PHP 5.6.29 Released

session_start

(PHP 4, PHP 5, PHP 7)

session_start启动新会话或者重用现有会话

说明

bool session_start ([ array $options = [] ] )

session_start() 会创建新会话或者重用现有会话。 如果通过 GET 或者 POST 方式,或者使用 cookie 提交了会话 ID, 则会重用现有会话。

当会话自动开始或者通过 session_start() 手动开始的时候, PHP 内部会调用会话管理器的 open 和 read 回调函数。 会话管理器可能是 PHP 默认的, 也可能是扩展提供的(SQLite 或者 Memcached 扩展), 也可能是通过 session_set_save_handler() 设定的用户自定义会话管理器。 通过 read 回调函数返回的现有会话数据(使用特殊的序列化格式存储), PHP 会自动反序列化数据并且填充 $_SESSION 超级全局变量。

要想使用命名会话,请在调用 session_start() 函数 之前调用 session_name() 函数。

如果启用了 session.use_trans_sid 选项, session_start() 函数会注册一个内部输出管理器, 该输出管理器完成 URL 重写的工作。

如果用户联合使用 ob_start()ob_gzhandler 函数, 那么函数的调用顺序会影响输出结果。 例如,必须在开始会话之前调用 ob_gzhandler 函数完成注册。

参数

options

此参数是一个关联数组,如果提供,那么会用其中的项目覆盖 会话配置指示 中的配置项。此数组中的键无需包含 session. 前缀。

除了常规的会话配置指示项, 还可以在此数组中包含 read_and_close 选项。如果将此选项的值设置为 TRUE, 那么会话文件会在读取完毕之后马上关闭, 因此,可以在会话数据没有变动的时候,避免不必要的文件锁。

返回值

成功开始会话返回 TRUE ,反之返回 FALSE

更新日志

版本 说明
7.0.0 新加 options 参数。
5.3.0 如果函数调用失败返回 FALSE, 之前版本返回了 TRUE
4.3.3 在 PHP 4.3.3 中, 会话开始之后调用 session_start() 函数 会引发 E_NOTICE 级别的错误, 并且第二次请求开始会话的调用会被忽略。

范例

基本的会话示例

Example #1 page1.php

<?php
// page1.php

session_start();

echo 
'Welcome to page #1';

$_SESSION['favcolor'] = 'green';
$_SESSION['animal']   = 'cat';
$_SESSION['time']     = time();

// 如果使用 cookie 方式传送会话 ID
echo '<br /><a href="page2.php">page 2</a>';

// 如果不是使用 cookie 方式传送会话 ID,则使用 URL 改写的方式传送会话 ID
echo '<br /><a href="page2.php?' SID '">page 2</a>';
?>

请求 page1.php 页面之后, 第二个页面 page2.php 会包含会话数据。 请查阅 会话参考 获取更多关于 会话 ID 传送的信息, 在该参考页面中有关于常量 SID 的详细说明。

Example #2 page2.php

<?php
// page2.php

session_start();

echo 
'Welcome to page #2<br />';

echo 
$_SESSION['favcolor']; // green
echo $_SESSION['animal'];   // cat
echo date('Y m d H:i:s'$_SESSION['time']);

// 类似 page1.php 中的代码,你可能需要在这里处理使用 SID 的场景
echo '<br /><a href="page1.php">page 1</a>';
?>

调用 session_start() 的时候指定选项

Example #3 覆盖 Cookie 超时时间设定

<?php
// 设置 cookie 的有效时间为 1 天
session_start([
    
'cookie_lifetime' => 86400,
]);
?>

Example #4 读取会话之后立即关闭会话存储文件

<?php
// 如果确定不修改会话中的数据,
// 我们可以在会话文件读取完毕之后立即关闭它
// 来避免由于给会话文件加锁导致其他页面阻塞
session_start([
    
'cookie_lifetime' => 86400,
    
'read_and_close'  => true,
]);

