PHP 8.4.0 RC3 available for testing

    session_id

    (PHP 4, PHP 5, PHP 7, PHP 8)

    session_idGet and/or set the current session id

    Description

    session_id(?string $id = null): string|false

    session_id() is used to get or set the session id for the current session.

    The constant SID can also be used to retrieve the current name and session id as a string suitable for adding to URLs. See also Session handling.

    Parameters

    id

    If id is specified and not null, it will replace the current session id. session_id() needs to be called before session_start() for that purpose. Depending on the session handler, not all characters are allowed within the session id. For example, the file session handler only allows characters in the range [a-zA-Z0-9,-]!

    Note: When using session cookies, specifying an id for session_id() will always send a new cookie when session_start() is called, regardless if the current session id is identical to the one being set.

    Return Values

    session_id() returns the session id for the current session or the empty string ("") if there is no current session (no current session id exists). On failure, false is returned.

    Changelog

    Version Description
    8.0.0 id is nullable now.

    See Also

    Improve This Page

    Learn How To Improve This PageSubmit a Pull RequestReport a Bug
    add a note

    User Contributed Notes 1 note

    up
    42
    Riikka K
    9 years ago
    It may be good to note that PHP does not allow arbitrary session ids. The session id validation in PHP source is defined in ext/session/session.c in the function php_session_valid_key:

    https://github.com/php/php-src/blob/master/ext/session/session.c

    To put it short, a valid session id may consists of digits, letters A to Z (both upper and lower case), comma and dash. Described as a character class, it would be [-,a-zA-Z0-9]. A valid session id may have the length between 1 and 128 characters. To validate session ids, the easiest way to do it use a function like:

    <?php

    function session_valid_id($session_id)
    {
    return     preg_match('/^[-,a-zA-Z0-9]{1,128}$/', $session_id) > 0;
    }

    ?>

    session_id() itself will happily accept invalid session ids, but if you try to start a session using an invalid id, you will get the following error:

    Warning: session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'
    add a note
    To Top