Are PHP Sessions Client-side or Server-side?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Are PHP Sessions Client-side or Server-side?

Post by JellyFish »

PHP sessions and how they work seem really vague to me. When I read about sessions in the php.net manual it says something about cookies, so I'm suspicious that maybe the $_SESSION variables are stored and controlled by the user. I figure this because of my established concept of cookies.

Is this the case; how secure are the sessions?

I appreciate any input on this subject and also maybe a detailed, yet comprehensible, resource for everything about php sessions and/or the basics of how they work.

Thanks for reading. :mrgreen:
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Are PHP Sessions Client-side or Server-side?

Post by Christopher »

Session data is stored on the server. Cookies are stored in the client.
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Re: Are PHP Sessions Client-side or Server-side?

Post by JellyFish »

Okay, thanks for your reply dude.

What is the relationship between sessions and cookies; why is it mentioned on php.net?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Are PHP Sessions Client-side or Server-side?

Post by Christopher »

One of the methods PHP uses to track sessions is to use a cookie. If cookies are not available it still works; PHP can also use a parameter and some other methods to identify the session.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W
Contact:

Re: Are PHP Sessions Client-side or Server-side?

Post by pickle »

$_SESSION data is as secure as your server & the connection. If the user is connecting over plain text http, then the cookie can be sniffed & a third party can access the $_SESSION data. If the connection is over https, the cookie data is encrypted too (when it's being sent over the wire).
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
SteelSlasher
Forum Newbie
Posts: 5
Joined: Fri Sep 12, 2008 12:54 pm

Re: Are PHP Sessions Client-side or Server-side?

Post by SteelSlasher »

arborint wrote: Session data is stored on the server. Cookies are stored in the client.
Not necessarily, sessions can be stored in the RAM of your PC since you can view sessions in Firefox 2
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W
Contact:

Re: Are PHP Sessions Client-side or Server-side?

Post by pickle »

SteelSlasher wrote: Not necessarily, sessions can be stored in the RAM of your PC since you can view sessions in Firefox 2
...Not PHP sessions. Maybe browser sessions, but that's something completely different. $_SESSION data is never transmitted to the browser unless explicitly echoed or stored in $_COOKIE.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Re: Are PHP Sessions Client-side or Server-side?

Post by JellyFish »

How are cookies used exactly?

What's sniffed?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Are PHP Sessions Client-side or Server-side?

Post by Mordred »

A short HTTP primer:
All HTTP messages consist of a header and a body. Typical bodies are page content (in server->client messages) and POST data (in client->server messages). Headers have three major roles:
- Tell the other side things about the body (size, encoding)
- Carry info about the TCP connection (you don't need the details here)
- Carry additional data. Cookies and GET data travel here.

Thus, if someone is capable of catching HTTP messages in transit (aka sniffing), he has full access to all $_GET, $_POST and $_COOKIE data.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Are PHP Sessions Client-side or Server-side?

Post by VladSun »

JellyFish wrote: How are cookies used exactly?

What's sniffed?
The session id. It's stored in the session cookie.
There are 10 types of people in this world, those who understand binary and those who don't
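Putting the answers in this thread together in one script, as an added example that is not from any poster: it shows that the browser only ever holds the session id (in a cookie) while the $_SESSION contents stay in a file on the server, and it sets the cookie flags that keep that id from being sent in clear text or read by script. It assumes PHP 7.3 or later (for the 'samesite' option) and the default 'files' save handler.

```php
<?php
// Added example, not from the thread. Which part of a PHP session is
// client-side (only the session id, in a cookie) and which is server-side
// ($_SESSION, serialized under session.save_path). Assumes PHP >= 7.3 and
// the default 'files' session handler.

declare(strict_types=1);

// Never accept a session id from the URL (?PHPSESSID=...); cookies only.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Only honour ids PHP generated itself, not ones a client made up.
ini_set('session.use_strict_mode', '1');

session_set_cookie_params([
    'lifetime' => 0,      // session cookie: dropped when the browser closes
    'path'     => '/',
    'secure'   => true,   // sent over HTTPS only, so it is not sniffable in clear text
    'httponly' => true,   // not readable via document.cookie
    'samesite' => 'Lax',
]);

session_start();

// Issue a fresh id when the session first gets meaningful state, so an id
// captured before that point no longer maps to this data.
if (!isset($_SESSION['initialised'])) {
    session_regenerate_id(true);
    $_SESSION['initialised'] = true;
    $_SESSION['user_id']     = 42;           // constructed sample data
    $_SESSION['role']        = 'subscriber';
}

// What the client actually holds: just the opaque id, never the data.
$clientSide = [session_name() => session_id()];

// Where the data actually lives: a file named sess_<id> on the server.
// session_save_path() is '' when unset, in which case PHP uses the temp dir.
$serverFile = rtrim(session_save_path() ?: sys_get_temp_dir(), '/')
            . '/sess_' . session_id();

header('Content-Type: text/plain');
echo "Cookie sent to the browser: ", json_encode($clientSide), "\n";
echo "Server-side store:          ", $serverFile, "\n";
session_write_close();                        // flush $_SESSION to that file
echo "Serialized on the server:   ", file_get_contents($serverFile), "\n";
```

Run it behind HTTPS and compare the Set-Cookie header in the response with the file contents printed at the end: the cookie carries only the id, and the user_id and role values never leave the server.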