注释

Note:

要使用基于 cookie 的会话, 必须在输出开始之前调用 session_start() 函数。

Note:

建议使用 zlib.output_compression 来替代 ob_gzhandler()

Note:

根据配置不同,本函数会发送几个 HTTP 响应头。 参考 session_cache_limiter() 来自定义 HTTP 响应头。

参见

add a note add a note

User Contributed Notes 35 notes

up
26
linblow at hotmail dot fr
5 years ago
If you want to handle sessions with a class, I wrote this little class:

<?php

/*
    Use the static method getInstance to get the object.
*/

class Session
{
    const
SESSION_STARTED = TRUE;
    const
SESSION_NOT_STARTED = FALSE;
   
   
// The state of the session
   
private $sessionState = self::SESSION_NOT_STARTED;
   
   
// THE only instance of the class
   
private static $instance;
   
   
    private function
__construct() {}
   
   
   
/**
    *    Returns THE instance of 'Session'.
    *    The session is automatically initialized if it wasn't.
    *   
    *    @return    object
    **/
   
   
public static function getInstance()
    {
        if ( !isset(
self::$instance))
        {
           
self::$instance = new self;
        }
       
       
self::$instance->startSession();
       
        return
self::$instance;
    }
   
   
   
/**
    *    (Re)starts the session.
    *   
    *    @return    bool    TRUE if the session has been initialized, else FALSE.
    **/
   
   
public function startSession()
    {
        if (
$this->sessionState == self::SESSION_NOT_STARTED )
        {
           
$this->sessionState = session_start();
        }
       
        return
$this->sessionState;
    }
   
   
   
/**
    *    Stores datas in the session.
    *    Example: $instance->foo = 'bar';
    *   
    *    @param    name    Name of the datas.
    *    @param    value    Your datas.
    *    @return    void
    **/
   
   
public function __set( $name , $value )
    {
       
$_SESSION[$name] = $value;
    }
   
   
   
/**
    *    Gets datas from the session.
    *    Example: echo $instance->foo;
    *   
    *    @param    name    Name of the datas to get.
    *    @return    mixed    Datas stored in session.
    **/
   
   
public function __get( $name )
    {
        if ( isset(
$_SESSION[$name]))
        {
            return
$_SESSION[$name];
        }
    }
   
   
    public function
__isset( $name )
    {
        return isset(
$_SESSION[$name]);
    }
   
   
    public function
__unset( $name )
    {
        unset(
$_SESSION[$name] );
    }
   
   
   
/**
    *    Destroys the current session.
    *   
    *    @return    bool    TRUE is session has been deleted, else FALSE.
    **/
   
   
public function destroy()
    {
        if (
$this->sessionState == self::SESSION_STARTED )
        {
           
$this->sessionState = !session_destroy();
            unset(
$_SESSION );
           
            return !
$this->sessionState;
        }
       
        return
FALSE;
    }
}

/*
    Examples:
*/

// We get the instance
$data = Session::getInstance();

// Let's store datas in the session
$data->nickname = 'Someone';
$data->age = 18;

// Let's display datas
printf( '<p>My name is %s and I\'m %d years old.</p>' , $data->nickname , $data->age );

/*
    It will display:
   
    Array
    (
        [nickname] => Someone
        [age] => 18
    )
*/

printf( '<pre>%s</pre>' , print_r( $_SESSION , TRUE ));

// TRUE
var_dump( isset( $data->nickname ));

// We destroy the session
$data->destroy();

// FALSE
var_dump( isset( $data->nickname ));

?>

I prefer using this class instead of using directly the array $_SESSION.
up
6
erm[at]the[dash]erm[dot]com
11 years ago
If you are insane like me, and want to start a session from the cli so other scripts can access the same information.

I don't know how reliable this is.  The most obvious use I can see is setting pids.

