views: 749
answers: 3
I've been interested in how sessions work internally, but I have little knowledge of C (and am unsure where to look in the PHP source for this).

This is what I understand of sessions at the moment:

  1. When you start a session the user gets assigned a session id which is stored in a cookie.
  2. When session data is saved (via $_SESSION) it is stored on the filesystem, with the relevant session id and an expiry time.

Is this correct? Also, what is the method by which session ids are created? I assume it's based on time, but what if two users send a request at the same time? What methods are in place internally to prevent them getting the same id?

Thanks,

+8  A: 

My understanding of the internal session handling process is the following:

When session_start is called, PHP is looking for a parameter from the client that was sent via POST, GET, or in a cookie (depending on the configuration; see session.use_cookies, session.use_only_cookies, and session.use_trans_sid) with the name of the value of session.name to use the session ID of an already started session.

If it finds a valid session ID, it tries to retrieve the session data from the storage (see session.save_handler) to load the data into $_SESSION. If it can’t find an ID or its usage is forbidden, PHP generates a new ID using a hash function (see session.hash_function) on data of a source that generates random data (see session.entropy_file).

At the end of the runtime or when session_write_close is called, the session data in $_SESSION is stored away into the designated storage.

Gumbo
+1  A: 

The session ID is probably just a random string of letters and numbers. Also it would be strange if PHP didn't check to see that it is unique and therefore cannot be the same for two users. As for (1) and (2), I'd say you're correct, but I haven't worked with PHP recently, so feel free not to believe me.

+6  A: 

Look at php_session_create_id in ext/session/session.c in the PHP source.

It goes like this:

  • get time of day
  • get remote ip address
  • build a string with the seconds and microseconds from the current time, along with the IP address
  • feed that into configured session hash function (either MD5 or SHA1)
  • if configured, feed some additional randomness from an entropy file
  • generate final hash value

So getting a duplicate is pretty difficult. However, you should familiarise yourself with the concept of session fixation, which allows an attacker to potentially choose the session_id their target will adopt - see Sessions and Cookies for a good primer.

Paul Dixon
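As an added example (not code from the answer above), here is the defence against the session fixation the answer points to, using PHP's own session settings and functions: reject IDs that do not exist in storage, accept the ID only from the cookie, and replace the ID whenever privilege changes. It assumes PHP 7.3+ (array form of `session_set_cookie_params` and `setcookie`) and uses a constructed in-memory user table in place of a real credential store.

```php
<?php
// Added example, not from the answer above: hardening a PHP session against
// fixation with the settings and functions PHP provides.
// Assumes PHP 7.3+; the user table below is constructed for the demo.
declare(strict_types=1);

function start_hardened_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable by page script
        'samesite' => 'Lax',
    ]);
    session_start([
        // Strict mode: an ID the client presents that is not already in storage is
        // discarded and a new one generated, so a planted ID is never adopted.
        'use_strict_mode'  => 1,
        'use_only_cookies' => 1,  // never take the ID from a URL parameter
        'use_trans_sid'    => 0,
    ]);
}

// Constructed demo credential store (in a real application this is a database).
function demo_users(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $users;
}

function check_credentials(string $user, string $password): bool
{
    $hash = demo_users()[$user] ?? null;
    return $hash !== null && password_verify($password, $hash);
}

// On every privilege change the ID is swapped, so a value an attacker fixed
// before login identifies nothing after it.
function login(string $user, string $password): bool
{
    if (!check_credentials($user, $password)) {
        return false;
    }
    session_regenerate_id(true);          // true: remove the old session's storage
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

start_hardened_session();
$before = session_id();
if (login('alice', 'correct horse battery staple')) {
    echo "logged in; id changed: " . var_export($before !== session_id(), true) . PHP_EOL;
}
```

The two halves work together: `use_strict_mode` stops an unknown ID from being accepted in the first place, and `session_regenerate_id(true)` at login covers the case where the attacker obtained a real, storage-backed ID before the victim authenticated. The cookie flags limit where the ID travels; `session.use_only_cookies` and `use_trans_sid = 0` close the URL-based path the answer's `session.use_trans_sid` setting would otherwise open.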