Can PHP sessions be manually edited?
Can PHP sessions be edited like cookies? Or are they stored on the webhost?
The session key is stored in the client's browser, while the data is stored on the server.
When the user makes a request on the server, their session key is sent across the network and the values associated with their key are retrieved from the specific session file on the server and are made accessible via $_SESSION.
It is possible to hijack another user's session if the key is intercepted, which is why you should have specific values in the session which associate to the user's computer/network connection (IP address, for example).
Session data cannot be edited by the user, as it is stored on the server. The user can, however, start a new session and ditch whatever session data he previously had. Also, you should be aware of potential security issues, such as session fixation.
Usually they're stored in the /tmp directory of a webserver if the host isn't careful. This can be changed with session_save_path(); it's something I do with all of my PHP applications that use sessions.
This works like below:
- Browser requests page, submitting your SID or Session ID with help of a cookie or with the URL.
- Server finds cookie files inside the session_save_path() and unserializes the array.
- You access that info with PHP.
Alas, the only thing the client knows is the session's ID, but that can be hijacked, for example by using cookie stealers or other Cross Site Scripting methods. If I, for example, got your SO session, SO wouldn't know any better than that I was you, unless they also check my IP or something like that.
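The points raised across these answers (moving session files out of /tmp with session_save_path(), binding the session to the client's connection, guarding against fixation and cookie-stealing XSS) combined into one bootstrap file, as an added example that is not from the question or any of the answers. The save path /var/lib/php/myapp-sessions is a hypothetical directory assumed to be writable only by the web server user.

```php
<?php
// Added example: hardened PHP session bootstrap (include before any output).
declare(strict_types=1);

// 1. Keep session files out of the shared /tmp directory (path is hypothetical).
session_save_path('/var/lib/php/myapp-sessions');

// 2. Cookie flags: HttpOnly hides the ID from document.cookie (XSS cookie stealers),
//    Secure limits it to HTTPS, SameSite limits cross-site sending.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued (fixation)
ini_set('session.use_only_cookies', '1'); // never accept the SID from the URL

session_start();

// 3. Bind the session to the client, as the first answer suggests. Caveat: IP-based
//    binding breaks for users on mobile/proxy networks, so a mismatch ends the
//    session rather than being treated as proof of an attack.
function clientFingerprint(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ip . '|' . $ua);
}

if (!isset($_SESSION['fp'])) {
    $_SESSION['fp'] = clientFingerprint();
} elseif (!hash_equals($_SESSION['fp'], clientFingerprint())) {
    // Fingerprint changed: drop all data and start over with a fresh ID.
    $_SESSION = [];
    session_destroy();
    session_start();
    session_regenerate_id(true);
    $_SESSION['fp'] = clientFingerprint();
}

// 4. On login, issue a new ID so an ID planted before authentication is useless.
function onLoginSuccess(int $userId): void
{
    session_regenerate_id(true); // true = delete the old session file on the server
    $_SESSION['user_id'] = $userId;
}
```

Because the data lives in the server-side file, nothing the browser sends can alter $_SESSION contents; the only thing worth protecting is the ID itself, which is what steps 2 to 4 do.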