// temp.php

#!/usr/bin/php -q
<?php

session_id
("temp");
session_start();

if (
$_SESSION) {
   
print_r ($_SESSION);
}

$_SESSION['test'] = "this is a test if sessions are usable inside scripts";

?>

// Temp 2

#!/usr/bin/php -q
<?php

session_id
("temp");
session_start();

   
print_r ($_SESSION);

?>
up
5
emre@yazici
7 years ago
PHP Manual specifically denotes this common mistake:

Depending on the session handler, not all characters are allowed within the session id. For example, the file session handler only allows characters in the range a-z A-Z 0-9 , (comma) and - (minus)!

See session_id() manual page for more details.
up
20
someOne_01 at somewhere dot com
4 years ago
When you have an import script that takes long to execute, the browser seem to lock up and you cannot access the website anymore. this is because a request is reading and locking the session file to prevent corruption.

you can either
- use a different session handler with session_set_save_handler()
- use session_write_close() in the import script as soon you don't need session anymore (best moment is just before the long during part takes place), you can session_start when ever you want and as many times you like if your import script requires session variables changed.

example
<?php
session_start
(); //initiate / open session
$_SESSION['count'] = 0; // store something in the session
session_write_close(); //now close it,
# from here every other script can be run (and makes it seem like multitasking)
for($i=0; $i<=100; $i++){ //do 100 cycles
   
session_start(); //open the session again for editing a variable
   
$_SESSION['count'] += 1; //change variable
   
session_write_close(); //now close the session again!
   
sleep(2); //every cycle sleep two seconds, or do a heavy task
}
?>
up
3
andy_isherwood at hotmail dot com
8 years ago
A session created with session_start will only be available to pages within the directory tree of the page that first created it.

i.e. If the page that first creates the session is /dir1/dir2/index.php and the user then goes to any page above dir2 (e.g. /dir1/index.php), session_start will create a new session rather than use the existing one.
up
4
fabmlk at hotmail dot com
11 months ago
If you ever need to open multiple distinct sessions in the same script and still let PHP generate session ids for you, here is a simple function I came up with (PHP default session handler is assumed):

<?php
/**
  * Switch to or transparently create session with name $name.
  * It can easily be expanded to manage different sessions lifetime.
  */
function session_switch($name = "PHPSESSID") {
        static
$created_sessions = array();

        if (
session_id() != '') { // if a session is currently opened, close it
           
session_write_close();
        }
       
session_name($name);
        if (isset(
$_COOKIE[$name])) {    // if a specific session already exists, merge with $created_sessions
           
$created_sessions[$name] = $_COOKIE[$name];
        }
        if (isset(
$created_sessions[$name])) { // if existing session, impersonate it
           
session_id($created_sessions[$name]);
           
session_start();
        } else {
// create new session
           
session_start();
           
$_SESSION = array(); // empty content before duplicating session file
                        // duplicate last session file with new id and current $_SESSION content
                        // If this is the first created session, there is nothing to duplicate from and passing true as argument will take care of "creating" only one session file
           
session_regenerate_id(empty($created_sessions));
           
$created_sessions[$name] = session_id();
        }
}

session_switch("SESSION1");
$_SESSION["key"] = "value1"; // specific to session 1
session_switch("SESSION2");
$_SESSION["key"] = "value2"; // specific to session 2
session_switch("SESSION1");
// back to session 1
// ...
?>

When using this function, session_start() should not be called on its own anymore (can be replaced with a call to session_switch() without argument).
Also remember that session_start() sets a Set-Cookie HTTP header on each call, so if you echo in-between sessions, wrap with ouput buffering.

Note: it's probably rarely a good idea to handle multiple sessions so think again if you think you have a good use for it.
Personally it played its role for some quick patching of legacy code I had to maintain.
up
2
ohcc at 163 dot com
2 years ago
The constant SID would always be '' (an empty string) if directive session.use_trans_sid in php ini file is set to 0.

So remember to set session.use_trans_sid to 1 and restart your server before you use SID in your php script.
up
11
dave1010 at gmail dot com
5 years ago
PHP locks the session file until it is closed. If you have 2 scripts using the same session (i.e. from the same user) then the 2nd script will not finish its call to session_start() until the first script finishes execution.

If you have scripts that run for more than a second and users may be making more than 1 request at a time then it is worth calling session_write_close() as soon as you've finished writing session data.

<?php
// a lock is places on the session, so other scripts will have to wait
session_start();

// do all your writing to $_SESSION
$_SESSION['a'] = 1;

// $_SESSION can still be read, but writing will not update the session.
// the lock is removed and other scripts can now read the session
session_write_close();

do_something_slow();
?>

Found this out from http://konrness.com/php5/how-to-prevent-blocking-php-requests/
up
3
sanjuro at 1up-games dot com
5 years ago
The problem with SID is that if on occasions you don't start a session, instead of outputting an empty string for transparent integration it will return the regular undefined constant notice. So you might want to test the constant with defined() beforehand.
up
7
elitescripts2000 at yahoo dot com
2 years ago
3 easy but vital things about Sessions in AJAX Apps.

<?php
// session start

//  It is VERY important to include a Period if using
// a whole domain.  (.yourdomain.com)
// It is VERY important to set the root path your session will always
// operate in... (/members) will ensure sessions will NOT be interfered
// with a session with a path of say (/admin) ... so you can log in
// as /admin and as /members... NEVER do unset($_SESSION)
// $_SESSION=array(); is preferred, session_unset();  session_destroy();

session_set_cookie_params(0, '/members', '.yourdomain.com', 0, 1);
session_start();
$_SESSION = array();
session_unset();
session_destroy();

session_set_cookie_params(0, '/members', '.yourdomain.com', 0, 1);
session_start();

$_SESSION['whatever'] = 'youwhat';

// session destroying

// To be safe, clear out your $_SESSION array
// Next, what most people do NOT do is delete the session cookie!
// It is easy to delete a cookie by expiring it long before the current time.
// The ONLY WAY to delete a cookie, is to make sure ALL parameters match the
// cookie to be deleted...which is easy to get those params with
// session_get_cookie_params()...
// FInally, use  session_unset(); and session_destroy(); in this order to ensure
// Chrome, IE, Firefox and others, are properly destroying the session.
$_SESSION = array();
if (
ini_get('session.use_cookies'))
{
   
$p = session_get_cookie_params();
   
setcookie(session_name(), '', time() - 31536000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}
session_unset();
session_destroy();

// AJAX and SESSIONS.
// Example... you start a session based PHP page, which then calls an Ajax (XMLHTTP) authenticated
// using the SAME SESSION to Poll and output the data, for example.  But, you notice when you
// try to start the Polling AJAX call always HANGS and seems to hang at the session_start().
// This is because the session is opened in the first page, calls the AJAX polling example, and
// tries to open the same session (for authentication) and do the AJAX call, you MUST call
// session_write_close(); meaning you are done writing to the $_SESSION variable, which really
// represents a file that must be CLOSED with session_write_close();....
// THAN you can call your AJAX Polling code to reopen the same session and do its polling...
// Normally, the $_SESSION is closed automatically when the script is closed or finished executing
// So, if you need to keep a PHP page running after opening a SESSION, simply close it when finished
// writing to $_SESSION so the AJAX polling page can authenticate and use the same session in a
// seperate web page...

session_write_close();

?>

Hope this helps someone with their sessions...
Thanks.
up
1
aaronw at catalyst dot net dot nz
1 year ago
As others have noted, PHP's session handler is blocking. When one of your scripts calls session_start(), any other script that also calls session_start() with the same session ID will sleep until the first script closes the session.

A common workaround to this is call session_start() and session_write_close() each time you want to update the session.

