update page now

    session_id

    (PHP 4, PHP 5, PHP 7, PHP 8)

    session_idGet and/or set the current session id

    Description

    session_id(?string $id = null): string|false

    session_id() is used to get or set the session id for the current session.

    The constant SID can also be used to retrieve the current name and session id as a string suitable for adding to URLs. See also Session handling.

    Parameters

    id

    If id is specified and not null, it will replace the current session id. session_id() needs to be called before session_start() for that purpose. Depending on the session handler, not all characters are allowed within the session id. For example, the file session handler only allows characters in the range [a-zA-Z0-9,-]!

    Note: When using session cookies, specifying an id for session_id() will always send a new cookie when session_start() is called, regardless if the current session id is identical to the one being set.

    Return Values

    session_id() returns the session id for the current session or the empty string ("") if there is no current session (no current session id exists). On failure, false is returned.

    Changelog

    Version Description
    8.0.0 id is nullable now.

    See Also

    Found A Problem?

    Learn How To Improve This PageSubmit a Pull RequestReport a Bug
    add a note

    User Contributed Notes 2 notes

    up
    47
    Riikka K
    11 years ago
    It may be good to note that PHP does not allow arbitrary session ids. The session id validation in PHP source is defined in ext/session/session.c in the function php_session_valid_key:

https://github.com/php/php-src/blob/master/ext/session/session.c

To put it short, a valid session id may consists of digits, letters A to Z (both upper and lower case), comma and dash. Described as a character class, it would be [-,a-zA-Z0-9]. A valid session id may have the length between 1 and 128 characters. To validate session ids, the easiest way to do it use a function like:

<?php

function session_valid_id($session_id)
{
    return preg_match('/^[-,a-zA-Z0-9]{1,128}$/', $session_id) > 0;
}

?>

session_id() itself will happily accept invalid session ids, but if you try to start a session using an invalid id, you will get the following error:

Warning: session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'
    up
    0
    emmanuel at chazard dot org
    11 hours ago
    You need to be careful if your page is expected to be accessed via GET requests from a smartphone. 

I noticed that when I explicitly (or via JavaScript) refresh a page on my smartphone using Chrome, the browser sends three simultaneous GET requests to get a complete page. In these requests, cookies are reset and the session ID is renewed, which might lead your PHP script to believe that these are new connexions.

I could not determine which criteria the browser uses to decide how many different requests should be sent. However, this does not happen with pages obtained from a POST request.

A word of advice: forms should not use the GET method if their processing involves writing data (database, file, email, etc.), but only if the subsequent actions simply involve reading data.
    add a note
    To Top