James Nunnerley wrote:
> ...
>
> It works a treat, however what I want to understand is how the session is
> kept relevant to that particular user's session - mainly because my boss
> wants to check there's no security implication.
>
> ...

The session is stored on the server, typically in a file in /tmp. This gives the additional security needed for your type of application because the data is never directly seen by the user.

The link to the user is provided by a variable, typically stored as a cookie, though it can be passed via GET if cookies are disabled. The variable contains a random string which links to the temporary session file. All the handling of the session, retrieving the data etc. is done by PHP for you.

An example of this in practice:

The first page starts a session, setting $_SESSION['foo'] = 'bar';
A cookie is created in the header, setting the variable PHPSESSION = '232323';
At the end of the request a file /tmp/sess_232323 is created; this contains a slight variant of serialize($_SESSION);

The second page starts a session; PHP grabs $_COOKIE['PHPSESSION'] and looks up the file /tmp/sess_232323, reading in the data.
You can now access $_SESSION['foo'].

The above is slightly simplified, but it gives you a good idea of what happens and some of the security risks that remain. Most of the fixed strings I used above are configurable, including the variable used in the cookie, the timeout for the cookie, the location of the session files, the starting bit of the session file and how quickly the server-side session files are deleted.

David

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
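The two-request flow David describes, as an added example that is not part of his post or of PHP's own sources: a single CLI run plays the "first page" and the "second page", shows the sess_<id> file and its serialized contents, and then goes a step further than the post by setting the ini options a reviewer would want (strict id handling, cookie-only ids, cookie flags) and regenerating the id at login. The save path under the system temp directory and the cookie name DEMOSESSID are assumptions for the demo; PHP's defaults are session.save_path and PHPSESSID, and the file layout shown assumes the default serialize_handler=php.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not from the original post): walks through the session
 * mechanism described on the list and the settings that close the
 * remaining risks. Save path and cookie name below are assumptions.
 */

function configureHardenedSession(string $savePath): void
{
    // Reject ids the server never issued (defeats session fixation).
    ini_set('session.use_strict_mode', '1');
    // Read the id only from the cookie, never from GET/POST: ids in URLs
    // end up in logs, bookmarks and Referer headers.
    ini_set('session.use_only_cookies', '1');
    // Cookie flags: unreadable by script, HTTPS only, not sent cross-site.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Lax');   // PHP >= 7.3
    // Idle files older than this (seconds) become garbage-collection candidates.
    ini_set('session.gc_maxlifetime', '1440');

    // Keep the files out of the shared /tmp: any local user who can read
    // /tmp/sess_* can read the data and hijack the session with that id.
    if (!is_dir($savePath)) {
        mkdir($savePath, 0700, true);
    }
    session_save_path($savePath);
    session_name('DEMOSESSID');   // assumption: the demo's cookie name (default PHPSESSID)
}

/** "First page": start a session, store a value, return the id PHP issued. */
function firstRequest(): string
{
    session_start();
    $_SESSION['foo'] = 'bar';
    $id = session_id();
    session_write_close();   // sess_<id> is written to disk here
    return $id;
}

/** "Second page": present the id (as the browser's cookie would) and read the data back. */
function secondRequest(string $id): ?string
{
    session_id($id);
    session_start();
    $value = $_SESSION['foo'] ?? null;
    session_write_close();
    return $value;
}

/** Privilege change (login): issue a fresh id so any id seen before login is worthless. */
function onLogin(string $id, string $user): string
{
    session_id($id);
    session_start();
    session_regenerate_id(true);   // true = delete the old sess_<id> file
    $_SESSION['user'] = $user;
    $newId = session_id();
    session_write_close();
    return $newId;
}

$savePath = sys_get_temp_dir() . '/php_sess_demo';   // assumption
configureHardenedSession($savePath);

$id     = firstRequest();
$onDisk = file_get_contents($savePath . '/sess_' . $id);
$value  = secondRequest($id);

// An id the server never issued: under use_strict_mode PHP discards it and
// creates a fresh one instead of happily populating the attacker's choice.
session_id('attackerchosenid123');
session_start();
$fixationRejected = session_id() !== 'attackerchosenid123';
session_write_close();

$newId = onLogin($id, 'james');

// All output is deferred: session_start() must run before anything is sent.
printf("issued id      : %s\n", $id);
printf("file contents  : %s\n", $onDisk);   // foo|s:3:"bar"; is the "slight variant of serialize"
printf("second request : foo = %s\n", $value);
printf("fixation       : %s\n", $fixationRejected ? 'rejected' : 'ACCEPTED (check use_strict_mode)');
printf("after login    : id changed %s, old file removed %s\n",
    $newId !== $id ? 'yes' : 'no',
    file_exists($savePath . '/sess_' . $id) ? 'no' : 'yes');
```

Run it with `php demo.php`; the id printed is the only thing a browser ever receives, and the file contents line is what sits on the server under that id. The three things a reviewer should then check on a real deployment are the permissions on the save path (the web server user only), that use_strict_mode and use_only_cookies are on so a URL-supplied or attacker-chosen id cannot become a live session, and that session_regenerate_id() is called whenever the session's privilege level changes.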