The problem with this, is that each time you call session_start(), PHP prints a duplicate copy of the session cookie to the HTTP response header. Do this enough times (as you might do in a long-running script), and the response header can get so large that it causes web servers & browsers to crash or reject your response as malformed.

This error has been reported to PHP HQ, but they've marked it "Won't fix" because they say you're not supposed to open and close the session during a single script like this. https://bugs.php.net/bug.php?id=31455

As a workaround, I've written a function that uses headers_list() and header_remove() to clear out the duplicate cookies. It's interesting to note that even on requests when PHP sends duplicate session cookies, headers_list() still only lists one copy of the session cookie. Nonetheless, calling header_remove() removes all the duplicate copies.

<?php
/**
* Every time you call session_start(), PHP adds another
* identical session cookie to the response header. Do this
* enough times, and your response header becomes big enough
* to choke the web server.
*
* This method clears out the duplicate session cookies. You can
* call it after each time you've called session_start(), or call it
* just before you send your headers.
*/
function clear_duplicate_cookies() {
   
// If headers have already been sent, there's nothing we can do
   
if (headers_sent()) {
        return;
    }

   
$cookies = array();
    foreach (
headers_list() as $header) {
       
// Identify cookie headers
       
if (strpos($header, 'Set-Cookie:') === 0) {
           
$cookies[] = $header;
        }
    }
   
// Removes all cookie headers, including duplicates
   
header_remove('Set-Cookie');

   
// Restore one copy of each cookie
   
foreach(array_unique($cookies) as $cookie) {
       
header($cookie, false);
    }
}
?>
up
1
ilnomedellaccount at gmail dot com
3 years ago
A note about session_start(), custom handlers and database foreign key constraints, which I think may be of some use...

We know that if we want our sessions into a database table (rather than the default storage), we can refer to session_set_save_handler(...) to get them there. Note that session_set_save_handler must (obviously) be called before session_start(), but let me get to the point...

Upon calling session_start() the "first time", when the session does not already exist, php will spawn a new session but will not call the write handler until script execution finishes.

Thus, the session at this point exists in the server process memory, but won't be visible as a row in the DB before the script ends.

This seems reasonable, because this avoids some unnecessary database access and resource usage before we even populate our session with meaningfull and definitive data, but this also has side-effects.

In my case, the script called session_start() to make sure a session was initiated, then used session_id() to populate another table in the DB, which had foreign_key constraint to the "sessions" table. This failed because no session was in the db at that point, yet!

I know I could simply force the creation of the row in the DB by manually calling the write handler after session_start(), when necessary, but I am not sure if this is the best possible approach.

As soon as I find an "elegant" solution, or a completely different approach, I will post some working sample code.

In the meanwhile... have fun!
up
1
jamestrowbridge at gmail dot com
6 years ago
Unfortunately, after pulling my hair out trying to figure out why my application was working fine in every browser other than IE ( Internet Explorer) (Opera, Chrome, Firefox, Safari are what I've tested this in) - when using a DNS CNAME record (like a vanity name that is different from the DNS A record, which is the hostname of the server) sessions do not work correctly.

If you store a session var while on the CNAME:
vanity.example.com and the hostname of the server is hosname.example.com
Then try to call the variable from a different page, it will not find it because of the CNAME (I guess it store the variable under the hostname, then when trying to read it it's still looking under the CNAME) the same application works fine when accessing it under the hostname directly.  Keep in mind that I was testing this on an internal network.
up
1
dstuff at brainsware dot org
7 years ago
It seems like spaces in the name don't work either - got a new session id generated each time
up
1
Dark Angel
5 years ago
I had script which should under CLI restore session set by web interface.

Spent like few hours understanding why script with session_id($sid) and session_start() is not restoring session, but generating new one. No any notices or anything helping to resolve.

$sid was read from STDIN. Issue was that value from STDIN contained '\n' character at the end, which is invalid for session identifier. Discovered by stracing CLI script.

