE the <html> tag.

In the given example, create a cookie named “cookie_user” and assign the value “abhi” to it. We also specify that the cookie should expire after one hour.

Explain : In the example above cookie_name variale creates and assign value inside variable is “arbind” which work for 1 hour.

Accessing cookies

PHP cookies can be accessed by using $_COOKIE variable. Also, we can use the other superglobals like $_SERVER, $_ENV and PHP getenv() function to access cookies by specifying HTTP_COOKIE index as shown in the code below. But, $_COOKIE has the guaranteed access in all the server compare to the other global variables. Because some server configuration will not allow us access $_SERVER, $_ENV variables.


Destroying the cookies

To destroy the cookie, simply use setcookie again, only set the expiration date to be in the past. Here is an example:


Cookies Sessions
Cookies are stored in browser as text file format. Sessions are stored in server side.
It is stored limit amount of data. It is stored unlimited amount of data
It is only allowing 4kb[4096bytes]. It is holding the multiple variable in sessions.
It is not holding the multiple variable in cookies. It is holding the multiple variable in sessions.
we can accessing the cookies values in easily. So it is less secure. we cannot accessing the session values in easily.So it is more secure.
setting the cookie time to expire the cookie. using session_destory(), we we will destroyed the sessions.
The setcookie() function must appear BEFORE the <html> tag. The session_start() function must be the very first thing in your document. Before any HTML tags.