1
00:00:00,000 --> 00:00:02,000
[PHP Sessions]

2
00:00:02,000 --> 00:00:04,000
[Tommy MacWilliam, Harvard University]

3
00:00:04,000 --> 00:00:07,000
[This is CS50.] [CS50.TV]

4
00:00:07,000 --> 00:00:10,920
Sessions in PHP can be used to implement functionality,

5
00:00:10,920 --> 00:00:13,440
like user logins, in your web app.

6
00:00:13,440 --> 00:00:16,920
PHP sessions allow you to associate information

7
00:00:16,920 --> 00:00:19,680
with the user's entire browsing session

8
00:00:19,680 --> 00:00:22,290
rather than simply a single page.

9
00:00:22,290 --> 00:00:27,330
So that means as the user visits various PHP pages that make up your website,

10
00:00:27,330 --> 00:00:30,630
any information in the session will persist.

11
00:00:30,630 --> 00:00:34,770
So that means that data stored in the session by one page

12
00:00:34,770 --> 00:00:37,580
can later be accessed by another page.

13
00:00:37,580 --> 00:00:40,080
Storing information in a session is easy,

14
00:00:40,080 --> 00:00:48,790
and we do so via the dollar sign, underscore, capital SESSION variable.

15
00:00:48,790 --> 00:00:52,620
Dollar sign, underscore, SESSION—just like dollar sign, underscore, GET

16
00:00:52,620 --> 00:00:54,710
and dollar sign, underscore, POST—

17
00:00:54,710 --> 00:00:58,690
is an associative array consisting of key value pairs.

18
00:00:58,690 --> 00:01:07,980
So we can use syntax—like dollar sign, underscore, SESSION,

19
00:01:07,980 --> 00:01:16,000
bracket, quote, foo, quote, bracket, equals, quote, bar, quote—

20
00:01:16,000 --> 00:01:20,440
to store the value "bar" in the key "foo."

21
00:01:20,440 --> 00:01:24,030
However, before we can write or read from the session array,

22
00:01:24,030 --> 00:01:26,770
we'll need to call a special function—

23
00:01:26,770 --> 00:01:34,690
session, underscore, start, ()—

24
00:01:34,690 --> 00:01:37,060
and this will initialize the session.

25
00:01:37,060 --> 00:01:39,850
So let's take a look at an example.

26
00:01:39,850 --> 00:01:46,570
Our first page, hello.php, uses the session to output some data to the user.

27
00:01:46,570 --> 00:01:53,920
Remember, we'll need to use session_start before we can access any session data.

28
00:01:53,920 --> 00:01:59,010
Now we're using PHP's isset to determine if a key exists 

29
00:01:59,010 --> 00:02:03,230
in the $_SESSION associative array.

30
00:02:03,230 --> 00:02:07,250
If that key exists, that means the user has logged in,

31
00:02:07,250 --> 00:02:10,410
so we'll display the user's name.

32
00:02:10,410 --> 00:02:14,110
If that key is not set, that means the user hasn't logged in yet,

33
00:02:14,110 --> 00:02:17,880
so we'll display a link to login.php.

34
00:02:17,880 --> 00:02:21,380
So let's take a look at login.php.

35
00:02:21,380 --> 00:02:26,260
Down here, we have a single HTML form with a single input.

36
00:02:26,260 --> 00:02:32,720
The form's action attribute is $_SERVER ['PHP_SELF'],

37
00:02:32,720 --> 00:02:37,440
and this simply means that we want the form to be submitted to the current file,

38
00:02:37,440 --> 00:02:41,040
which, in this case, is login.php.

39
00:02:41,040 --> 00:02:43,010
So let's go back to the top of this file.

40
00:02:43,010 --> 00:02:50,100
If the user submitted the form, then $_POST['name'] must be set.

41
00:02:50,100 --> 00:02:53,750
For more information about HTML forms and post,

42
00:02:53,750 --> 00:02:56,510
check out the PHP Web Development video.

43
00:02:56,510 --> 00:02:59,330
In the case that the user did submit the form,

44
00:02:59,330 --> 00:03:03,970
we'd like to write the value that they typed in into the session.

45
00:03:03,970 --> 00:03:08,540
Now we can redirect the user to hello.php.

46
00:03:08,540 --> 00:03:11,800
Because we've stored the user's input into the session,

47
00:03:11,800 --> 00:03:18,240
hello.php will be able to access the value that was set in login.php.

48
00:03:18,240 --> 00:03:21,010
So let's check this out in a web browser.

49
00:03:21,010 --> 00:03:27,520
First, we'll navigate to http://localhost/hello.php.

