Is my understanding of PHP sessions correct?

Tags: php, session

I've been interested in how sessions work internally, but I have little knowledge of C (and am unsure where to look in the PHP source for this).

This is what I understand of sessions at the moment:

  1. When you start a session the user gets assigned a session id which is stored in a cookie.
  2. When session data is saved (via $_SESSION) it is stored on the filesystem, with the relevant session id and an expiry time.

Is this correct? Also, what is the method by which session ids are created? I assume it's based on time, but what if two users send a request at the same time? What methods are in place internally to prevent them getting the same id?

Thanks,

Ross asked Feb 07 '09 12:02


3 Answers

My understanding of the internal session handling process is the following:

When session_start is called, PHP is looking for a parameter from the client that was sent via POST, GET, or in a cookie (depending on the configuration; see session.use_cookies, session.use_only_cookies, and session.use_trans_sid) with the name of the value of session.name to use the session ID of an already started session.

If it finds a valid session ID, it tries to retrieve the session data from the storage (see session.save_handler) to load the data into $_SESSION. If it can’t find an ID or its usage is forbidden, PHP generates a new ID using a hash function (see session.hash_function) on data of a source that generates random data (see session.entropy_file).

At the end of the runtime or when session_write_close is called, the session data in $_SESSION is stored away into the designated storage.

Gumbo answered Sep 18 '22 18:09
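The lifecycle in this answer (open storage, look up the ID, read into `$_SESSION`, write back at `session_write_close()`) can be made visible by swapping in a custom save handler, which is what `session.save_handler` selects. The following is an added example, not code from the answer or from PHP itself; it assumes PHP 8 on the CLI, and its in-memory array with an expiry timestamp is a constructed stand-in for the session files:

```php
<?php
// Added example, not from the original answer: an in-memory save handler that prints each
// step PHP takes during the session lifecycle. Assumes PHP 8; run from the CLI:
//   php session_trace.php
declare(strict_types=1);

final class TracingHandler implements SessionHandlerInterface
{
    /** @var array<string, array{data: string, expires: int}> constructed stand-in for session files */
    private array $store = [];

    public function __construct(private int $ttl) {}

    // session_start(): PHP opens the storage first (save_path, session.name).
    public function open(string $path, string $name): bool
    {
        echo "open  : save_path='$path' session.name='$name'\n";
        return true;
    }

    // session_start(), once an ID is known: load the serialised data for that ID.
    // An unknown or expired record yields '' and $_SESSION starts empty.
    public function read(string $id): string|false
    {
        $entry = $this->store[$id] ?? null;
        if ($entry === null || $entry['expires'] < time()) {
            echo "read  : id=$id -> no live record, \$_SESSION starts empty\n";
            return '';
        }
        echo "read  : id=$id -> '{$entry['data']}'\n";
        return $entry['data'];
    }

    // session_write_close() or script end: persist serialised $_SESSION with an expiry.
    public function write(string $id, string $data): bool
    {
        $this->store[$id] = ['data' => $data, 'expires' => time() + $this->ttl];
        echo "write : id=$id -> '$data'\n";
        return true;
    }

    public function close(): bool
    {
        echo "close\n";
        return true;
    }

    public function destroy(string $id): bool
    {
        unset($this->store[$id]);
        return true;
    }

    // Garbage collection drops records past their expiry; returns the number removed.
    public function gc(int $max_lifetime): int|false
    {
        $before = count($this->store);
        $this->store = array_filter($this->store, fn(array $e): bool => $e['expires'] >= time());
        return $before - count($this->store);
    }

    // Demo-only helper (constructed for this example): back-date a record so the next
    // read() treats it as expired.
    public function forceExpire(string $id): void
    {
        if (isset($this->store[$id])) {
            $this->store[$id]['expires'] = time() - 1;
        }
    }
}

ini_set('session.use_cookies', '0');    // CLI has no cookie jar; the ID is handed over below
ini_set('session.cache_limiter', '');   // nothing to send cache headers to from the CLI
$handler = new TracingHandler(ttl: 60);
session_set_save_handler($handler, true);

// Request 1: the client presents no ID, so PHP generates a fresh random one.
session_start();
$_SESSION['user'] = 'alice';
$id = session_id();
session_write_close();                  // -> write(), close()

// Request 2: the client sends the ID it was given (normally via the session cookie).
session_id($id);
session_start();                        // -> open(), read()
echo "request 2 sees user={$_SESSION['user']}\n";
session_write_close();

// Request 3: the same ID after its record has expired behaves like no session at all.
$handler->forceExpire($id);
session_id($id);
session_start();
echo 'request 3 sees ' . (isset($_SESSION['user']) ? 'the old data' : 'an empty session') . "\n";
session_write_close();
```

Each simulated request corresponds to one HTTP request in a web SAPI; the `session_id()` calls stand in for the cookie the browser would send back. The expiry check inside `read()` is the part that makes an old ID useless once its record lapses, which is the "expiry time" half of point 2 in the question.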


Look at php_session_create_id in ext/session/session.c in the PHP source.

It goes like this:

  • get time of day
  • get remote ip address
  • build a string with the seconds and microseconds from the current time, along with the IP address
  • feed that into configured session hash function (either MD5 or SHA1)
  • if configured, feed some additional randomness from an entropy file
  • generate final hash value

So getting a duplicate is pretty difficult. However, you should familiarise yourself with the concept of session fixation, which allows an attacker to potentially choose the session_id their target will adopt - see Sessions and Cookies for a good primer.

Paul Dixon answered Sep 20 '22 18:09
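Session fixation, which this answer points at, is handled on the server side by refusing IDs the server never issued and by rotating the ID whenever the privilege level changes. The script below is an added example, not code from the answer or from PHP's source; it assumes PHP 8 on the CLI with the default files save handler, whose `sess_<id>` file naming it relies on, and uses a scratch directory so it touches nothing else:

```php
<?php
// Added example, not from the original answer: two session-fixation defences in PHP 8 using
// the default files save handler. Run from the CLI: php fixation_demo.php
declare(strict_types=1);

// Scratch directory so the demo leaves the real save_path alone.
$dir = sys_get_temp_dir() . '/php-session-demo-' . getmypid();
mkdir($dir, 0700);
ini_set('session.save_path', $dir);
ini_set('session.use_cookies', '0');      // CLI: the ID is handed to PHP explicitly below
ini_set('session.cache_limiter', '');     // no cache headers to send from the CLI
ini_set('session.use_strict_mode', '1');  // defence 1: never adopt an ID the server did not issue

// Stands in for the "Cookie: <session.name>=<id>" header of an incoming request.
function startWithClientId(string $id): string
{
    session_id($id);
    session_start();
    return session_id();                  // the ID PHP actually adopted
}

// A client presents an ID that was never issued (constructed value). In strict mode the
// files handler finds no sess_<id> file, so PHP discards it and generates a fresh one.
$adopted = startWithClientId('never-issued-id');
echo 'supplied ID adopted: ' . var_export($adopted === 'never-issued-id', true) . "\n";
session_write_close();

// Defence 2: rotate the ID when privilege changes (login). session_regenerate_id(true) also
// deletes the old record, so anyone who learned the pre-login ID is left with a dead one.
$preLogin = startWithClientId($adopted);  // a known ID passes validation and is kept
$_SESSION['user'] = 'alice';
session_regenerate_id(true);
$postLogin = session_id();
session_write_close();

echo 'ID rotated at login: ' . var_export($preLogin !== $postLogin, true) . "\n";
echo 'old record removed: ' . var_export(!is_file("$dir/sess_$preLogin"), true) . "\n";
echo 'new record present: ' . var_export(is_file("$dir/sess_$postLogin"), true) . "\n";

// Remove the scratch directory.
array_map('unlink', glob("$dir/sess_*") ?: []);
rmdir($dir);
```

The first check fails to adopt the supplied value and the three later checks all come out true. In a real application the regeneration belongs immediately after successful authentication, before any privileged data is written to `$_SESSION`, and `session.use_strict_mode` belongs in php.ini rather than in the script.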


The session ID is probably just a random string of letters and numbers. Also it would be strange if PHP didn't check to see that it is unique and therefore cannot be the same for two users. As for (1) and (2), I'd say you're correct, but I haven't worked with PHP recently, so feel free not to believe me.

user61405 answered Sep 19 '22 18:09