
When I log in to my Stack Overflow account, presumably Stack Overflow creates a login session for me. Something like this:

$_SESSION['login'] = 1;

And this session is available just for my specific device. So I guess there is something about my device stored on Stack Overflow's server, and it recognizes my device based on that thing.

My whole question is: what is that thing? What parameter of my device will be stored on the server? In other words, how does a session work just for a particular device?

Martin AJ
  • Not just for the device, it will work for a different browser too. – Niklesh Raut Jun 28 '16 at 14:11
  • @Rishi No, that's not true. If I log in to Stack Overflow with Chrome, I **will not** be logged in to IE or Firefox. – Martin AJ Jun 28 '16 at 14:12
  • A random value is set in a cookie, this is the common identifier between your browser and the server. See http://stackoverflow.com/questions/7298974/how-the-session-work-in-asp-net – Alex K. Jun 28 '16 at 14:13
  • @AlexK. So if I copy all my device's cookies and paste them into another device, I will be logged in on that device too? – Martin AJ Jun 28 '16 at 14:14
  • Probably yes, although a server might check other stuff besides the cookie (but most won't do that, as there is no obvious reason to do it) – Hans-Martin Mosner Jun 28 '16 at 14:25

1 Answer


By default when a session is created it is identified by some string called the session key. By default in PHP this is stored as a cookie under the name PHPSESSID. e.g. PHPSESSID=absuk44ocvs55mkp6eh1gh58q3

This key can then be used to load session information. Session information can be stored in e.g. a file.

The session id can be used/stored by the client in multiple ways. It seems that PHP supports passing the session id in the URL as well as in cookies, though cookies can also be disabled.

Do note that certain websites based on PHP might also store the related data in another way than a file, e.g. some might store it in a database.

In most cases however some data is stored in a cookie which is used to track the user.

Your example code:

$_SESSION['login'] = 1;

would require a session_start() before setting the variable. This would either load the session (based on an existing valid session id) or create a new session (random session id, or passed session id depending on configuration). The 'login' key and value would be stored locally on the server.

The next time the client connects, the session id is read and the data stored in $_SESSION can be retrieved based on this session id.

user254948
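The flow described in the answer and comments, as an added example that is not code from the original posts: the cookie carries only the random session id, the login flag lives on the server, and the server can apply an extra check of its own on top of the cookie. The `check_credentials()` and `client_fingerprint()` helpers and the `alice` account are hypothetical; the block assumes PHP 7.3 or later and a site served over HTTPS.

```php
<?php
declare(strict_types=1);

// Take the session id from the cookie only (never the URL) and refuse
// ids that this server did not generate.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'lifetime' => 0,       // dropped when the browser closes
    'path'     => '/',
    'secure'   => true,    // only sent over HTTPS
    'httponly' => true,    // not readable by page scripts
    'samesite' => 'Lax',
]);
session_start();           // loads the session named by PHPSESSID, or creates one

// Hypothetical credential check; the account below is constructed demo data.
function check_credentials(string $user, string $password): bool
{
    $users = ['alice' => password_hash('demo-password', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

// Secondary check: hash of the User-Agent header. It can be copied along
// with the cookie, so it only catches careless reuse of a session id.
function client_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

$user = $_POST['user'] ?? '';
$pass = $_POST['password'] ?? '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && is_string($user) && is_string($pass) && check_credentials($user, $pass)) {
    session_regenerate_id(true);          // new id at login; the old one is deleted
    $_SESSION['login'] = 1;               // kept on the server, not in the cookie
    $_SESSION['fingerprint'] = client_fingerprint();
}

// On every request the cookie selects the session; the server decides if it is valid.
$loggedIn = ($_SESSION['login'] ?? 0) === 1
    && hash_equals($_SESSION['fingerprint'] ?? '', client_fingerprint());
if (!$loggedIn && isset($_SESSION['login'])) {
    $_SESSION = [];                       // fingerprint mismatch: drop the session
    session_destroy();
}
echo $loggedIn ? "logged in\n" : "not logged in\n";
```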