PHP's real SESSION object

Question

EDIT: (UPDATED)

Maybe my question was not clear enough. Ok, lets put it this way:

$arr["a"] = 10; 
var_dump($arr);
$arr["b"] =& $arr["a"];
var_dump($arr);

the first var_dump returns:

array
  'a' => int 10

While the second one returns:

array
  'a' => &int 10
  'b' => &int 10

If I unset($arr["a"]) it will return:

array
  'b' => int 10

The rule is, when 2 or more variables "points" to the same content var_dump will display the reference with an ampersand character (&).

In the case of $_SESSION, even with register_long_arrays = Off $_SESSION still shows a reference. So it is obvious that other variable is also pointing to the same content.

In other words, if I unset($_SESSION) there is still other variable somewhere that can be linked to. In the above example, when I unset($arr["a"]) I can still recover that content if I create a link, something like: $arr["z"] =& $arr["b"].

So, my original question was, does anyone know WHICH is that other variable? It is very probable that such variable do not exists... but I was wondering why inside PHP shows that reference.

Thank you

---

(Original question:)

When you create a session in PHP, for example:

session_start();
$_SESSION["name"] = "my name";

and dump the GLOBAL variables with:

var_dump($GLOBALS);

you will see something like:

  'HTTP_SESSION_VARS' => &
    array
      'name' => string 'my name' (length=7)
  '_SESSION' => &
    array
      'name' => string 'my name' (length=7)
  'HTTP_SERVER_VARS' => 
    array
      ...

As you can see, both variables $GLOBAL[HTTP_SESSION_VARS] and $_SESSION are references to other object's content... Do anyone knows which is that object?

In theory, if I unset both variables, somehow It must be possible to access that content... any clue?

Thank you!

Answer 1

Isn't HTTP_SESSION_VARS for backward compatibility?

Answer 2

$HTTP_SESSION_VARS is the old, deprecated, name for $_SESSION -- you should not use that anymore.

Those $HTTP_*_VARS variables are not necessarily set : they will only be if the register_long_arrays configuration directive is enabled -- and, with recent versions of PHP (i.e. PHP 5.3), it has been deprecated.

For instance, on my server, which is running PHP 5.3.2, the portion of code that you gave :

session_start();
$_SESSION["name"] = "my name";
var_dump($GLOBALS);

Only outputs (after a couple of refresh, which explains the presence of the PHPSESSID cookie) :

array
  'GLOBALS' => 
    &array
  '_POST' => 
    array
      empty
  '_GET' => 
    array
      empty
  '_COOKIE' => 
    array
      'PHPSESSID' => string 'fnlujfapqg7kdk1ocve6ndb282' (length=26)
  '_FILES' => 
    array
      empty
  '_SESSION' => &
    array
      'name' => string 'my name' (length=7)

No trace of any $HTTP_*_VARS variable : the register_long_arrays configuration directive is disabled.

Answer 3

Well, in PHP 5 $HTTP_SESSION_VARS is kept for compatibility reasons only. You are strongly encouraged to use $_SESSION instead. From the PHP manual:

$HTTP_SESSION_VARS contains the same initial information, but is not a superglobal. (Note > that $HTTP_SESSION_VARS and $_SESSION are different variables and that PHP handles them as such)

EDIT
You say you "already know that"!? What's your question then? $_SESSION is NOT an object, after all, it's an ARRAY, a superglobal variable. No methods, no members. You can access it's values like you would with any other array: $_SESSION['key'].

You could write your own Session class that wraps around PHP's session management. Use the session_set_save_handler method to bypass the built in session management and implement your own logic.

Regards.

Answer 4

It's an array of data that is stored in the session file, which is an actual temporary file stored on the server. Like both of them point to, it's an array, there is no 'Session' object. Those values are filled in when you run session_start which basically loads the data from the file based on the PHPSESSID cookie for that user.