session_start()

I have a page that is just:

<?php
session_start();
?>

The server response headers are showing:

HTTP/1.1 200 OK
Date: Fri, 01 Jul 2011 03:30:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=zOk****************; path=/
Content-Type: text/html

I was expecting a file in start/run/cookies something like:

user@mysite[1]

but there is none.

Why not?

My end point is to have the usual logged in / not logged in test for each page including the splash page ...


Session data is stored on the server and not on the client side. To store session data on the client you have to enable session.use_only_cookies.

Have a look at the PHP manual at http://php.net/manual/session.security.php


Thanks all for your help.

I downloaded a program called Fiddler which enabled me to see the characters that were passed back and forth between my server and my client.

I created a php file [A] on my server that contained only

<?php
session_start();   // issues a PHPSESSID cookie if the request did not carry one
echo "<a href='/testsessstill.php'>test again</a>";

I created a php file [B] testsessstill.php that just echoed "hi"

I called A from my browser.

PHPSESSID=xxxx in Client Request Header? NO
PHPSESSID=xxxx in Server Response Header? YES
Cookie file in client computer's cookie folder? NO
File in server /tmp folder? NO

I called B from the link in A

PHPSESSID=xxxx in Client Request Header? YES
PHPSESSID=xxxx in Server Response Header? NO
Cookie file in client computer's cookie folder? NO
File in server /tmp folder? NO

I searched my client computer for the presence of the string "SESSID" in any file and none was found.

Therefore, my belief AND CORRECT ME IF I AM WRONG is as follows:

When session_start() is called it returns a SESSID to the client in the headers, the SESSID is retained and is associated with the site the session relates to in memory of the client and is not written to file on the client.

When a client request header arrives with a value in PHPSESSID in the request header the server reads it but does not retain that SESSID anywhere. The value for SESSID is only present in memory on the client. The server does not return the SESSID in the response header to the client. If a request arrives with a SESSID in the header then the server accepts it as the SESSID.

[Obviously the next step is setting values associated with the SESSID but it helped me at least to explore the above first. It will help understand security I think].

How'd I go? That all an accurate assessment?


A session consist of two components:

  • the actual session data on the server
  • a cookie with a session id on the client

When starting a session, the server creates a random file in a system directory (configurable via session.save_path option) in which it stores all the data you write into $_SESSION. It sends a cookie to the client with a random session id. This session id just by itself is worthless, it just helps the server associate a certain session with a specific client. The client returns this session id cookie to the server on subsequent requests, which the server picks up when calling session_start() to re-activate an already existing session.

  • There's no session data stored on the client, only the session id cookie.
  • How and where that cookie is stored depends entirely on the browser in use.
  • You need to call session_start() on every page you wish to use sessions.

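As an added example (not code from the question or from any of the answers above), here is a small auth.php that puts the points from the last answer into practice: session_start() on every page, the id travelling only in a cookie, the data itself staying under session.save_path, and the "logged in / not logged in" test the asker wants on each page. It assumes PHP 7.3 or later (for the samesite option of session_set_cookie_params()) and a site served over HTTPS; the function names, the $_SESSION keys and the /login.php redirect target are my own choices, not anything the page prescribes.

```php
<?php
// auth.php - added example; require it at the top of every page that needs the check.
// Assumes PHP >= 7.3 and HTTPS (the 'secure' flag below).
declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started on this request
    }
    // Accept the session id only from the cookie, never from ?PHPSESSID=... in the URL,
    // and refuse ids the server did not generate itself (strict mode).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,      // session cookie: kept by the browser in memory, no file on disk
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();          // creates or re-attaches the server-side session file
}

function login(string $userId): void
{
    start_secure_session();
    // Issue a fresh id once the user is authenticated so an id handed out before
    // login (session fixation) cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId; // stored on the server, never sent to the client
    $_SESSION['logged_in_at'] = time();
}

function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie on the client, then drop the server-side data.
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// The per-page test: returns the user id, or redirects to the login page and stops.
function require_login(string $loginUrl = '/login.php'): string
{
    start_secure_session();
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $loginUrl, true, 302);
        exit;
    }
    return $_SESSION['user_id'];
}

// Usage on a protected page (hypothetical page, shown here for illustration):
//   require __DIR__ . '/auth.php';
//   $user = require_login();
//   echo 'hi ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

The ini_set() calls must run before session_start(), which is why everything goes through start_secure_session(). With these settings the only thing the client ever holds is the PHPSESSID cookie, exactly as the answer above describes; the user id and everything else written to $_SESSION lives in the file the server keeps under session.save_path.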