
Are PHP Sessions Client-side or Server-side?

Posted: Wed Sep 10, 2008 9:02 pm
by JellyFish
PHP sessions and how they work seem really vague to me. When I read about sessions in the php.net manual it says something about cookies, so I'm suspicious that maybe the $_SESSION variables are stored and controlled by the user. I figure this because of my established concept of cookies.

Is this the case; how secure are the sessions?

I appreciate any input on this subject and also maybe a detailed, yet comprehensible, resource for everything about php sessions and/or the basics of how they work.

Thanks for reading. :mrgreen:

Re: Are PHP Sessions Client-side or Server-side?

Posted: Wed Sep 10, 2008 9:18 pm
by Christopher
Session data is stored on the server. Cookies are stored in the client.

Re: Are PHP Sessions Client-side or Server-side?

Posted: Wed Sep 10, 2008 9:55 pm
by JellyFish
Okay, thanks for your reply dude.

What is the relationship between sessions and cookies; why is it mentioned on php.net?

Re: Are PHP Sessions Client-side or Server-side?

Posted: Wed Sep 10, 2008 10:14 pm
by Christopher
One of the methods PHP uses to track sessions is to use a cookie. If cookies are not available it still works; PHP can also use a parameter and some other methods to identify the session.

Re: Are PHP Sessions Client-side or Server-side?

Posted: Thu Sep 11, 2008 5:50 pm
by pickle
$_SESSION data is as secure as your server & the connection. If the user is connecting over plain text http, then the cookie can be sniffed & a third party can access the $_SESSION data. If the connection is over https, the cookie data is encrypted too (when it's being sent over the wire).

Re: Are PHP Sessions Client-side or Server-side?

Posted: Fri Sep 12, 2008 1:23 pm
by SteelSlasher
arborint wrote: Session data is stored on the server. Cookies are stored in the client.
Not necessarily, sessions can be stored in the RAM of your PC since you can view sessions in Firefox 2

Re: Are PHP Sessions Client-side or Server-side?

Posted: Fri Sep 12, 2008 2:20 pm
by pickle
SteelSlasher wrote: Not necessarily, sessions can be stored in the RAM of your PC since you can view sessions in Firefox 2
...Not PHP sessions. Maybe browser sessions, but that's something completely different. $_SESSION data is never transmitted to the browser unless explicitly echo'd or stored in $_COOKIE.

Re: Are PHP Sessions Client-side or Server-side?

Posted: Fri Sep 12, 2008 10:18 pm
by JellyFish
How are cookies used exactly?

What's sniffed?

Re: Are PHP Sessions Client-side or Server-side?

Posted: Sat Sep 13, 2008 7:07 am
by Mordred
A short HTTP primer:
All HTTP messages consist of a header and a body. Typical bodies are page content (in server->client messages) and POST data (in client->server messages). Headers have three major roles:
- Tell the other side things about the body (size, encoding)
- Carry info about the TCP connection (you don't need the details here)
- Carry additional data. Cookies and GET data travel here.

Thus, if someone is capable of catching HTTP messages in transit (aka sniffing), he has full access to all $_GET, $_POST and $_COOKIE data.

Re: Are PHP Sessions Client-side or Server-side?

Posted: Sat Sep 13, 2008 7:14 am
by VladSun
JellyFish wrote: How are cookies used exactly?

What's sniffed?
The session id. It's stored in the session cookie.
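
An added example, not part of any post in this thread: a single PHP page that shows the split the replies describe (only the session id goes into the cookie, the $_SESSION data stays on the server) and sets the cookie so it is never sent over plain HTTP where it could be sniffed. The sample values and the suggestion to serve it with `php -S` are assumptions; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example. Serve through a web server (e.g. `php -S localhost:8000`), not the CLI.

// Harden how the session id travels. These are standard php.ini session directives.
ini_set('session.use_only_cookies', '1'); // never accept the id from a URL parameter
ini_set('session.use_strict_mode', '1');  // ignore ids that this server did not issue

session_set_cookie_params([
    'lifetime' => 0,      // cookie ends with the browser session
    'path'     => '/',
    'secure'   => true,   // browser sends the cookie over HTTPS only
    'httponly' => true,   // cookie is not readable from JavaScript
    'samesite' => 'Lax',
]);

session_start();

if (!isset($_SESSION['user_id'])) {
    // Constructed sample data: written to the server-side session store only.
    $_SESSION['user_id'] = 42;
    $_SESSION['role']    = 'member';
    // Issue a fresh id whenever the privilege level changes (e.g. at login),
    // so an id captured earlier is useless afterwards.
    session_regenerate_id(true);
}

header('Content-Type: text/plain');

// What the client holds: a cookie name and an opaque id, nothing else.
echo 'Cookie name:  ', session_name(), "\n";
echo 'Cookie value: ', session_id(), "\n\n";

// What the server holds: the serialized $_SESSION array, keyed by that id.
// An empty save path means the files handler falls back to the system temp dir.
echo 'Stored under: ', session_save_path() ?: sys_get_temp_dir(), "\n";
echo 'Stored data:  ', session_encode(), "\n\n";

// The Set-Cookie header(s) actually sent: the id plus its flags, no session data.
foreach (headers_list() as $h) {
    if (stripos($h, 'Set-Cookie:') === 0) {
        echo 'Sent to browser: ', $h, "\n";
    }
}
```

Because of the `secure` flag, a browser visiting this page over plain HTTP will not send the cookie back, so every request there starts a new session; over HTTPS the same id is returned and the stored data is found again.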