Watcher: PHP Session Variables Tracker

live demonstration
view source code or retrieve from git://


PHP session variables are extremely handy for providing stateful (persistent) data between Web pages. Although they use cookies, they have a great advantage in that no personal or sensitive data is kept in the cookies – that information stays on the server. Session cookies are used solely to identify the correct information cache on the server. The use of session variables avoids the need to constantly pass large blocks of information between pages in POST or (worse) GET parameters, which means avoiding the need to keep revalidating that information (we never trust anything coming from the Web, right?). Session variables are particularly good for keeping track of user authentication information without exposing sensitive information through page refreshes or passing around authentication tokens (particularly password hashes!) that can be intercepted and hacked.

Session variables can also sometimes be tricky to debug. Many developers use print_r($_SESSION) to dump the current contents of a session's stored variables. However, the output format is not the greatest, particularly with nested arrays. Moreover, trying to embed a print_r() statement in HTML code where its output will be seen and not overly disturb a page's layout can be challenging.

I developed a short standalone PHP script that fetches and displays PHP session variables. So long as this script (which of course must reside on the Web server) is accessed from the same browser using the same Web host name as the application being debugged, it will show the current session variables. The script has a number of refinements over print_r(), including converting NULL and Boolean values to visible values. It recursively expands arrays to an arbitrary number of levels, displaying array contents as indented and color-coded blocks. It also accepts a GET filter parameter to fetch variables only with a specified prefix, which is handy when session variables for several different applications may exist at one time. (This presumes each application is using a unique prefix for its own variables, a practice which I heartily encourage, not only to accommodate this script but also to avoid variable clashes between two applications.)
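The techniques described above (visible NULL and Boolean values, recursive expansion, prefix filtering) can be sketched as follows. This is an added example, not the watcher.php source: the function names and sample data are hypothetical, and it escapes every key and value on output because session contents often originate from user input.

```php
<?php
// Added illustration; not the watcher.php source. All names are hypothetical.

/** Make NULL and Boolean values visible; everything else becomes a string. */
function visible_value($v): string
{
    if ($v === null)   { return 'NULL'; }
    if (is_bool($v))   { return $v ? 'TRUE' : 'FALSE'; }
    if (is_object($v)) { return 'object(' . get_class($v) . ')'; }
    return (string) $v;
}

/** Keep only top-level keys that start with $prefix (empty prefix keeps all). */
function filter_by_prefix(array $vars, string $prefix): array
{
    if ($prefix === '') { return $vars; }
    return array_filter(
        $vars,
        fn($k) => strncmp((string) $k, $prefix, strlen($prefix)) === 0,
        ARRAY_FILTER_USE_KEY
    );
}

/** Recursively render an array as nested, indented blocks with escaped content. */
function render_vars(array $vars): string
{
    $esc = fn(string $s) => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $out = '';
    foreach ($vars as $key => $value) {
        $out .= '<div><b>' . $esc((string) $key) . '</b>';
        if (is_array($value)) {
            // Nested arrays get their own indented block; depth is unbounded.
            $out .= '<div style="margin-left:2em">' . render_vars($value) . '</div>';
        } else {
            $out .= ' = ' . $esc(visible_value($value));
        }
        $out .= "</div>\n";
    }
    return $out;
}

// Constructed sample data standing in for $_SESSION and $_GET['filter'].
$session = [
    'shop_cart'  => ['items' => [['sku' => 'A1', 'qty' => 2]], 'gift' => false],
    'shop_note'  => '<b>typed by a user</b>',   // rendered as text, not markup
    'blog_draft' => null,
];
$filter = 'shop_';
echo render_vars(filter_by_prefix($session, $filter));
```

With the `shop_` filter, `blog_draft` is omitted, `gift` prints as `FALSE`, and the markup in `shop_note` appears as literal text.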

This utility is called watcher.php, and its code is available here. If you want to see the script in action, run the script watcher_test.php, which creates test session data on our server that can be examined as a whole or filtered by using the prefix search capability.

The code is well-documented, and several constants at the top control indenting and color choices, so customizing the script to your own tastes should be easy.

The usual personal preference disclaimers: My background includes years of programming in C, so I prefer printf() over other PHP output functions: it has powerful formatting capabilities and allows for some very compact code. Also, PHP statements in my scripts are always in their own independently indented code blocks, as I consider PHP code placed inline with HTML content to be a debugger's worst nightmare.
