Re: PHP Session

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



James Nunnerley wrote:
> ...
> 
> It works a treat, however what I want to understand is how the session is
> kept relevant to that particular user's session - mainly because my boss
> wants to check there's no security implication.
> 
>  ...
> 

The session is stored on the server, typically in a file in /tmp.
This gives the additional security needed for your type of application
because the data is never directly seen by the user.

The link to the user is provided by a variable, typically stored as a
cookie though it can be passed via GET if cookies are disabled.  The
variable contains a random string which links to the temporary session
file.  All the handling of the session, retrieving the data etc. is done
by PHP for you.


An example of this in practice:

The first page starts a session, setting $_SESSION['foo'] = 'bar';
A cookie is created in the header, setting the variable PHPSESSION =
'232323';
At the end of the request a file /tmp/sess_232323 is created, this
contains a slight variant of serialize($_SESSION);

The second page starts a session, php grabs $_COOKIE['PHPSESSION'] and
looks up the file /tmp/sess_232323, reading in the data.
You can now access $_SESSION['foo'].


The above is slightly simplified but it gives you a good idea of what
happens and some of the security risks that remain.  Most of the fixed
strings I used above are configurable including the variable used in the
cookie, the timeout for the cookie, the location of the session files,
the starting bit of the session file and how quickly the server side
session files are deleted.


David

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux