185

Are $_SESSION variables stored on the client or the server?

LF00
Steve Gattuso
  • 2
    on the server where you run the php application, for specific path you have to check with phpinfo() – postsrc Jan 01 '18 at 13:51

12 Answers

196

The location of the $_SESSION variable storage is determined by PHP's session.save_path configuration. Usually this is /tmp on a Linux/Unix system. Use the phpinfo() function to view your particular settings if not 100% sure by creating a file with this content in the DocumentRoot of your domain:

<?php
    phpinfo();
?>

Here is the link to the PHP documentation on this configuration setting:

http://php.net/manual/en/session.configuration.php#ini.session.save-path

Toastrackenigma
rjamestaylor
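Added example, not part of the answer above: a PHP script that reports the session settings in question without publishing a full phpinfo() page. The function names are illustrative; it resolves session.save_path (including the "N;MODE;/path" form), falls back to the system temporary directory when the value is empty, and shows whether other local accounts can list the directory.

```php
<?php
// Added example (not from the original answer): report where the running PHP
// keeps session data and who can list that directory.

// For the files handler session.save_path may be "/path", "N;/path" or
// "N;MODE;/path"; the directory is always the last ';'-separated field.
function session_storage_dir(string $savePath): string
{
    $parts = explode(';', $savePath);
    $dir = trim((string) end($parts));
    // An empty value ("no value" in phpinfo()) makes the files handler fall
    // back to the system temporary directory.
    return $dir !== '' ? $dir : sys_get_temp_dir();
}

function describe_session_storage(): array
{
    $handler = (string) ini_get('session.save_handler');
    $report = ['handler' => $handler, 'dir' => null, 'mode' => null,
               'others_can_list' => null, 'i_can_list' => null];
    if ($handler !== 'files') {
        // For other handlers save_path is a handler-specific address, not a directory.
        $report['dir'] = (string) ini_get('session.save_path');
        return $report;
    }
    $dir = session_storage_dir((string) ini_get('session.save_path'));
    $report['dir'] = $dir;
    $perms = @fileperms($dir);
    if ($perms !== false) {
        $report['mode'] = sprintf('%04o', $perms & 07777);
        // The "other" read bit lets any local account enumerate sess_<id>
        // file names, and each file name contains a session ID.
        $report['others_can_list'] = ($perms & 0004) !== 0;
        $report['i_can_list'] = is_readable($dir);
    }
    return $report;
}

print_r(describe_session_storage());
```

Run it with the same SAPI and user as the web application (CLI and FPM/Apache can load different php.ini files), and remove it from the DocumentRoot afterwards.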
146

As mentioned already, the contents are stored at the server. However the session is identified by a session-id, which is stored at the client and sent with each request. Usually the session-id is stored in a cookie, but it can also be appended to URLs. (That's the PHPSESSID query-parameter you sometimes see.)

troelskn
  • 43
    +1 because you've implied that cookies do not store the contents of $_SESSION (these contents are stored on the server, so are not vulnerable to modification by the client) – shufler Nov 11 '10 at 15:01
  • 13
    Excellent answer! I was searching for the question: "Why do sessions expire after deleting browser cache?". And you saved my day. – Pupil Jun 17 '13 at 07:50
  • 2
    Server creates file sess_7nu9p0fvidvva6ouaugqcc8292 and on browser alert(getCookie('PHPSESSID')); // 7nu9p0fvidvva6ouaugqcc8292 – zloctb Oct 07 '13 at 07:30
  • 3
    Plus1 - For answering the question:" ...stored on the client or the server?" – Alex Vargas Oct 30 '16 at 22:44
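Added example, not part of the answer or comments above: since the session ID is the only thing the client holds, this PHP sketch keeps it in a cookie only (never in a PHPSESSID URL parameter) and limits how that cookie is exposed. The function names and the sample user are assumptions; the cookie_samesite option needs PHP 7.3 or later.

```php
<?php
// Added example (not from the original answer): keep the session ID in a
// cookie only, never in URLs, and restrict how that cookie is exposed.

function start_cookie_only_session(bool $https = true): bool
{
    return session_start([
        'use_only_cookies' => 1,   // ignore IDs supplied via ?PHPSESSID=...
        'use_trans_sid'    => 0,   // never rewrite links to append the ID
        'use_strict_mode'  => 1,   // reject IDs the server did not issue
        'cookie_httponly'  => 1,   // cookie is not readable from page scripts
        'cookie_secure'    => $https ? 1 : 0, // only sent over HTTPS
        'cookie_samesite'  => 'Lax',
    ]);
}

// Call once authentication succeeds: $_SESSION stays on the server, but it is
// re-keyed under a fresh ID and the record stored under the old ID is deleted.
function on_login(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

start_cookie_only_session();
on_login('alice'); // constructed sample value
echo session_name(), '=', session_id(), PHP_EOL;
```

With cookie_httponly set, a script call such as the getCookie('PHPSESSID') in the comment above no longer sees the ID.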
24

They're generally stored on the server. Where they're stored is up to you as the developer. You can use the session.save_handler configuration variable and the session_set_save_handler to control how sessions get saved on the server. The default save method is to save sessions to files. Where they get saved is controlled by the session.save_path variable.

Rob Kennedy
21

One addition: It should be noted that, in case "/tmp" is the directory where the session data is stored (which seems to be the default value), the sessions will not persist after reboot of that web server, as "/tmp" is often purged during reboot. The concept of a client-wise persistence stands and falls with the persistence of the storage on the server - which might fail if the "/tmp" directory is used for session data.

Gero
14

I am using Ubuntu and my sessions are stored in /var/lib/php5.

Vasyl Teraz
  • 3
    Thanks, that's all I wanted. Yeah, if they weren't in the usual spot, I'll need to crack open the INIs, but I just wanted to know "Hey, where are the sessions _usually_ stored?" /var/lib/php/sessions/ it is. – Eric L. Nov 24 '15 at 17:00
14

On Debian (isn't this the case for most Linux distros?), it's saved in /var/lib/php5/. As mentioned above, it's configured in your php.ini.

Hans
8

As Mr. Taylor pointed out this is usually set in php.ini. Usually they are stored as files in a specific directory.

Brian Fisher
7

For Ubuntu 16.10, sessions are saved in /var/lib/php/session/...

Lukáš Kříž
1

On my Ubuntu machine, sessions are stored at

/var/lib/php/sessions

and you have to sudo ls in this directory; with only ls it will throw

ls: cannot open directory '.': Permission denied

And on my Windows Wamp server php sessions are stored in

C:\wamp64\tmp

and if you install standalone PHP on Windows then there is no value set by default

session.save_path => no value => no value
Ali A. Dhillon
0

How does it work? How does it know it's me?

Most sessions set a user-key (called the sessionid) on the user's computer that looks something like this: 765487cf34ert8dede5a562e4f3a7e12. Then, when a session is opened on another page, it scans the computer for a user-key and runs to the server to get your variables.

If you mistakenly clear the cache, then your user-key will also be cleared. You won't be able to get your variables from the server any more since you don't know your id.

Emeka Obianom
0

Many of the answers above are opaque. In my opinion the author of this question simply wants to know where session variables are stored by default. According to this: https://canvas.seattlecentral.edu/courses/937693/pages/10-advanced-php-sessions they are simply stored on the server by default. Hopefully, others will find this contribution meaningful.

Evan Gertis
0

The PHP session, which is accessible via the global variable $_SESSION, is stored on the server as files by default. Also the reference to it (called session_id) is stored on the client side as a browser cookie. If either of these is deleted, then the session becomes invalid.

You can change the storage to database/Redis/memcache etc. using PHP Custom Session Handlers. Also there are extensions available for different storage like sqlite, memcache and memcached.

Dipu Raj