2

How does PHP or any other language that is server side store sessions on client machines?

Could you help me out?

halfer
user2820823
  • Sessions aren't stored on the client, they're stored on the server. – David Sep 26 '13 at 18:56
  • The session on the server is referenced by a cookie that is automatically placed on the client machine. Every visit supplies that cookie code, which is used to look up the session details, usually from a file in temporary storage. If you start a session and store something in PHP, have a look at your cookies for the site - you'll see you have a new one. – halfer Sep 26 '13 at 18:59
  • @David *Usually aren't (and I would suggest shouldn't)..* However, Sessions *can* be implemented entirely in-cookie without a server store. And, I thought there was a (frowned upon?) PHP setting that allowed this .. – user2246674 Sep 26 '13 at 19:02
  • Thanks... so how does PHP store the session ID in the browser? – user2820823 Sep 26 '13 at 19:07

4 Answers

2

Sessions are stored on the server. Either on the file system (often inside the tmp folder) or inside a database (if database session handling has been set up). Sometimes, they'll be stored in a caching daemon such as Memcached. Either way, session data is stored on the server and not on the client's machine.

On the client's side, you'll typically have a cookie, which contains the session ID that is used to link the user to the session data that is stored on the server. In certain circumstances, this ID may be forcefully appended to the URL, which is why you'll sometimes come across websites with PHPSESSID as a GET parameter in their URL.

Basically, when you visit a website, that site will read the PHPSESSID that is stored inside the cookie that is on your machine. It then uses that ID to find the session data that is relevant to your visit.

Community
Wayne Whitty
  • So how does PHP store PHPSESSID in the browser cookie? – user2820823 Sep 26 '13 at 19:05
  • @user2820823 Typically set after you make an HTTP request to the server in question. The server will respond with an HTTP response, which basically asks your browser if it's cool to save cookie data on your machine. See http://en.wikipedia.org/wiki/HTTP_cookie#Setting_a_cookie – Wayne Whitty Sep 26 '13 at 19:08
  • Thanks man... can you tell me how to code a compiler to do that? – user2820823 Sep 26 '13 at 19:10
  • @user2820823 See http://en.wikipedia.org/wiki/HTTP_cookie#Setting_a_cookie and you'll get a good idea of how to "ask" the browser if it's OK for you to set cookie data. Look into the Set-Cookie header. – Wayne Whitty Sep 26 '13 at 19:12
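
The exchange described in the answer and comments above, written out by hand as an added example (not code from this thread and not PHP's internal implementation): the server issues a random ID in a Set-Cookie header, keeps the data in its own store, and looks the ID up when the browser sends the cookie back. The function names, the in-memory `$store` array, the cookie attributes and the rejection of IDs the server never issued are assumptions of this example.

```php
<?php
// Added illustration of the cookie/session-ID exchange; not PHP's internal code.
// $store stands in for the session files PHP keeps on the server.

/** First visit: create a session and return the ID plus the response header. */
function startSession(array &$store): array
{
    $sid = bin2hex(random_bytes(16));          // unguessable 128-bit ID
    $store[$sid] = [];                         // the data itself stays server-side
    $header = "Set-Cookie: PHPSESSID=$sid; Path=/; HttpOnly; Secure; SameSite=Lax";
    return [$sid, $header];
}

/** Extract PHPSESSID from a request's Cookie header value, or null if absent. */
function sessionIdFromCookie(string $cookieHeader): ?string
{
    foreach (explode(';', $cookieHeader) as $pair) {
        $parts = explode('=', trim($pair), 2);
        if (count($parts) === 2 && $parts[0] === 'PHPSESSID') {
            return $parts[1];
        }
    }
    return null;
}

/** Later visits: look up the ID; IDs the server never issued are rejected. */
function resumeSession(array $store, string $cookieHeader): ?array
{
    $sid = sessionIdFromCookie($cookieHeader);
    if ($sid === null || !preg_match('/\A[0-9a-f]{32}\z/', $sid)) {
        return null;                           // missing or malformed ID
    }
    return $store[$sid] ?? null;               // unknown ID: no session is created
}

// Constructed exchange (sample values, not captured traffic).
$store = [];
[$sid, $setCookie] = startSession($store);
echo $setCookie, "\n";                         // response header sent to the browser
$store[$sid]['user'] = 'alice';                // server-side write, like $_SESSION

$request = "Cookie: theme=dark; PHPSESSID=$sid";    // what the browser sends back
$cookieValue = substr($request, strlen('Cookie: '));
var_dump(resumeSession($store, $cookieValue));      // ID issued by this server
var_dump(resumeSession($store, 'PHPSESSID=' . str_repeat('a', 32))); // never issued
```

Only the ID crosses the wire in either direction; the `user` value never leaves `$store`.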
1

PHP stores a cookie in the user's browser. That cookie doesn't store any session data, it just uniquely identifies the user. The session data is stored on the server, and associated with the user's cookie.

So when a user makes a request, their session ID stored in the cookie is passed along with the request. The server can use that session ID to retrieve the actual session data and make it available to the PHP script.

christopher_b
1

It's actually file based on the server. When you call session_start(), PHP creates a file on your server's HDD with anything you've stashed in that session. On the client end, they get a cookie (default called PHPSESSID) that contains the random string that corresponds to that file. PHP then uses a random garbage collection to delete old session files. If you want your sessions to last longer than the timeout in php.ini you can create your own session handlers to do things like store them inside something like memcached or your database.

Here's the section on the PHP website that's pertinent http://www.php.net/manual/en/session.configuration.php

Machavity
0

Yes - it is possible that "sessions [data is stored] on client machines".

While session data is usually stored server-side (using an identifier provided by the client, usually in the form of a cookie), there is no reason why the session data must be stored server-side to achieve the same semantics [1].

A session provider could store all session data in cookies directly. This means that all session data could be stored client-side; and there are such providers.

However, it is significantly more work to "securely" use cookie storage; i.e. encryption and MACs are the minimum additions required. (See Storing Session Data In Cookies: Problems And Security Concerns To Be Aware Of.)


[1] Effectively the only "requirement" of session data is that, within a browser session, all windows/tabs must (be able to) share the same session data. Cookies are the easiest way to do this simply because they are transmitted for each HTTP request according to some rules.

user2246674