50
00:03:27,520 --> 00:03:30,220
We can see here that we haven't logged in yet,

51
00:03:30,220 --> 00:03:35,040
so let's click the login link, which will redirect us to login.php.

52
00:03:35,040 --> 00:03:41,760
Okay, I'll type in my name, which will then be stored in the session.

53
00:03:41,760 --> 00:03:48,950
Great! Now we can see my input from login.php on hello.php via the session.

54
00:03:48,950 --> 00:03:52,270
So, what about logging the user out?

55
00:03:52,270 --> 00:03:58,510
Well, in order to log the user in, we simply stored a value into session name.

56
00:03:58,510 --> 00:04:03,040
So to log the user out, we simply need to remove that name key

57
00:04:03,040 --> 00:04:05,040
from the session array.

58
00:04:05,040 --> 00:04:09,130
So let's take a look at this last file, logout.php.

59
00:04:09,130 --> 00:04:12,080
Once again, we'll need to call session_start()

60
00:04:12,080 --> 00:04:15,260
before we can do anything session related.

61
00:04:15,260 --> 00:04:19,240
Now we can simply call session_destroy(),

62
00:04:19,240 --> 00:04:22,460
which will take care of getting rid of all the data in the session

63
00:04:22,460 --> 00:04:26,790
and then redirect the user back to hello.php.

64
00:04:26,790 --> 00:04:30,700
So if I click on the Log out link,

65
00:04:30,700 --> 00:04:34,690
we can see that the server has forgotten who I am,

66
00:04:34,690 --> 00:04:36,970
and I am no longer logged in.

67
00:04:36,970 --> 00:04:39,910
So what's going on here underneath the hood?

68
00:04:39,910 --> 00:04:42,250
In order to get the behavior we just saw,

69
00:04:42,250 --> 00:04:44,760
our server needs to do 2 things.

70
00:04:44,760 --> 00:04:48,980
First, the server needs to somehow store the data in the session.

71
00:04:48,980 --> 00:04:51,910
The different PHP files that comprise a website

72
00:04:51,910 --> 00:04:56,500
are executed as separate invocations of the PHP interpreter

73
00:04:56,500 --> 00:05:00,550
so local variable cannot be shared between them.

74
00:05:00,550 --> 00:05:04,030
Instead, the server needs to store our session data

75
00:05:04,030 --> 00:05:08,440
in some place that multiple .php files can access.

76
00:05:08,440 --> 00:05:13,940
Second, the server needs to associate the session data with only my browsing session.

77
00:05:13,940 --> 00:05:15,940
When I login to Facebook,

78
00:05:15,940 --> 00:05:20,460
there are probably millions of other people also logged into Facebook at the same time.

79
00:05:20,460 --> 00:05:24,200
But the server needs some way of associating my data 

80
00:05:24,200 --> 00:05:28,340
with my current session and someone else's data with another session.

81
00:05:28,340 --> 00:05:32,380
Luckily, the authors of PHP thought about all of this for us,

82
00:05:32,380 --> 00:05:35,170
so we don't need to implement any of this ourselves.

83
00:05:35,170 --> 00:05:39,540
But let's take a look at what PHP does by default.

84
00:05:39,540 --> 00:05:44,070
When I visit a PHP page containing session_start for the first time,

85
00:05:44,070 --> 00:05:47,930
PHP will generate a large random value.

86
00:05:47,930 --> 00:05:53,970
Until session_destroy is called—or I don't visit any PHP pages on that site for a while—

87
00:05:53,970 --> 00:05:59,050
that random and probably unique value will be associated with me.

88
00:05:59,050 --> 00:06:02,780
That way the server has some way of identifying my browsing session

89
00:06:02,780 --> 00:06:05,710
as opposed to someone else's.

90
00:06:05,710 --> 00:06:08,780
We can take a look at the current session ID 

91
00:06:08,780 --> 00:06:12,380
using the PHP function, session_ID.

92
00:06:12,380 --> 00:06:17,250
Here we're simply outputting the value of our session identifier.

93
00:06:17,250 --> 00:06:20,580
So if we again login to the example web app,

94
00:06:20,580 --> 00:06:25,530
and now navigate to sessid.php,

95
00:06:25,530 --> 00:06:27,850
we'll see this long string of characters,

96
00:06:27,850 --> 00:06:31,180
and that's the current identifier for my session,

97
00:06:31,180 --> 00:06:35,410
and that's how the server is keeping track of who I am.

98
00:06:35,410 --> 00:06:37,670
Okay, but we've only solved half the problem.

99
00:06:37,670 --> 00:06:40,910
Sure, the server now has some way of identifying me,

100
00:06:40,910 --> 00:06:46,060
but when I visit another page, the server needs to reuse that same identifier

101
00:06:46,060 --> 00:06:48,910
rather than generating a new one.

