The session data is stored on the server. In the user's browser, only a session cookie is stored, usually a random session id string. I could never retrieve the session variables with any browser tools, always only with PHP by echoing them out or something. Also, a cookie is simply a text file with a maximum of 4096 characters on the user's browser, not enough to store big session variables with big objects.

So, the user's browser just stores a cookie with the session id, so that the server knows which user to map to which session variables. The session variables (in PHP) are stored in the temporary directory on the server in a text file (flattened or serialized), where the server can retrieve them across requests.

This is important for security reasons. You might not want the user to be able to view certain variables in their browser; otherwise they could change them and cause some damage, e.g. imagine a user has a permission level between 1 and 10 and 1 is the super user. You can store this level in a session variable, and the user cannot change it. If they could, it would be a disaster! Also, if one could store more than 4096 characters, it would be relatively easy to write out some session variables in order to flood the browser memory and make it crash or even worse.

Oh, and the cookies, as far as I know, are always sent in the HTTP headers. They are stored on both client and server and can be set on both sides, with JavaScript or server-side code (PHP). So they can only be checked in every request by the server-side code, and while JavaScript is being executed on the client.

Please correct me if I'm wrong because I would need to review a lot of code in which it is assumed that session variables are NOT stored on the user's machine.

Makes sense?

Regards,
Tim

Tim-Hinnerk Heuer
http://www.ihostnz.com

On Sat, Feb 7, 2009 at 8:11 PM, Phpster <phpster@xxxxxxxxx> wrote:

> A Session is stored on the user browser in a session (in memory cookie)
> and on the server as a file. The session mgmt tools will read the file as
> needed.
>
> Bastien
>
> Sent from my iPod
>
> On Feb 7, 2009, at 1:58, Paul M Foster <paulf@xxxxxxxxxxxxxxxxx> wrote:
>
>> I'm not too clear on HTTP headers, cookies, and such. So here are
>> questions related to that. Let's say I generate a random number that I
>> want the user to enter in a form. When I generate the number, I store it
>> in a session variable ($_SESSION). When the user submits the form, I
>> check the number they enter with what I've stored in the session
>> variable.
>>
>> Since this session variable survives across page loads (assuming
>> session_start() is appropriately called), how is it stored and recalled?
>>
>> Is it automatically stored as a cookie on the user's system?
>>
>> Or is it stored on the server?
>>
>> And how does a server "get" a cookie?
>>
>> Is it a separate request made by the server to the client?
>>
>> If the value I've asked the user for is *not* stored as a cookie, then
>> is it passed as part of the HTTP submission or what?
>>
>> Thanks for any enlightenment on this.
>>
>> Paul
>> --
>> Paul M. Foster
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
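
The form scenario from the original question, as an added example that is not part of the thread and not code from any of its participants: a PHP CLI script that plays both requests and prints what the browser would hold next to what the server's session file contains. It assumes PHP 7+ and the default "files" save handler; the temporary directory name and the `challenge` key are made up for the demo.

```php
<?php
// Added illustration, not code from the thread. Run: php session_demo.php
// Assumes PHP 7+ and the default "files" session save handler.
$dir = sys_get_temp_dir() . '/sess_demo_' . bin2hex(random_bytes(4)); // made-up path
mkdir($dir, 0700);
ini_set('session.save_handler', 'files');
ini_set('session.save_path', $dir);   // where the server keeps session data
ini_set('session.use_cookies', '0');  // no browser in CLI: we carry the id by hand
$out = [];                            // print at the end, after all session calls

// Request 1: the server generates the number and remembers it server-side.
session_start();
$_SESSION['challenge'] = random_int(100000, 999999);
$shown = $_SESSION['challenge'];      // what the page displays to the user
$id = session_id();
session_write_close();                // flush the session file, as at end of request

$out[] = 'Cookie the browser would hold: ' . session_name() . '=' . $id;
$out[] = 'Server-side file sess_' . $id . ' contains: '
       . file_get_contents("$dir/sess_$id");

// Request 2: the browser sends back only the id plus the form field.
$_SESSION = [];                       // nothing survives in memory between requests
$submitted = (string) $shown;         // constructed form input: user typed the number
session_id($id);                      // a web server takes this from the Cookie header
session_start();                      // reloads the file and refills $_SESSION
$expected = (string) ($_SESSION['challenge'] ?? '');
$ok = $expected !== '' && hash_equals($expected, $submitted);
unset($_SESSION['challenge']);        // single use: a replayed form will not match
session_write_close();
$out[] = 'Submitted value matches stored value: ' . ($ok ? 'yes' : 'no');

// Clean up the demo directory.
array_map('unlink', glob("$dir/sess_*"));
rmdir($dir);
echo implode(PHP_EOL, $out), PHP_EOL;
```

The cookie line carries only the session name and id, while the stored number appears only in the serialized file under the save path.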