Home » Php » What keeps a php session alive?

What keeps a php session alive?

Posted by: admin April 23, 2020 Leave a comment


Are sessions only kept alive each time you access a page with session_start(); or do other pages keep it alive too?

Example (with 30 minute timeout):


user accesses page with session_start();
25 mins later they access another session_start();
page session stays alive


user accesses page with session_start();
25 mins later they access a non-session_start(); page
session stays alive

Is 2 also true ?

How to&Answers:

There is always a session cookie set in your browser whenever you access a page which has session_start(). The cookie name will PHPSESSID if the website is using PHP(although the name can be changed). This session cookie contains a session id which helps the browser to maintain that session with the server.

You can check manually by browsing any website which has your session and then delete your browser cookies, your session will be lost.

In your case both 1 & 2 are correct.

2 is correct because the user already has accessed a page which has session_start() and your session id will be set for the next 30 mins and it will be present even if you accesse a page which does not have a session.

NOTE: But the page which you will be visiting if contains session_destroy(), your session will be destroyed.


Calling session_start() merely gives your code access to the session.

What keeps the session alive is your browser sending the session id (stored in a cookie) to the server, whether you use it or not.

Answer: They are both true.


Here’s the relevant part from the documentation

When a visitor accesses your site, PHP will check automatically (if session.auto_start is set to 1) or on your request (explicitly through session_start()) whether a specific session id has been sent with the request. If this is the case, the prior saved environment is recreated.


session_start() creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie.


This means if you don’t call session_start, the session will not be resumed and the expiration is not extended.


The session_start() is internal mechanism for php to access session and also to send session cookie to client browser.

  1. Case 1 is true: because user accessed a page with session_start() and then another similar page.
  2. Case 2 is only true if the session timeout is greater than 25 minutes between two visits.

In Case 2, the server will not send any session cookie, its a browser that includes cookie in the request header.


In the instant case the PHP session life of 30 minutes is kind of a “trick question” factor. The default and almost universal session life is 1440 seconds, or 24 minutes. So for most folks, the session data could have disappeared before the 25 minute mark.

This article tells some of the detail behind how PHP sessions work.


It doesnt have to do anything with the web pages, session interact with your browser by session id.

The session IDs generated by PHP are unique, random, and almost impossible to guess, making it very
hard for an attacker to access or change the session data. Furthermore, because the session data is stored
on the server, it doesn ’ t have to be sent with each browser request.

To start a PHP session in your script, you simply call the session_
start() function. If this is a new session, this function generates a unique SID for the session and sends it to the browser as a cookie called PHPSESSID (by default).
However, if the browser has sent a PHPSESSID
cookie to the server because a session already exists, session_start() uses this existing session:


The 1st statement is true unless you use different session name on both pages.

The 2nd statement is false.


If you want sessions’ on all of your pages, session_start() should be called on all of your pages.

Hence, 1 is CORRECT and 2 is CORRECT