Hope this will save you a lot of time.
up
1
info at nospam dot mmfilm dot sk
6 years ago
For those of you running in problems with UTF-8 encoded files:

I was getting an error because of the BOM, although i set Dreamweaver to "save as" the without the BOM. It appears that DW will not change this setting in already existing files. After creating a new file withou the BOM, everything worked well.

I also recommend http://people.w3.org/rishida/utils/bomtester/index.php - a utility that remote checks for the presence of BOM.
up
1
anon at ymous dot com
5 years ago
I am trying to get a session created by a browser call to be used by a command line cli->curl php call (in this case, both calls to the same server and php.ini), for a set of flexible media import routines,

but the cli->curl call always starts a new session despite me putting PHPSESSID=validID as the first parameter for the url called by curl.

I was able to fix it by calling session_id($_GET['PHPSESSID']) before calling session_start() in the script called via curl.
up
0
Anonymous
3 years ago
In the Classes and Objects docs, there is this: In order to be able to unserialize() an object, the class of that object needs to be defined.

An object made by SimpleXML_Load_String() cannot be serialized.  An attempt to do so will result in a run-time failure, throwing an exception.  If you store such an object in $_SESSION, you will get a post-execution error that says this:

Fatal error: Uncaught exception 'Exception' with message 'Serialization of 'SimpleXMLElement' is not allowed' in [no active file]:0 Stack trace: #0 {main} thrown in [no active file] on line 0

The entire contents of the session will be lost.  This script demonstrates the failure.  Hope this saves someone some time!

<?php // RAY_temp_ser.php
error_reporting(E_ALL);
session_start();
var_dump($_SESSION);
$_SESSION['hello'] = 'World';
var_dump($_SESSION);

// AN XML STRING FOR TEST DATA
$xml = '<?xml version="1.0"?>
<families>
  <parent>
    <child index="1" value="Category 1">Child One</child>
  </parent>
</families>'
;

// MAKE AN OBJECT (GIVES SimpleXMLElement)
$obj = SimpleXML_Load_String($xml);

// STORE THE OBJECT IN THE SESSION
$_SESSION['obj'] = $obj;
up
0
info.at.merchandisinginteractive.sk
6 years ago
A handy script that checks fot the presence of uft-8 byte order mark (BOM) in all files in all directories starting on current dir. Combined from the work of other people here...

<?php
function fopen_utf8 ($filename) {
   
$file = @fopen($filename, "r");
   
$bom = fread($file, 3);
    if (
$bom != b"\xEF\xBB\xBF")
    {
        return
false;
    }
    else
    {
        return
true;
    }
}

function
file_array($path, $exclude = ".|..|design", $recursive = true) {
   
$path = rtrim($path, "/") . "/";
   
$folder_handle = opendir($path);
   
$exclude_array = explode("|", $exclude);
   
$result = array();
    while(
false !== ($filename = readdir($folder_handle))) {
        if(!
in_array(strtolower($filename), $exclude_array)) {
            if(
is_dir($path . $filename . "/")) {
                               
// Need to include full "path" or it's an infinite loop
               
if($recursive) $result[] = file_array($path . $filename . "/", $exclude, true);
            } else {
                if (
fopen_utf8($path . $filename) )
                {
                   
//$result[] = $filename;
                   
echo ($path . $filename . "<br>");
                }
            }
        }
    }
    return
$result;
}

$files = file_array(".");
?>
up
0
Charlie at NOSPAM dot example dot com
7 years ago
Be warned that depending on end of script to close the session will effectively serialize concurrent session requests.   Concurrent background "data retrieval" (e.g. applications such as AJAX or amfphp/Flex) expecting to retrieve data in parallel can fall into this trap easily.

Holding the session_write_close until after an expensive operation is likewise problematic.

