Encoding and Decoding PHP Session Variables

Session variables are used to overcome the limitation of HTTP's statelessness. Sessions implicitly encode and decode PHP session variables to prevent any possible threat to application data during transmission. PHP also provides explicit functions to encode and decode the session variables.

By default, PHP session data is stored as session variables when declared and initialized in a PHP script. Session variables are declared using the $_SESSION superglobal. The encoding process converts the session variables and the data in them into a serialized string format. Serialized means each session variable is identified by a string index (the name of the session variable).

The format of each session variable in the encoded string is:

  • Index_of_variable: the index name of the session variable, as a string.
  • Data-type: depends on the data type of the stored value (s for string, i for integer).
  • Length: the number of characters in the value of the session variable.
  • Value: the value of the session variable.

Functions: Encoding and Decoding PHP Session Variables

PHP has two functions for encoding and decoding PHP session variables. These functions give output only if the session has previously been started using the session_start() function.


session_encode() uses the currently initialized session variables. It returns a serialized string showing all the session variables with their data lengths and values.


session_decode() accepts a serialized string as input and creates session variables from it. If this conversion is successful, the session_decode function returns true.

Decoded session variables and their values are available as the corresponding session variables. Session decode will automatically end the session. The $_SESSION superglobal will still be available to access the values from the decoded serialized string.


The following example explains the working of these two functions.

Encoding and Decoding input form
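<?php session_start(); // Start Session (before any output is sent) ?>
<form method="post">
<!--form created-->
<div style="border: 2px solid darkblue;padding:10px;text-align:center;width:50%">
User Name:<input type="text" name="user">
DOB:<input type="date" name="dob">
<input type="submit" value="SUBMIT" name="submit">
</div>
</form>
<?php
// check if the form is submitted
if (isset($_POST['submit'])) {
	//get form data
	$user = $_POST['user'] ?? '';
	$dob = $_POST['dob'] ?? '';
	//pass on the entered values in session variables
	$_SESSION['user'] = $user;
	$_SESSION['dob'] = $dob;
	echo '<h1>Session Data entered</h1>';
	// escape user input before writing it into the page
	echo '<h3>Hello ' . htmlspecialchars($user) . '! your DOB is ' . htmlspecialchars($dob) . '</h3>';
	echo '<h1>Session Data Encoded as serialized string</h1>';
	echo '<h3>' . htmlspecialchars(session_encode()) . '</h3>';
	//initialise a serialized string
	$sess_encoded = 'cust_name|s:10:"Sara Priet";cust_dob|s:10:"2020-12-31";';
	//create session variables from the serialized string
	session_decode($sess_encoded);
	echo '<h1>after decode</h1>';
	echo '<pre>' . htmlspecialchars(print_r($_SESSION, true)) . '</pre>';
}
?>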

The output is displayed in three stages.


First, the data entered by the user is displayed. Next, the session_encode() function is called and the encoded data is displayed as a serialized string.

Next, the session_decode() function is called. The encoded string, with two string elements, cust_name and cust_dob, is passed as the argument to the session_decode function. Since these elements are different from the existing session variables, they are simply added to the $_SESSION superglobal by the decode function, making a total of four session variables. The values of all the session variables are displayed with the print_r() function.
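Because session_decode() adds every entry of the string it receives to $_SESSION, a string that did not come from the application's own session_encode() call is worth checking before it is decoded. The strict parser below for the format described above is an added example, not code from the original article; parse_session_string() and safe_session_decode() are hypothetical helper names, and only the s and i types listed earlier are accepted.

```php
<?php
// Added example: strict parser for the name|type:length:"value"; layout.
// Only the types listed in the article are accepted (s = string, i = integer).
function parse_session_string(string $encoded): ?array
{
    $vars = [];
    $pos = 0;
    $len = strlen($encoded);
    while ($pos < $len) {
        // Match   name|i:<digits>;   or the prefix   name|s:<length>:"
        $re = '/\G([A-Za-z_]\w*)\|(?:i:(-?\d{1,18});|s:(\d{1,9}):")/';
        if (!preg_match($re, $encoded, $m, 0, $pos)) {
            return null; // arrays, objects, bad names, malformed entries
        }
        $pos += strlen($m[0]);
        if (!isset($m[3])) {            // integer entry, fully consumed
            $vars[$m[1]] = (int) $m[2];
            continue;
        }
        $n = (int) $m[3];               // declared string length
        // The value must fit and be followed by the closing '";'.
        if ($n > $len - $pos - 2 || substr($encoded, $pos + $n, 2) !== '";') {
            return null;
        }
        $vars[$m[1]] = substr($encoded, $pos, $n);
        $pos += $n + 2;
    }
    return $vars;
}

// Hypothetical wrapper: decode only strings that pass the strict parser.
function safe_session_decode(string $encoded): bool
{
    return parse_session_string($encoded) !== null && session_decode($encoded);
}

session_start(); // must run before any output
// Constructed inputs: the article's string, a wrong length, an array entry.
$samples = [
    'cust_name|s:10:"Sara Priet";cust_dob|s:10:"2020-12-31";',
    'cust_name|s:4:"Sara Priet";',
    'cust_name|a:0:{}',
];
foreach ($samples as $s) {
    echo safe_session_decode($s) ? "decoded:  " : "rejected: ", $s, "\n";
}
print_r($_SESSION);
```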
