Is My Understanding of PHP Sessions Correct

Is my understanding of PHP sessions correct?

My understanding is of the internal session handling process is the following:

When session_start is called, PHP is looking for a parameter from the client that was sent via POST, GET, or in a cookie (depending on the configuration; see session.use_cookies, session.use_only_cookies, and session.use_trans_sid) with the name of the value of session.name to use the session ID of an already started session.

If it finds a valid session ID, it tries to retrieve the session data from the storage (see session.save_handler) to load the data into $_SESSION. If it can’t find an ID or its usage is forbidden, PHP generates a new ID using a hash function (see session.hash_function) on data of a source that generates random data (see session.entropy_file).

At the end of the runtime or when session_write_close is called, the session data in $_SESSION is stored away into the designated storage.

Understanding sessions in PHP

1. Good question! I would assume that the default filesystem session handler would go off last access but not all filesystems support an atime timestamp. I'll see what I can find out on that front.
2. Sessions are by default stored as files on disc. They only take memory when loaded. Unless you've built a custom session handler that stores sessions in a RAM disc or in a memcache server or similar, or unless you're storing a huge amount of state in the user's session I doubt memory use will be a major concern.
3. When session_start() is called the previous session data is loaded into PHP. If the session has expired then there will be no session data to load and a new empty session will be created. So yeah, if you check for the existence of a variable in $_SESSION that you're expecting to always be there then you can use that to determine if the user's session has expired (but only after session_start() was called).
4. Simply set gc_max_lifetime to how long you want sessions to last in seconds. 600 is 10 minutes, 86400 is one day, etc.
5. Yes (with some caveats, see below).

There are a few things you need to be aware of with sessions though. First is that there's two components to a session: A server side state record that holds all the data stored in the session, and a client side token that PHP uses to associate a particular user with a particular state record. Normally the client side token is a cookie. Cookies have their own expiration date, so it's possible that the session can expire before the session state is due to do so. In that case the user will stop sending the token and the session state is effectively lost. If you're adjusting how long a session lasts you need to set both the server side state expiration time and the client side cookie expiration time.

As for stale state, the session garbage collection system doesn't always run every time session_start() is called. If it was the overhead would be crippling to a big PHP site with a lot of sessions. There are configuration options that specify the probability that the GC will run on any given invocation of session_start (I believes it defaults to 1%). If it doesn't run then a stale session record may still be treated as valid and used to populate $_SESSION. It probably won't have a serious effect on your system but it's something you need to bear in mind.

The correct way to use sessions?

your should create a methods for sessions
like:

function session_start(){
  session_start()
}
function session_create($key,$value){
  return   $_SESSION[$key] = $value;
}
function session_destroy(){
  session_destroy();
}

Check if PHP session has already started

Recommended way for versions of PHP >= 5.4.0 , PHP 7, PHP 8

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

Reference: http://www.php.net/manual/en/function.session-status.php

For versions of PHP < 5.4.0

if(session_id() == '') {
    session_start();
}

How exactly sessions and cookies combination , identify the correct user when a request send to the server

That's the point, the server can't know this.

More in detail:

The server generates a unique id, then this is id is send to the client and the client stores this id in his cookies, for every request the client sends his id so the server knows which session he has to take for this user but the problem is, if someone else knows the id because he's listening the network traffic, he can use the session id and the server thinks, it's the same client as before and he'll take the same session as before. This is called Session hijacking

To prevent this, you have to store the ip address for each session key and check if they match but event then it's not 100% sure because if the client is in a NAT secured network and the attacker is in the same network too, they'll have the same IP address for the server and the server can't distinguish the attacker and the client.

Follow this tutorial to make your sessions safer.

How do PHP sessions work? (not how are they used? )

In the general situation :

• the session id is sent to the user when his session is created.
• it is stored in a cookie (called, by default, PHPSESSID)
• that cookie is sent by the browser to the server with each request
• the server (PHP) uses that cookie, containing the session_id, to know which file corresponds to that user.

The data in the sessions files is the content of $_SESSION, serialized (ie, represented as a string -- with a function such as serialize) ; and is un-serialized when the file is loaded by PHP, to populate the $_SESSION array.

Sometimes, the session id is not stored in a cookie, but sent in URLs, too -- but that's quite rare, nowadays.

For more informations, you can take a look at the Session Handling section of the manual, that gives some useful informations.

For instance, there is a page about Passing the Session ID, which explains how the session id is passed from page to page, using a cookie, or in URLs -- and which configuration options affect this.

How exactly sessions and cookies combination , identify the correct user when a request send to the server

That's the point, the server can't know this.

More in detail:

The server generates a unique id, then this is id is send to the client and the client stores this id in his cookies, for every request the client sends his id so the server knows which session he has to take for this user but the problem is, if someone else knows the id because he's listening the network traffic, he can use the session id and the server thinks, it's the same client as before and he'll take the same session as before. This is called Session hijacking

To prevent this, you have to store the ip address for each session key and check if they match but event then it's not 100% sure because if the client is in a NAT secured network and the attacker is in the same network too, they'll have the same IP address for the server and the server can't distinguish the attacker and the client.

Follow this tutorial to make your sessions safer.

PHP sessions and session_start()

That's may be because that you have been redirected to another site during the process. And while you return from Paypal to your website, session_start() generated a new session id which your previously stored session variables are not linked to.

And when you removed session_start() (I don't think session should work without this on top), it used the old session id and never got regenerated. Hence, old session data are back!

This is just my assumption.

What happens if I don't call session_start()?

If you don't call session_start() than you won't have $_SESSION available. But if the page is a static html file anyway than you won't need $_SESSION for that page so you don't have to worry about it.

You only need it on pages where you do something with $_SESSION

---

Related Topics