7

As per my understanding, PHP processes don't behave as application server processes. So, after the execution of a script the PHP process retains no user-specific data. It instead stores it in the user's cookie. So whatever we store in $_SESSION goes into cookies. Is this true? If yes, then are they stored in clear text, or is some encoding or encryption done?

AppleGrew
  • possible duplicate of [PHP Session Security](http://stackoverflow.com/questions/328/php-session-security) and [a few others](http://stackoverflow.com/search?q=[php]+session+security). – netcoder Aug 15 '11 at 20:57

4 Answers

8

No, the only thing that goes into the session cookie is the ID of the session - a random alphanumeric string. All the session data is stored on the server in a file (using the default session handler, though you can override to store the data anywhere/any way you want).

Marc B
  • It's pseudorandom enough to count as "random" in my book. Session IDs are not exactly trivially guessable. – Marc B Aug 15 '11 at 20:58
  • I suppose the smilie was insufficient to convey the intended joviality of the post. I totally agree, but I also felt like writing that. – cwallenpoole Aug 15 '11 at 21:05
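An added example (not from the answer above, and not part of the original thread) that makes the split visible: the browser only ever gets the session ID, and the data assigned to $_SESSION lands in a plain-text file under the save path on the server. The save directory, the sample values and the cookie hardening flags are assumptions for illustration; run it with php-cli.

```php
<?php
// Added example: demonstrates that the client receives only the session ID
// while $_SESSION data is written to a server-side file. The save path,
// sample data and hardening flags are assumptions for this demo.
declare(strict_types=1);

$savePath = sys_get_temp_dir() . '/php-session-demo';  // assumed demo location
if (!is_dir($savePath)) {
    mkdir($savePath, 0700, true);   // only the PHP process user should read session files
}
session_save_path($savePath);

// The cookie is the only secret the browser holds, so keep it away from
// JavaScript and off plain HTTP (array form needs PHP >= 7.3).
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1');  // reject IDs the server did not generate
ini_set('session.use_only_cookies', '1'); // never accept the ID from the query string

session_start();
$_SESSION['user_id'] = 42;       // constructed sample data
$_SESSION['role']    = 'admin';
session_write_close();            // flushes $_SESSION to disk

// What the browser receives: one cookie, name => opaque ID. No user data.
printf("Cookie sent to client: %s=%s\n", session_name(), session_id());

// What the server keeps: a serialised, unencrypted file keyed by the ID.
$file = $savePath . '/sess_' . session_id();
printf("Server-side file %s contains:\n%s\n", $file, file_get_contents($file));
// The file holds something like  user_id|i:42;role|s:5:"admin";

// Remove the demo session file.
unlink($file);
```

The file listing is the point of the default handler's "plain text" caveat from the other answers: anyone who can read the save path (shared hosting, a careless backup, a path-traversal bug) can read every user's session data, which is why the directory is created with mode 0700 here and why a custom handler backed by a database or an encrypting store is worth considering.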
6

No, that is not true. Only the session's ID is stored in the session cookie. The session data is all stored server-side (albeit in plain text, by default).

ceejayoz
3

The 'cookie' that is stored on a client computer is a session id. The 'session' itself resides on the server. When a page is requested during a session, the session id is appended to the query string which lets the server know what session to load for this request.

Unless the session id is stolen (and the session 'hijacked'), sessions are secure. You can protect against this (somewhat) by storing the IP Address and the User Agent String that created the session in the session and comparing these against the requesting IP Address and User Agent string for each page access. Just remember that these rely on HTTP headers and can be spoofed.

Jeff Lambert
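One way to implement the fingerprint check described in this answer, as an added example that is not the answer's own code: the fingerprint (User-Agent, optionally the client IP) is stored in the session when it is created and compared on every request; on mismatch the session data is dropped and a fresh ID issued. Function names, the login flow and the choice of SHA-256 are assumptions for illustration.

```php
<?php
// Added example: binds a session to a fingerprint of request headers and
// discards it on mismatch. Function names and the login hook are assumptions.
declare(strict_types=1);

const FP_KEY = '_fp';

// Build the fingerprint. IP binding breaks for users behind rotating proxies
// or mobile carriers, so it is opt-in. Both inputs are attacker controlled,
// so this is defence in depth, not a replacement for HTTPS and HttpOnly cookies.
function sessionFingerprint(array $server, bool $bindIp = false): string
{
    $parts = [$server['HTTP_USER_AGENT'] ?? ''];
    if ($bindIp) {
        $parts[] = $server['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode("\0", $parts));
}

// Call on every request after session_start().
// Returns true if the session may be used, false if it was discarded.
function enforceSessionFingerprint(array $server, bool $bindIp = false): bool
{
    $expected = sessionFingerprint($server, $bindIp);

    if (!isset($_SESSION[FP_KEY])) {
        // Fresh session: record the fingerprint of the client that created it.
        $_SESSION[FP_KEY] = $expected;
        return true;
    }

    if (hash_equals($_SESSION[FP_KEY], $expected)) {
        return true;
    }

    // Mismatch: treat as a possible hijack. Wipe the server-side data and
    // issue a new ID so the presented (possibly stolen) one is now useless.
    $_SESSION = [];
    session_regenerate_id(true);   // true = delete the old session file
    $_SESSION[FP_KEY] = $expected;
    return false;
}

// Call once a user authenticates: rotating the ID here also defeats session
// fixation, where an attacker plants an ID before the victim logs in.
function onLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Minimal usage; a real application would do this in its front controller.
ini_set('session.use_strict_mode', '1');
session_start();
if (!enforceSessionFingerprint($_SERVER)) {
    http_response_code(403);
    exit("Session fingerprint mismatch; please log in again.\n");
}
```

The comparison uses hash_equals rather than === so that the check does not leak timing information, and the mismatch branch deliberately logs the legitimate user out as well: a stolen ID and the victim's ID are the same string, so the only safe response is to invalidate it for everyone.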
0

The cookies are just identifiers stored on the client. These are given to the server with each HTTP request. The server then matches the cookie identifier with stored data and retrieves the correct values for $_SESSION.

Jonathan M