$_SESSION

The $_SESSION superglobal is used to store data on the server that persists across multiple requests from the same user.

Unlike cookies, session data is not stored in the browser. Instead, PHP stores session data on the server and gives the browser a small identifier (a session ID), usually via a cookie called PHPSESSID. On each request, the browser sends this ID back, allowing PHP to retrieve the correct session data.

To use sessions in PHP, session_start() must be called at the beginning of the request. This initializes the session and makes the $_SESSION array available. Any values stored in $_SESSION will remain available across page loads for that user, until the session expires or is destroyed.

Sessions are commonly used for authentication state, user identity, and temporary data that should not be exposed to the client. In WordPress and plugins like MemberPress, sessions are usually abstracted away, but the underlying concept is the same.
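
The login-state use described above, as an added example (not code from WordPress or MemberPress): it hardens the session cookie, issues a fresh session ID at login, and destroys the session at logout. The $users array, the demo password, the form field names and the login()/logout() helpers are assumptions made for illustration, and the secure cookie flag assumes the page is served over HTTPS.

```php
<?php
declare(strict_types=1);

// Harden the session ID cookie (PHPSESSID by default) before the session starts.
session_set_cookie_params([
    'lifetime' => 0,       // cookie is dropped when the browser closes
    'path'     => '/',
    'secure'   => true,    // sent over HTTPS only (assumption: the site uses TLS)
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1'); // refuse session IDs the server did not issue
session_start();                          // must run before any output is sent

// Constructed demo user store; a real application would query its own database.
$users = ['alice' => password_hash('demo-password', PASSWORD_DEFAULT)];

function login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    session_regenerate_id(true); // fresh ID at login, so a pre-login ID cannot be reused
    $_SESSION['user'] = $name;   // kept on the server; the browser only holds the ID
    return true;
}

function logout(): void
{
    $_SESSION = [];              // clear the server-side data for this request
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires' => time() - 3600, 'path' => $p['path'], 'domain' => $p['domain'],
        'secure' => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
    ]);                          // expire the ID cookie in the browser
    session_destroy();           // delete the stored session on the server
}

// Hypothetical form fields: action, user, password. Non-string input is ignored.
$field = fn(string $k): string => is_string($_POST[$k] ?? null) ? $_POST[$k] : '';
if ($field('action') === 'login') {
    login($users, $field('user'), $field('password'));
} elseif ($field('action') === 'logout') {
    logout();
}

echo isset($_SESSION['user'])
    ? 'Logged in as ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8')
    : 'Not logged in';
```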

Key points:

  • Session data lives on the server
  • The browser only stores a session ID
  • session_start() is required before accessing $_SESSION
  • Sessions are used for login state and temporary data