102
00:06:48,910 --> 00:06:52,760
Remember, if I declare a local variable in foo.php

103
00:06:52,760 --> 00:06:55,190
and then visit bar.php, 

104
00:06:55,190 --> 00:07:00,980
bar.php has no way of knowing what happened in foo.php.

105
00:07:00,980 --> 00:07:07,450
So the default php session implementation requires that the browser remind the server

106
00:07:07,450 --> 00:07:09,740
which session ID to use.

107
00:07:09,740 --> 00:07:12,710
This is implemented in the form of a cookie.

108
00:07:12,710 --> 00:07:15,370
A cookie—in addition to being a delicious snack—

109
00:07:15,370 --> 00:07:18,630
is simply a small text file on your computer

110
00:07:18,630 --> 00:07:21,780
that a server can write to via the web browser.

111
00:07:21,780 --> 00:07:27,300
So after PHP generates my unique session ID via session_start,

112
00:07:27,300 --> 00:07:34,210
it's going to tell the web browser to store that identifier in a local text file, or a cookie.

113
00:07:34,210 --> 00:07:38,490
Then the web browser will include that identifier in every request 

114
00:07:38,490 --> 00:07:40,780
that it makes to the server.

115
00:07:40,780 --> 00:07:44,280
So really, the web server isn't remembering who I am.

116
00:07:44,280 --> 00:07:48,780
Instead, the web browser is simply remembering the unique identifier

117
00:07:48,780 --> 00:07:52,730
that was generated by PHP and then constantly reminding the server

118
00:07:52,730 --> 00:07:55,120
what that identifier is.

119
00:07:55,120 --> 00:08:00,760
That way, information like my user name is stored on the server not my web browser.

120
00:08:00,760 --> 00:08:05,190
The browser simply tells the server where PHP stored that information

121
00:08:05,190 --> 00:08:07,750
so PHP can retrieve it.

122
00:08:07,750 --> 00:08:12,150
So that begs the question, where is PHP actually storing this information?

123
00:08:12,150 --> 00:08:14,910
By default, PHP will store your session data 

124
00:08:14,910 --> 00:08:19,540
in a file inside of /tmp, or the 'temp' folder.

125
00:08:19,540 --> 00:08:24,450
The name of that file will include the session ID so PHP can determine

126
00:08:24,450 --> 00:08:28,620
which file to read and write from via only the session ID.

127
00:08:28,620 --> 00:08:32,280
All right. So let's open up the Network tab in Chrome's debugger 

128
00:08:32,280 --> 00:08:34,890
via the wrench icon at top right.

129
00:08:34,890 --> 00:08:38,409
Now let's head to hello.php again.

130
00:08:38,409 --> 00:08:42,270
Let's click on the HTTP request to hello.php

131
00:08:42,270 --> 00:08:44,680
and then click on Headers.

132
00:08:44,680 --> 00:08:50,390
Here we can see that the cookie header contains a key called PHPSESSID,

133
00:08:50,390 --> 00:08:55,980
or PHP session ID—with a value that is that same long string we saw

134
00:08:55,980 --> 00:08:59,290
when we visited sessid.php.

135
00:08:59,290 --> 00:09:04,660
This is exactly how the browser is reminding the server what session ID should be used.

136
00:09:04,660 --> 00:09:08,180
It's including it in an HTTP header.

137
00:09:08,180 --> 00:09:10,500
All right. Let's head back to the terminal.

138
00:09:10,500 --> 00:09:16,450
Let's navigate to /tmp, where PHP is storing the session information by default.

139
00:09:16,450 --> 00:09:19,160
Sure enough, inside of this temporary folder,

140
00:09:19,160 --> 00:09:23,550
here's a file that contains the same exact session ID.

141
00:09:23,550 --> 00:09:28,990
If we open up this file, we can see how PHP is representing my session on disk.

142
00:09:28,990 --> 00:09:32,870
Here the string "Tommy" is being stored for the key 'name,'

143
00:09:32,870 --> 00:09:35,750
which is exactly what we were expecting.

144
00:09:35,750 --> 00:09:38,850
And that's an overview of sessions in PHP.

145
00:09:38,850 --> 00:09:42,590
What we just saw was only the default implementation of sessions.

146
00:09:42,590 --> 00:09:45,600
In fact, many websites change this default behavior

147
00:09:45,600 --> 00:09:48,280
to store PHP sessions more efficiently

148
00:09:48,280 --> 00:09:50,390
in the interest of improving performance.

149
00:09:50,390 --> 00:09:52,800
My name is Tommy, and this is CS50.

150
00:09:52,800 --> 00:09:56,000
[CS50.TV]