4

Hi, I know that sessions are on the server side. When a user logs into a site we create a session and store user data in that session, and that session ID is unique. If multiple users log in to the same server, sessions with unique session IDs are created.

A cookie is a small file that the server embeds on the user's computer. Each time the same computer requests a page with a browser.

In the browser cookie I have seen variables called SID and SSID. Are those referring to the server's session ID?

or

From what parameters of the cookie does the session identify that this is the correct user?

When I send a request to the server,

are those IDs in the cookie matched with the server session ID?

My question is: how does the server know this is the correct user?

I have the idea of sessions and cookies, but their combination is not clear.

Actually I have searched this for a very long time, and I asked my friends and they also seem not to have a clear picture of this.

Please explain the scenario; thanks in advance.

Kanishka Panamaldeniya
  • 1
    possible duplicate of [Is my understanding of PHP sessions correct?](http://stackoverflow.com/questions/523703/is-my-understanding-of-php-sessions-correct) – Gumbo Feb 27 '14 at 12:41
  • Cookie stores session identifier. With each request, that identifier is sent to the server. The server looks at it and checks whether it matches any session it stores. If it does, the user is identified and session data are loaded. – lafor Feb 27 '14 at 12:47

4 Answers

5

That's the point, the server can't know this.

More in detail:

The server generates a unique ID, then this ID is sent to the client and the client stores this ID in his cookies. For every request the client sends his ID, so the server knows which session it has to take for this user. But the problem is, if someone else knows the ID because he's listening to the network traffic, he can use the session ID and the server thinks it's the same client as before and will take the same session as before. This is called session hijacking.

To prevent this, you have to store the IP address for each session key and check if they match, but even then it's not 100% sure, because if the client is in a NAT-secured network and the attacker is in the same network too, they'll have the same IP address for the server and the server can't distinguish the attacker from the client.

Follow this tutorial to make your sessions safer.

ReeCube
  • ReeCube, you are confusing me :P, so please explain the situation, thank you in advance :) – Kanishka Panamaldeniya Feb 27 '14 at 12:41
  • 1
    +1 for the very interesting link and security concerns – Laurent S. Feb 27 '14 at 12:52
  • 2
    *you have to store the ip address for each session key and check if they match*, then wait for a call from a pissed off client trying to access the site from behind a load balancing proxy. – lafor Feb 27 '14 at 12:58
  • 2
    My point is there are cases when client's IP can change with each request for perfectly valid reasons, so stating that you *have to* use an IP check when initializing sessions is simply a bad advice. You *can* do that if you don't mind making some people unable to use your site. – lafor Feb 27 '14 at 13:18
  • And what's your idea how to solve this security issue? – ReeCube Feb 27 '14 at 13:20
  • 1
    @ReeCube Store the session ID in a cookie only and protect the cookie both during transmission (using TLS/SSL and *Secure* cookie attribute) and on the client-side (using *HttpOnly* cookie attribute). – Gumbo Feb 27 '14 at 15:55
2

Cookies are sent together with every HTTP request, in the HTTP header. The session ID stored in the session cookie is indeed used to match the user issuing the request with the session data on the server.

This presents a huge security hole when used over a non-secured connection, because anyone intercepting the traffic could just copy this session cookie and use it to issue his own requests. That's why more and more sites (Facebook, Google, ...) are "https only" sites. If that were not the case, it would be quite easy to get user data on most wi-fi hotspots.

Laurent S.
2

When a session is initiated between the browser and server, a session ID is generated. This session ID is sent to the browser in a cookie. This cookie name can be configured, but by default it is PHPSESSID.

By default, PHP stores the session data in the server's file system in a file named "sess_SESSION_ID" (SESSION_ID being the same value you have in the cookie). All the data you write to the session using $_SESSION['some_key'] = $some_val; are stored in this file.

So next time when you send a request to the server, your browser will send the cookie in the header. By using this cookie data PHP determines whether there is an active session. And using this cookie, the server knows which file and which data to read.

Ramesh
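A runnable sketch of the round trip Ramesh and ReeCube describe, added here as an example (not code from this thread, and Python standing in for PHP): a server-side store keyed only by the random ID carried in the PHPSESSID cookie, the lookup the server performs on each request, and the Secure/HttpOnly cookie attributes Gumbo recommends in the comments. The cookie name and the "sess_<id>" file pattern follow PHP's defaults; the JSON file contents, the temp directory and the helper names are assumptions made for this example.

```python
import json
import os
import secrets
import tempfile
from http.cookies import SimpleCookie

# Constructed stand-in for PHP's default session handler: cookie name PHPSESSID,
# one file per session named "sess_<id>". Assumption: contents are JSON here
# (real PHP uses its own serialisation format).
COOKIE_NAME = "PHPSESSID"
SAVE_PATH = tempfile.mkdtemp(prefix="sessions_example_")
HEX = set("0123456789abcdef")


def start_session():
    """Create a fresh session: the ID is random, never derived from user data."""
    sid = secrets.token_hex(16)          # 128 bits; guessing it is infeasible
    save_session(sid, {})
    return sid


def save_session(sid, data):
    """Write the session's data to its sess_<id> file (what $_SESSION writes do)."""
    with open(os.path.join(SAVE_PATH, f"sess_{sid}"), "w") as fh:
        json.dump(data, fh)


def set_cookie_header(sid):
    """Header sent once after login. Secure keeps it off plaintext HTTP,
    HttpOnly keeps it away from page scripts, SameSite limits cross-site sends."""
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def session_from_request(cookie_header):
    """Resolve a request to its session. Note what is NOT checked: the server
    has nothing but the ID, so whoever presents it gets the session."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    if morsel is None or not morsel.value or not set(morsel.value) <= HEX:
        return None                      # missing, or cannot be an ID we issued (no path tricks)
    path = os.path.join(SAVE_PATH, f"sess_{morsel.value}")
    if not os.path.isfile(path):
        return None                      # unknown or expired ID: treat as no session
    with open(path) as fh:
        return json.load(fh)


if __name__ == "__main__":
    sid = start_session()
    save_session(sid, {"user_id": 42})
    print(set_cookie_header(sid))
    print(session_from_request(f"{COOKIE_NAME}={sid}; theme=dark"))
```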
0

Cookies are stored on the client side, and their lifetime can be set. Every time a user visits your site a new session ID value is generated. SID is just a variable defined in php.ini and you can change it. So a cookie and a session ID are 2 different things.

Have a look here, this would help you: PHP cookies and sessions security for user accounts

Ritin