To minimize effects, call session_write_close (aka session_commit) as early as practical (e.g. without introducing race conditions) or otherwise avoid the serialization bottleneck.
up
0
schlang
7 years ago
if you store your sessions in a database, always ensure that the type of the database column is large enough for your session values
up
0
info at vanylla dot it
7 years ago
If while testing locally on your Windows machine you get many warnigns like:

Warning: session_start()... failed: No such file or directory
Warning: session_start()...: Cannot send session cache limiter - headers already sent
etc.

you need to configure properly the session.save_path in your php.ini file.

Set session.save_path to an existing folder on your PC.
For example: session.save_path="C:\Temp";
up
0
jphansen at uga dot edu
8 years ago
I just wrote that session_start() will erase your querystring variable(s) once called. I want to clarify that it will only do this if a variable by the same subscript is defined in $_SESSION[].
up
0
leandroico---at---gmail---dot---com
9 years ago
TAGS: session_start headers output errors include_once require_once php tag new line

Errors with output headers related to *session_start()* being called inside include files.

If you are starting your session inside an include file you must be aware of the presence of undesired characters after php end tag.

Let's take an example:
> page.php
<?php
include_once 'i_have_php_end_tag.inc.php';
include_once
'init_session.inc.php';

echo
"Damn! Why I'm having these output header errors?";
?>

> i_have_php_end_tag.inc.php
<?php
$_JUST_A_GLOBAL_VAR
= 'Yes, a global var, indeed';
?>

> init_session.inc.php
<?php
session_start
();
$_SESSION['blabla'] = 123;
?>

With all this stuff we will get an error, something like:
"... Cannot send session cache limiter - headers already sent (output started at ...", right?

To solve this problem we have to ignore all output sent by include files. To ensure that we need to use the couple of functions: *ob_start()* and *ob_end_clean()* to suppress the output. So, all we have to do is changing the *page.php* to this:

<?php
ob_start
();
include_once
'i_have_php_end_tag.inc.php';
include_once
'init_session.inc.php';
ob_end_clean();

echo
"Woo hoo! All right! Die you undesired outputs!!!";
?>
up
0
design at ericcorriel dot com
9 years ago
For those encoding their pages in UTF-8 but running into problems with BOM data (Byte Order Marks) being outputted before anything else - such as $_SESSION data - but wish to use UTF-8 encoding, and who do NOT wish to use UTF-8 No BOM encoding because the latter produces weird results when using foreign language accented characters, try the following :

- Save your document with UTF-8 No BOM encoding (on a mac, using BBEdit, this is normally found on the very bottom left corner of the window).  This will produce a document that will not output BOM data.
- then, in your scripts, include the following: 

header('Content-Type: text/html; charset=UTF-8');

before your call to session_start()

hope that helps someone.
up
0
ben dot morin at spaboom dot com
10 years ago
James at skinsupport dot com raises a good point (warning) about additional requests from the browser.  The request for favicon.ico, depending on how it is handled, can have unintended results on your sessions. 

For example, suppose you have ErrorDocument 404 /signin.php, no favicon.ico file and all pages in your site where the user signs in are also redirected to /signin.php if they're not already signed in. 

If signin.php does any clean up or reassigning of session_id (as all good signin.php pages should) then the additional request from the browser for favicon.ico could potentially corrupt the session as set by the actual request. 

Kudos to James for pointing it out and shame on me for skimming past it and not seeing how it applied to my problem.  Thanks too to the Firefox Live HTTP Headers extension for showing the additional request. 

Don't waste days or even hours on this if your session cookies are not being sent or if the session data isn't what you expect it to be.  At a minimum, eliminate this case and see if any additional requests could be at fault.
up
0
James
10 years ago
To avoid the notice commited by PHP since 4.3.3 when you start a session twice, check session_id() first:

if (session_id() == "")
  session_start();
up
0
james at skinsupport dot com
10 years ago
One thing of note that caused me three days of trouble:

It's important to note that Firefox (for one) makes two calls to the server automatically.  One for the page, and one for favicon.ico.

