JaxonBridge Posted April 30, 2010
Hello, I've been working with PHP for many years, but I've just started creating a login-based site for the first time that goes beyond simple htaccess techniques I've used before to control access. I'm reading and testing the session commands in PHP, and they seem straightforward enough. The only thing I do not understand is the mention of sending session ids either through cookies or URLs after a user has logged in.
This is a very naive question, probably, but why would either be necessary? What's wrong with just using the $_SESSION array to store information between pageviews of the same session? It would seem that doing this propagates information as easily as a cookie or a URL string, if not more easily. I'm confused why additional methods are necessary.
Link to comment: https://forums.phpfreaks.com/topic/200247-session-ids-are-they-really-necessary/
PFMaBiSmAd Posted April 30, 2010
The only way to associate the correct session data on the server with an http request by the correct browser is by a unique identifier that comes with the http request, i.e. the session id. Therefore, either the URL must contain the session id or the session id must be sent as data that makes up the http request.
andrewgauger Posted April 30, 2010
Yeah, until recently I was confused about the session thing, but let me know what I figured out: The sessionID is like the key to a box that holds your $_SESSION global. The only way in is using that key. Hope it helps.
JaxonBridge (Author) Posted April 30, 2010
I'm still confused because in my tests, I can connect to the same web pages from three different browsers. I am not using a session ID, but am merely using an incremental page counter as part of the _SESSION array that shows how many pages that particular session has viewed. This number is different for each browser, implying three different and effective sessions going simultaneously without the use of an SID. I can move around in each browser across the session's pages, and the incremental counter only changes for that browser.
Thus the _SESSION variable content does remain unique across different http requests from different users, without SID... right?
PFMaBiSmAd Posted April 30, 2010
"without the use of an SID"
What makes you think the web server and browsers are not passing a session id cookie back and forth?
JaxonBridge (Author) Posted April 30, 2010
This had not occurred to me because I thought you had to program the creation of a cookie yourself as part of the PHP. Are you saying that this is handled automatically by basic session commands?
anups Posted April 30, 2010
HTTP is a stateless protocol. It cannot store variables and values. To overcome this drawback, sessions are implemented. You cannot access the cookie set by different browsers in any language, be it JSP, ASP.NET, ROR, anything, due to security reasons. This is the reason "_SESSION variable content does remain unique across different http requests from different users".
JaxonBridge (Author) Posted April 30, 2010
So if I understand everyone, the use of a cookie is automatically attempted by PHP whenever you use start_session. You do not need to manually script the setting of the cookie, is this right? This explains how it works as it does in my tests among different browsers, even though I used no cookies in my code.
ChemicalBliss Posted April 30, 2010
It depends on a php.ini variable. You either use session cookies (to store the SID), or you pass the SID through the URL. If, for instance, a browser does not accept cookies, you can pass the SID through a _GET request, and the session functionality will pick up on it.
The session data is stored on the SERVER. It is accessed when the Session ID is passed to PHP; it reads and writes to these files. You can actually view and edit these files, although I believe they are in binary, or encoded at least.
Session files are a quick and easy way of storing temporary individual data, but session files can and do remain for a set duration (again in php.ini under garbage collection). This also means that there is a very small (the more sessions, the more likely) chance that someone could in fact guess, or 'stumble' upon, an already active session, one that is logged in for instance.
Google "PHP Sessions" for more information. Also check out php.net/sessions
-cb-
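Added example, not part of the original thread: a small PHP page that shows the session id cookie PHP exchanges automatically, the per-browser counter from the test described above, and settings that keep the id out of URLs and replace it at login. The file name `counter.php`, the `views` and `logged_in` keys and the `?login` parameter are assumptions made for illustration.

```php
<?php
// Added example (constructed for illustration, not code from the thread).
// Save as counter.php and serve locally with: php -S 127.0.0.1:8000

// Keys are session.* php.ini directives without the "session." prefix.
session_start([
    'use_only_cookies' => 1,      // never accept a session id from the URL
    'use_trans_sid'    => 0,      // never rewrite links to append the id
    'use_strict_mode'  => 1,      // refuse ids the server did not issue
    'cookie_httponly'  => 1,      // keep the cookie away from JavaScript
    'cookie_secure'    => !empty($_SERVER['HTTPS']), // set to true in production (HTTPS only)
    'cookie_samesite'  => 'Lax',  // requires PHP 7.3 or later
]);

$name = session_name();                    // "PHPSESSID" unless configured otherwise
$sentByBrowser = $_COOKIE[$name] ?? null;  // null on a browser's first request

// The per-browser page counter: it lives on the server, keyed by the id.
$_SESSION['views'] = ($_SESSION['views'] ?? 0) + 1;

// Hypothetical login step: issue a fresh id when the privilege level changes,
// so an id known before login is useless afterwards.
if (isset($_GET['login']) && empty($_SESSION['logged_in'])) {
    session_regenerate_id(true);           // true = delete the old session data
    $_SESSION['logged_in'] = true;
}

// Printing the id is for demonstration only; never echo it on a real page.
header('Content-Type: text/plain; charset=utf-8');
printf("cookie name     : %s\n", $name);
printf("id from browser : %s\n", $sentByBrowser ?? '(none: first visit, Set-Cookie sent now)');
printf("current id      : %s\n", session_id());
printf("views           : %d\n", $_SESSION['views']);
printf("logged in       : %s\n", !empty($_SESSION['logged_in']) ? 'yes' : 'no');
// With the default "files" handler an empty save path usually means the system temp dir.
printf("session storage : %s\n", session_save_path() ?: sys_get_temp_dir());
```

Loading the page in two browsers shows two different ids and two independent counters, and the browser's developer tools show the `Set-Cookie` header on the first response even though the script never calls `setcookie()`.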