问题
As per my understanding, PHP processes doesn't behave as application server process. So, after the execution of a script the PHP process retains no user specific data. It instead stores them in the user's cookie. So whatever we store in $_SESSSION goes into cookies. Is this true? If yes then are they stored in clear text or some encoding or encryption is done?
回答1:
No, the only thing that goes into the session cookie is the ID of the session - a random alphanumeric string. All the session data is stored on the server in a file (using the default session handler, though you can override to store the data anywhere/any way you want).
回答2:
No, that is not true. Only the session's ID is stored in the session cookie. The session data is all stored server-side (albeit in plain text, by default).
回答3:
The 'cookie' that is stored on a client computer is a session id. The 'session' itself resides on the server. When a page is requested during a session, the session id is appended to the query string which lets the server know what session to load for this request.
Unless the session id is stolen (and the session 'hijacked'), sessions are secure. You can protect against this (somewhat) by storing the IP Address and the User Agent String that created the session in the session and comparing these against the requesting IP Address and User Agent string for each page access. Just remember that these rely on HTTP headers and can be spoofed.
回答4:
The cookies are just identifiers store in the client. These are given to the server with each HTTP request. The server then matches the cookie identifier with stored data and retrieves the correct values for $_SESSION.
来源:https://stackoverflow.com/questions/7070744/is-storing-data-in-php-session-insecure