147

Session files are usually stored in, say, /tmp/ on the server, and named sess_{session_id}. I have been looking at the contents and cannot figure out how they really work.

Fetching the variable name and content from the file is easy. But how does PHP know what session belongs to whom?

The session_id seems totally random and one IP address can have several users, and each user can have several sessions if they have more than one browser window open.

So how does it work?

Fopa Léon Constantin
  • 11,863
  • 8
  • 48
  • 82
Christoffer
  • 25,035
  • 18
  • 53
  • 77

4 Answers4

224

In the general situation :

  • the session id is sent to the user when his session is created.
  • it is stored in a cookie (called, by default, PHPSESSID)
  • that cookie is sent by the browser to the server with each request
  • the server (PHP) uses that cookie, containing the session_id, to know which file corresponds to that user.

The data in the sessions files is the content of $_SESSION, serialized (ie, represented as a string -- with a function such as serialize) ; and is un-serialized when the file is loaded by PHP, to populate the $_SESSION array.


Sometimes, the session id is not stored in a cookie, but sent in URLs, too -- but that's quite rare, nowadays.


For more informations, you can take a look at the Session Handling section of the manual, that gives some useful informations.

For instance, there is a page about Passing the Session ID, which explains how the session id is passed from page to page, using a cookie, or in URLs -- and which configuration options affect this.

Pascal MARTIN
  • 395,085
  • 80
  • 655
  • 663
  • 6
    How does a mobile device (from a native app) handle sessions normally? Storing a session ID? Or is this were OAuth comes along? – Adam Waite Feb 24 '13 at 13:29
  • So are you saying PHP sessions are managed server-side, and that one should not expect to see the session variables themselves identified in the "Session Store" of the browser? – Dan Chase Dec 27 '20 at 18:40
29

How Does PHP Session Works

  • Firstly PHP creates a 16-byte long unique identifier number (stored as a string of 32 hexadecimal characters, e.g a86b10aeb5cd56434f8691799b1d9360) for an individual session.

  • PHPSESSID cookie passes that unique identification number to users' browser to save that number.

  • A new file is created on the server with the same name of unique identification number with sess_ prefix (ie sess_a86b10aeb5cd56434f8691799b1d9360.)

  • The browser sends that cookie to the server with each request.

  • If PHP gets that unique identification number from PHPSESSID cookie (on each request), then PHP searches in the temporary directory and compares that number to the file name. If both are the same, then it retrieves the existing session, otherwise it creates a new session for that user.

A session gets destroyed when the user closes the browser or leaves the site. The server also terminates the session after the predetermined period of session time expires. These are the simple mechanism steps that PHP is using to handle the session. I hope this article with help you to understand how PHP SESSION is working.

Umar Farooque Khan
  • 515
  • 1
  • 6
  • 17
Sohel Rana
  • 567
  • 5
  • 10
  • But if I am, say, logged-in to a certain site (aka: in a session), and open a new tab `mysite.com/cart`. I will also get my "Hello Joe Doe, 5 messages, here's your shopping cart list..." aka session information. – But why would the browser regarding this blank tab send any Session-ID alongside with the GET-Request? quick update: [Ah, found the answer :+)](https://stackoverflow.com/a/1336148/444255) – Frank N Jul 24 '18 at 11:23
  • Can i ask that how the session id can provide security?For example If the user inlogged, and arrive to his profile, than change the url parameter to access different user's profile, how can session id prevent this? – Andrewboy Apr 08 '20 at 21:03
4

The session ID is indeed random, and is passed in a cookie or in the URL, depending on configuration. You might already have seen this PHPSESSID=xxxx in some URLs, there is a cookie by that name too.

Julien Lebosquain
  • 40,639
  • 8
  • 105
  • 117
2

Sessions in PHP are started by using the session_start( ) function. Like the setcookie( ) function, the session_start( ) function must come before any HTML, including blank lines, on the page. It will look like this: <?php session_start( );?><html><head> ....... etc The session_start( ) function generates a random Session Id and stores it in a cookie on the user's computer (this is the only session information that is actually stored on the client side.) The default name for the cookie is PHPSESSID, although this can be changed in the PHP configuration files on the server (most hosting companies will leave it alone, however.) To reference the session Id in you PHP code, you would therefore reference the variable $PHPSESSID (it's a cookie name; remember that from Cookies?)

Akbor
  • 1,280
  • 1
  • 9
  • 11