
So, I started to develop a website on my local server...

I wrote a Register/Login system with a MySQL database, in PHP. I know that I have to use sessions for it, but I don't really understand them.

  1. If I just start a session without an ID, will it generate a random ID?
  2. As I think, I should generate the ID and start the session after the SQL checking (pw and username) but before it throws the user to the next page. Am I right?
  3. Once I generate it as I mentioned in those questions, should I store it in a SQL table or something?
  4. Will they die automatically or do I have to kill them somehow? (except the manual logout page by the user click) I've read somewhere that they will die over time, but as I think I have to set it up somehow.
  5. Where are they??? (I know, this is a highly retarded question) Are they on the client or the server?

Yeah... I know, I should do something else... Well, I just need a source where they are documented for this kind of usage, or a description like this: Generate -> store -> check every time when the page changes -> they will kill themselves automatically.

Castro Roy
Greg
  • 1. yes, 2. let PHP do it for you, 3. do you need to? 4. yes, they have time limits, 5. on your server. https://devzone.zend.com/16/php-101-part-10-a-session-in-the-cookie-jar/ –  Jun 30 '16 at 21:50
  • As you're new to SO, know that this is going to be closed as it's too broad; check the help center for how to ask. –  Jun 30 '16 at 22:01
  • Part 1) Session id's are randomly generated, you don't need to worry about their IDs. You reference Session data as an array of values that can be passed from page to page. – Martin Jun 30 '16 at 22:02
  • See [The Definitive Guide to Form-Based Website Authentication](http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication). It's quite comprehensive. – showdev Jun 30 '16 at 22:03
  • Part 2) That choice is yours, in time, experience will guide you. – Martin Jun 30 '16 at 22:03
  • Part 3) No, the session data is stored in a file on the filesystem, referenced by the session id. Again, you do not need to worry about this. Let PHP worry. – Martin Jun 30 '16 at 22:03
  • Part 4) You can manually kill sessions with `unset` and you should be aware that sessions will die when a time value has elapsed (30 mins or so) or when the browser the session is associated with is closed. – Martin Jun 30 '16 at 22:04
  • Part 5) Sessions are stored in the file system, usually under the `/tmp` directory. It is wise to give them a custom directory home but it's another aspect that you can leave well alone until you're more experienced with them. – Martin Jun 30 '16 at 22:05
  • @showdev that's such a beautiful SO post. Good link `:-)` – Martin Jun 30 '16 at 22:07
  • Thank you so much everyone, I've been smarter by 5 minutes of reading the comments than 2 hours searching. I know this is not the typical form of a question here, but this question was my first and hopefully the last as well. – Greg Jun 30 '16 at 22:26

1 Answer

Basically, you start the session on every page. The session is initialised on the first page the user visits. A session ID is generated whenever the session is initialised, so having a session ID as a login identifier is no good. The session itself, like all PHP code, is processed server-side.

So every page should have `session_start()` at the very top.

The thing you want to do is store session variables, for example `$_SESSION['username']`, and check whether the user is logged in or not with something in the trend of `if (!empty($_SESSION['username']))`.

Sessions die whenever you call `session_abort()` or the browser is closed. You can also call `session_set_cookie_params(3600, "/");` or something similar for a session duration (before `session_start();`), where the 3600 is the number of seconds the session is active.

So one simple solution could be:

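session.php

```php
<?php
// Start (or resume) the session before any output is sent.
session_start();
// $loginform is assumed to hold the login form HTML, defined elsewhere.
if (!empty($_SESSION['username'])) {
  echo "Hello";
} else {
  echo $loginform;
}
```

randompage.php

```php
<?php
include "session.php";
```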
Friso van Dijk
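The lifecycle the question asks about (PHP generates the ID, the server stores the data, every page checks it, and it expires), as an added example that is not part of the original answer or comments. The function names, `IDLE_LIMIT`, and the in-memory `find_user()` record are assumptions for illustration; a real site would query its MySQL table with a prepared statement instead. It requires PHP 7.4 or later.

```php
<?php
// Added example (PHP 7.4+). Function names and IDLE_LIMIT are illustrative.
const IDLE_LIMIT = 1800; // assumed idle timeout in seconds

function start_secure_session(): void {
    session_set_cookie_params([
        'lifetime' => 0,      // cookie is dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // HTTPS only; set to false on a plain-HTTP dev server
        'httponly' => true,   // session cookie is not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();          // PHP generates the random session ID itself
    // Enforce the idle timeout on the server; do not rely on the cookie alone.
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        $_SESSION = [];
        session_regenerate_id(true); // discard the stale session, issue a fresh ID
    }
    $_SESSION['last_seen'] = time();
}

// Constructed stand-in for the MySQL lookup; replace with a prepared statement.
function find_user(string $username): ?array {
    static $users = null;
    $users ??= ['alice' => ['id' => 1, 'hash' => password_hash('sample-password', PASSWORD_DEFAULT)]];
    return $users[$username] ?? null;
}

function log_in(string $username, string $password): bool {
    $user = find_user($username);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);     // new ID at login blocks session fixation
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['username'] = $username;
    return true;
}

function is_logged_in(): bool {
    return !empty($_SESSION['user_id']);
}

function log_out(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();               // remove the server-side session data
}
```

Call `start_secure_session()` at the top of every page before any output, `log_in()` from the login form handler, and `is_logged_in()` wherever a page must be restricted.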