PHP $_SESSION Implementation

Question

Does anyone know how PHP maps session IDs to $_SESSION arrays? In other words, given session ID x, where does PHP pull the values from to populate the $_SESSION array?

Answer 1

By default, PHP uses the files session handler. These files are stored based on the session.save_path setting, but defaults to the system's temp directory (a highly insecure location, consider changing it)

This session handler stores each session as a serialized PHP array in a file named with the session ID.

If you can find out a session ID prior to it being cleaned up by the session garbage collection routine, it can be hijacked, as PHP does not internally do any sanity checks. You may wish to do your own by storing the user's IP address in the session and comparing it to their current IP, clearing the session if they don't match.

session.gc_maxlifetime controls how many seconds a session will be considered valid. After this point, the session has a small chance of being deleted every time a request occurs. Default is 1440 seconds (or 24 minutes).

By default, this chance is 1%, but can be altered by adjusting the session.gc_probability and session.gc_divisor values (they default to 1 and 100 respectively).

There are other session handlers as well, such as the ones included with the memcache or memcached extensions. There was once one based on the libmm shared memory library, but I believe that has been discontinued.