It is possible to use PHP sessions without a cookie by adding the session ID to url’s, however by default it is done by a single cookie being stored with a unique session ID. The server stores the actual session values, the users browser stores their unique ID for the server to request each time.
PHP sessions uses a cookie called PHPSESSID and is typically stored in the /tmp/ directory on the web server itself. The way the server knows to associate a given session with a given request is that it’s also stored in an HTTP cookie
Using sessions within PHP code
In a standard PHP application, a session would be started using the session_start function at the very top of the PHP scripting
if ( !isset($_SESSION)) session_start();
Sessions timeout by default after 24 minutes. You can change this via php.ini, but it is done this way to protect against hackers trying to hijack old sessions so consider if you should.
$_SESSION['my_session_name'] = "YES"; if (isset($_SESSION['my_session_name']) && ($_SESSION['my_session_name'] == 'YES')) $Something = 1; unset($_SESSION['my_session_name']);
Clearing all $_SESSION values for a user
You don’t call session_destroy() from usual code, instead do this:
//Unset all of the session variables $_SESSION = array();