session path

[jimfog]

I have set a directory in my localhost(a location in my HDD) as session.save_path. In that location i see files such as sess_ubhgs6me9p1l4j2h1rci2mal15. Does the above file hold the session ID of the visitor -which is unique?

[boen_robot]

The file name itself holds the session ID. The file contains the session data.

[jimfog]

Regarding the session data, you mean the value(s) that are stored in the $_SESSION array?I think that session data were supposed to be stored in the server.And another question. Does this file gets created every time the visitor(the registered one) comes in the site?

[justsomeguy]

Regarding the session data, you mean the value(s) that are stored in the $_SESSION array?

Right, normally stored in URL-encoded fashion like a query string.

I think that session data were supposed to be stored in the server.

The file is on the server, isn't it?

Does this file gets created every time the visitor(the registered one) comes in the site?

The file gets created when the session is started if it isn't already there.

[jimfog]

Right, normally stored in URL-encoded fashion like a query string.

The file is on the server, isn't it?

Oh...yes you are right,developing the application locally I forgotten that a server runs in my machine. Then...what gets stored in the cookie(if the session ID file holds the contents of $_SESSION array ) and where am I going to find it? I know that the cookie gets stored in the user's PC.Is it stored in the browser?

[justsomeguy]

Then...what gets stored in the cookie

The session ID.

Is it stored in the browser?

It's not stored "in" the browser, the browser is a program. It's stored *by* the browser, as a file on disk somewhere usually. Every browser has a way for you to examine, edit, and delete the cookies that it uses. Both the PHP session files and cookies are text files, you can open them in any text editor to see what's inside them. For cookies, the interface in the browser will give information about the options for the cookie also.

[jimfog]

The session ID.

In other words, you are saying(and correct if I am wrong) that session ID gets stored BOTH in the cookie AND as a name of a file in the serverwhere the session data is stored. And somehow, when a visitor(registered) comes in the site, PHP associates the session ID in the cookie with the file in the server. Correct?

[justsomeguy]

Session data doesn't necessarily need to be saved in files, but yes with the default session file handler the session ID is part of the filename. It's saved in the cookie because the browser needs to tell the server which session to use, that's how the server knows which session to use for that client. The server sets the cookie with the session ID it just created, and the browser sends the session ID back in the cookie so that the server knows which session to use for that client. There are other ways to store sessions though, if you wanted to then you could have PHP store sessions in a database and then it will look up a record in the database with the given session ID. With files though it uses the session ID in the filename, that's the fastest way using files to see if a certain session exists and get the data for it.

[Don E]

So if I understand correctly.. when we create a session, the server automatically creates a cookie on the clients'(users) computer and that cookie has information about the session that is stored on the server?

[boen_robot]

Yes, except that the only information the cookie has about the session is the session's ID - nothing more, and nothing less.

[Don E]

...thus why sessions are more safer than regular cookies for sensitive information... I see.. Thanks JSG and boen.