This is a trickier concept than most of the stuff we've covered above, so I'm going to go into some background first. The protocol that we use today on the world wide web is HTTP. This much you probably know. It's a stateless protocol, which you probably didn't. What this means is that when someone requests a page, the page is sent and the connection is closed. End of story to the webserver. But you, the application writer, want some way to identify a single visitor throughout their visit, because they're not just getting one page. They're getting a dozen as they browse, and maybe they typed in a password on that first page and don't want to have to log in to every page as they go through your site.
Netscape saw that this was an issue and their answer was the "magic cookie". A magic cookie is a little piece of text that a server gives the browser with their page. The cookie is stored on the browser and it has certain instructions with it, like how long it's supposed to last, and which servers the browser should give the cookie to. Then whenever the browser asks for a new page, it gives the cookie to the server as part of the request. So by giving someone data in a cookie, the webserver (and the application) can maintain variables across connections.
Now the problem with cookies is that people can read them, and they can change them, and they can make them up completely because they're on the browser and bad people have browsers just like good people do. So what session management does is that it keeps all the data, all the variables on the server, where they're much safer than on some guy's hard drive, and links the data to browsers with a unique number, a number that's very hard to guess. So now when a browser asks for a page, and gives its cookie, which has a long number in it, PHP can load the data in the session file with that number, and retrieve all the variables saved in it.
Which means that if your visitor logs in, you can save a $_SESSION['logged_in'] variable in the session file and every time you load a page, you start the session and see if $_SESSION['logged_in'] is set. Which means you don't have to make him log in on every page, and you can be sure that the user didn't fake a login by changing the cookie file.
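You need to start a session before any data is sent. Similarly, you need to register session variables before any data is sent. Data means HTML: your page. So put this code right at the start, with no white space before it at the top of the page.
<?php
// Must run before any output is sent, so the session cookie header can still be set.
session_start();
// Initialise the counter on the first visit, then increment it on every load.
$_SESSION['count'] = ($_SESSION['count'] ?? 0) + 1;
echo "You have loaded this page " . $_SESSION['count'] . " times!";
?>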
The default lifetime of a PHP session cookie is 0, which means it's deleted when the browser closes. However, you can browse to other sites and then come back to this one, and the session will still exist.
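The login check described earlier, written out as an added example (not code from the original page). It assumes one constructed demo account, "alice", whose hash is generated inline; a real application would fetch the hash from its user store. The helper names try_login() and is_logged_in() are hypothetical.

```php
<?php
// Added example: the $_SESSION['logged_in'] pattern with the session cookie locked down.
declare(strict_types=1);

// Constructed demo account (assumption); the hash would normally come from a database.
const DEMO_USER = 'alice';
$demoHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

// Refuse session IDs that this server did not issue itself.
ini_set('session.use_strict_mode', '1');

// Cookie flags have to be set before session_start(), which must precede any output.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie: dropped when the browser closes
    'path'     => '/',
    'secure'   => true,     // sent over HTTPS only
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

function is_logged_in(): bool
{
    // The flag lives in the server-side session file, so the browser cannot set it.
    return ($_SESSION['logged_in'] ?? false) === true;
}

function try_login(string $user, string $password, string $hash): bool
{
    if (!hash_equals(DEMO_USER, $user) || !password_verify($password, $hash)) {
        return false;
    }
    // Issue a fresh ID at login so an ID known before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['user'] = $user;
    return true;
}

$user = $_POST['user'] ?? '';
$pass = $_POST['password'] ?? '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && is_string($user) && is_string($pass)) {
    try_login($user, $pass, $demoHash);
}

echo is_logged_in()
    ? 'Welcome back, ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8')
    : 'Please log in.';
```

Because the cookie is marked secure, the browser only returns it over HTTPS, so the login will not persist if the script is served over plain HTTP.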
Look up the "Session Management Functions" in the PHP manual -- you can even write your own handler to save sessions, storing data in a database or in a different format.
Remember, the thing that catches nearly everyone out when writing session code is getting everything done before the headers are sent. If you want to be sure this never happens, and don't mind a little performance hit, you can switch on output buffering in php.ini, which makes PHP wait until it has finished drawing the entire page before sending it, so you can send headers anywhere in the script without worrying about errors.