Best way to handle sessions?

Hey everyone

I'm new (read: 3 weeks in) with PHP and want to get a good grasp on session handling. I've read quite a bit in the PHP manual and found several tutorials...and they are all helpful, but at the same time confusing. Which is the best way? Or is it pertinent to the application?

I need sessions for the purposes of validating users based on a login to a section of a site...therefore I'd like to have most of my session handling code in an include. Right now, the setup I have works ok, and in plain language works like this:

• User logs in at index.php
• index.php submits username and password to login.php
• login.php verifies user against DB
• If user valid, session is started and registered (using an array, $mysession)
• $mysession contains username, password, realname, id, and SID.
• $SID is stuffed into a cookie ($HTTP_COOKIE_VARS['SID'])
• login.php reroutes valid users to list.php
• list.php AND all other pages 'behind the login' reference the include authorize.php
• authorize.php first checks the SID in the session versus the SID in the cookie
• If valid, then authorize.php validates the user data in the session against the DB.
• If valid, the page is displayed.
• When a user logs out, the cookie is deleted and the session destroyed.

Ok, whew. Now, what I'm confused on, is this. What is the difference between session variables I make manually ($mysession) and the global $HTTP_SESSION_VARS? And, if I'm using a flag to determine that the user is logged in (to prevent multiple logins), how do I reset that flag to 0 when the broswer is closed?

What's the difference between $PHPSESSID and $SID?

Ok, just a few more bits before I split. I'm currently on PHP 4.0.6, Red Hat 7.2, MySQL 3.23.51, Apache 1.3.22. However, we will be upgrading to PHP 4.2 later, and turing register_globals off so I will be using $_COOKIE or $_SESSION etc...

Thanks A TON!

What is SID? Is side the result of calling session_id()?

I have been placing with sessions today myself and many of the questions you ask are the same questions have.

You may want to check out http://www.devshed.com -- they have some PHP articles out there called "Vault" or something that is a document management system that requires login.

The article is pretty straight forward and should give you some insight on how they did it.

Well, I'd like some clarification on SID as well. I know that if you want to pass the session ID you can append it to a header call The result of doing this is one of two things:
1) if cookies are enabled, the session ID will be stored there ($HTTP_COOKIE_VARS['PHPSESSID'], or $_COOKIE['PHPSESSID'])
2) if cookies are disabled, it will show up in the URL as a GET variable (http://www.blah.com/page.php?PHPSESSID=SID string

I've also read on php.net that when you use the superglobal $_SESSION variable, then some of the session handling functions in PHP become unecessary (such as session_register()) Thus the basis of my confusion.

Note: Although adding .SID to the URL in the header makes it store as PHPSESSID, I have successfully tested and retrieved a value for $SID

Still looking for help on this one

Lots of pagesviews to this thread but only one reply? Help/advice anyone?

My server will be switing to PHP 4.1+ soon...

Thanks!