The Trials of Sessions

BrentNorin

Ok I have some questions about sessions. Yes I've looked around and stuff, but not very thouroughly (sp?) and I get confused with the manual. I really want to jump right into cookies, but I don't even really understand how my sessions are even working right now.

So what I know is that you need session_start() at the beginning of each page. I login and it sets $_SESSION['user'] = blah; and so on. Now just by putting session_start() at each page, how in the world does it know it has the right session! I know you can pass the SID along in the url, or a cookie, but just basically how does it work with nothing. I know it does because it works for me! 🙂

When I log out I use session_uset() followed by session_destroy(). Are there any security faults here?

At a glance it almost seems to simple. Am I skipping vital parts and leaving major security breaches? Help me along here. Oh and it might take me some time to leave followups.

Weedpacket

It doesn't have nothing; it has that SID. The client is given the SID, which it attaches to every request made. When the server extracts the request, it retrieves the SID, looks it up in its list of current sessions, and extracts the data it has stored under that SID.

You're probably using PHP's default of storing session data in a tmp directory. If you look in there while there are active sessions you'll see a bunch of files with SIDs in their names. The data in each of those files is the corresponding session data.

BrentNorin

Ok. Thats nifty. Its defaulted. How about my other questions?!