Does anyone know how PHP maps session IDs to $_SESSION arrays? In other words, given session ID x, where does PHP pull the values from to populate the $_SESSION array?
And given a session ID and the url it came from, is there any possibility of someone being able to gain access to the values in the $_SESSION array?
Session info is stored on server filesystem. There's configuration parameter session.save_path in php.ini. Some info about sessions security is given here: http://www.php.net/manual/en/session.security.php
Session data is usually stored in temporary files on disk (see the session.save_path setting) and the filename reflects the session ID.
In general, yes, if someone gets hold of another user's session ID and sends it along with his own request, he will gain access to that user's session. One way of solving this is to bind sessions to IP addresses and invalidate the session when a request arrives from a different address.
No, there is no possibility!
...unless your code or the code of any component used is insecure.
With the default implementation of sessions (which can be replaced by a custom one if needed) the data is stored in local files. Your server receives the session ID from the client in a cookie, finds the corresponding local file on your server and populates data into $_SESSION.
Gaining access to this data requires file-level access on the server, which is not impossible, unless your server is secure enough.
By default, PHP uses the files session handler. These files are stored based on the session.save_path setting, but defaults to the system's temp directory (a highly insecure location, consider changing it)
This session handler stores each session as a serialized PHP array in a file named with the session ID.
If you can find out a session ID prior to it being cleaned up by the session garbage collection routine, it can be hijacked, as PHP does not internally do any sanity checks. You may wish to do your own by storing the user's IP address in the session and comparing it to their current IP, clearing the session if they don't match.
session.gc_maxlifetime controls how many seconds a session will be considered valid. After this point, the session has a small chance of being deleted every time a request occurs. Default is 1440 seconds (or 24 minutes).
By default, this chance is 1%, but can be altered by adjusting the session.gc_probability and session.gc_divisor values (they default to 1 and 100 respectively).
There are other session handlers as well, such as the ones included with the memcache or memcached extensions. There was once one based on the libmm shared memory library, but I believe that has been discontinued.
You can also write your own session handler to save the session to a database.
Also, if you want to make it harder to pin down the session ID, regenerate the session ID at strategic times (on privilege elevation, etc) -- or as often as you want.
Pass session_regenerate_id() the argument True to destroy the old session data.