If you are setting session variables (as I was) to certain values when a page exists, and other values when pages don't exist, the values for non-existent pages will overwrite the values for existing pages if favicon.ico doesn't exist.

I doubt many of you are doing this, but if you are, this is a consideration you need to address or you'll be bald over the course of a three day period!
up
0
jorrizza at gmail dot com
11 years ago
If you open a popup window (please no commercial ones!) with javascript window.open it might happen IE blocks the session cookie.
A simple fix for that is opening the new window with the session ID in a GET value. Note I don't use SID for this, because it will not allways be available.

----page.php----
//you must have a session active here
window.open('popup.php?sid=<?php echo session_id(); ?>', '700x500', 'toolbar=no, status=no, scrollbars=yes, location=no, menubar=no, directories=no, width=700, height=500');

----popup.php----
<?php
session_id
(strip_tags($_GET['sid']));
session_start();
//and go on with your session vars
?>
up
0
hbertini at sapo dot pt
11 years ago
workaround when using session variables in a .php file referred by a frame (.html, or other file type) at a different server than the one serving the .php:

Under these conditions IE6 or later silently refuses the session cookie that is attempted to create (either implicitly or explicitly by invoquing session_start()).

As a consequence, your session variable will return an empty value.

According to MS kb, the workaround is to add a header that says your remote .php page will not abuse from the fact that permission has been granted.

Place this header on the .php file that will create/update the session variables you want:

<?php header('P3P: CP="CAO PSA OUR"'); ?>

Regards,
Hugo
up
-1
alakys
5 years ago
Sorry for the noob comment but for those having the error :

Warning: session_start(): Cannot send session cache limiter - headers already sent ...

And before trying all the solutions added by the experts, simply ensure to have your php code before even the DOCTYPE tag like this (and not between the doctype and html tags as I was doing):

<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Test Page</title>
</head>

<body>
etc ....

It might sound funny but I am sure this post will save time to some others noobs like me ... !
up
-1
m dot kuiphuis at hccnet dot nl
13 years ago
[Editors Note: For more information about this
http://www.zvon.org/tmRFC/RFC882/Output/chapter5.html ]

I use name-based virtual hosting on Linux with Apache and PHP 4.3.2.
Every time when I refreshed (by pressing F5 in Internet Explorer) I noticed that I got a new session_id. Simultaneously browsing the same site with Netscape didn't give me that problem. First I thought this was some PHP issue (before I tested it with Netscape), but after searching a lot on the internet I found the problem.
Since I was using name based virtual hosting for my testserver and we have different webshops for different customers I used the syntax webshop_customername.servername.nl as the domain-name.
The _ in the domain name seemed to be the problem. Internet Explorer just denies setting the cookie on the client when there is a special character (like an _ ) in the domain name. For more information regarding this issue: http://support.microsoft.com/default.aspx?scid=kb;EN-US;316112
Stupidly enough, this information was related to asp (yuk :o)
up
-1
aladinfajr at gmail dot com
6 years ago
my problem was in
session_start();
when i include this term in my first code it show me Warning Message: Cannot Modfie cache limiter
i had tryed many solves and dosn't work

finally

i write my code in other encode
and it sccussfully worked

i hope that help
up
-2
gkemaldag at gmail dot com
5 years ago
For the error:

Warning: session_start(): Cannot send session cache limiter - headers already sent ...

this kind of errors would occur, when the encoding of your script file needs to send some headers just after your script starts to execute,

this happens mostly with the scripts using normal utf8 encoding.

To overcome the issue, use utf8(without BOM) encoding provided by notepad++ and most modern editors. Using utf8 encoding and cookie based sessions, will result in headers already sent by error.
up
-1
aban at datahouselibya dot com
8 years ago
for resolve the problem with session_start()
Cannot send session cache limiter - headers already sent (output started at ..."

write it at first line of the page like

<?php session_start(); ?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<body>
<?php $_SESSION['name']='mohamed'; ?>
</body>
<html>
To Top