PHP $_SESSION Implementation

Question

Does anyone know how PHP maps session IDs to $_SESSION arrays? In other words, given session ID x, where does PHP pull the values from to populate the $_SESSION array?

Answer 1

Session data is usually stored in temporary files on disk (see the session.save_path setting) and the filename reflects the session ID.

In general, yes, if someone gets hold of another user's session ID and sends it along with his own request, he will gain access to that user's session. One way of solving this is to bind sessions to IP addresses and invalidate the session when a request arrives from a different address.