Tuesday, 27 December 2011

How PHP sessions work

This post is about how PHP sessions work, not how to use them, as I'm sure most of you already know that, and if not there are plenty of websites that will tell you.  I've noticed that a fair few developers don't understand how they work; I think this is partly because a lot of places that teach you how to use them don't actually tell you how they work.  One problem with this is that by default PHP sessions are not all that secure, but this is easily fixed.  I'm hoping this post will explain how they work and highlight some of the potential security holes associated with PHP sessions.

Brief background on HTTP & Cookies
Websites use the Hypertext Transfer Protocol (HTTP) version 1.1 (RFC 2616, for those who like technical documentation) to send pages and data across the Internet.  One of the problems with HTTP for developers is that it is a stateless protocol: nothing is saved on the client between server requests (such as page loads), and there is no reliable way of uniquely identifying a user between page requests.  I'm sure someone reading this has just thought that the user's IP address would be unique, but this isn't true, as quite often many people share the same IP address; for example, a family household all using the same Internet connection will show up on your server as all having the same IP address.

People realised this problem and came up with cookies to extend HTTP (RFC 2109) and allow it to be stateful; more about how HTTP and cookies relate to each other will be covered in another post.  That was a basic overview of why cookies exist and what they try to achieve: to allow unique identification of users and to remember the state of their browsing session.

I'm sure most of you are aware that there are two other methods that can be used, called GET & POST variables, but they are not directly related to this post and I'll be covering more about them and how they relate to PHP sessions in another post.  I just wanted to give a bit of information about cookies and why they exist, as PHP sessions often use them.

How PHP sessions work
Firstly, if used correctly, sessions are the most secure method of storing data unique to a user and identifying them, but they rely on things which are almost always outside of your control, so no sensitive data such as passwords should be stored in session variables.  In my opinion data stored in session variables should be hashed or encrypted where possible, although a lot of the time this just wouldn't be practical or useful and cannot be done; it is just worth keeping in mind.

When a PHP session is created, the server first generates a random id which is used to uniquely identify the session.  A file is then created on the server (by default typically in the /tmp directory of your web server) with the generated id as its name, and the session information, such as the variables you have stored in that session, is stored in a serialised form in that file.  A cookie is also set in the client browser, by default named "PHPSESSID", with its value set to the same unique id used for the file name stored on the server.

Every time the client browser makes a request to the server it passes this cookie in the HTTP headers, so the server knows which session file is associated with the client.  The server unserialises that file so you as a developer can access the session associated with the client as an array, using code such as $_SESSION['variable'].
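To make the above concrete, here is an added example that is not part of the original post: a script you can run from the command line that starts a session, prints the cookie name and the generated id, stores two values, and then shows the serialised session file PHP wrote to disk before reading it back as a "second request".  It assumes the default files save handler and a writable system temp directory; the php_session_demo directory name and the sample values are constructed for this example.

```php
<?php
// Added example (not from the original post): walks through what PHP does when a
// session starts, using the default "files" save handler. Assumes a writable
// system temp directory; the directory name php_session_demo is an arbitrary choice.
declare(strict_types=1);

// Keep the demo's session files in their own directory, readable only by the
// user running PHP. A world-readable save path lets any local account read every
// session on the box, which is one of the "outside your control" risks.
$savePath = sys_get_temp_dir() . '/php_session_demo';
if (!is_dir($savePath)) {
    mkdir($savePath, 0700);
}
ini_set('session.save_path', $savePath);

echo "cookie name:  " . session_name() . "\n";   // PHPSESSID unless changed
echo "save path:    " . $savePath . "\n";

// 1. Start the session. PHP generates a random id and, on a web request, queues a
//    Set-Cookie header carrying it. From the CLI no cookie is sent, but the
//    session file is still created, which is what we want to inspect.
session_start();
$id = session_id();
echo "session id:   " . $id . "\n";

// 2. Store some data; $_SESSION is an ordinary array. Sample values are constructed.
$_SESSION['user']   = 'alice';
$_SESSION['visits'] = 3;

// session_encode() returns the serialised form the save handler writes to disk.
echo "serialised:   " . session_encode() . "\n";

// 3. Write and release the session. The files handler names the file sess_<id>.
session_write_close();
$file = $savePath . '/sess_' . $id;
echo "session file: " . $file . "\n";
echo "on disk:      " . file_get_contents($file) . "\n";

// 4. On the next request the browser sends "Cookie: PHPSESSID=<id>"; PHP reads
//    sess_<id> back and unserialises it into $_SESSION. Simulate that second
//    request by resuming the same id in this process.
session_id($id);
session_start();
$restored = ($_SESSION['user'] ?? null) === 'alice' && ($_SESSION['visits'] ?? null) === 3;
echo "restored ok:  " . ($restored ? 'yes' : 'no') . "\n";

// 5. Clean up: session_destroy() removes the server-side file. The cookie, if one
//    was set, stays in the browser until it expires or is cleared.
session_destroy();
```

The serialised string is produced by PHP's default serialize_handler and is simply each variable written as key|serialize(value), one after another; the file on disk contains exactly that string, with no access control beyond the filesystem permissions of the save path.  That is why the example creates its directory with mode 0700, and why the post warns against putting passwords in the session.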

Most of what I've written above is just what happens by default, but most of it can be changed either in the PHP script or in the php.ini file.  Some examples of what could be changed are:
  • The session id stored on the client is passed in the URL or as a POST variable rather than as a cookie, although this is less secure; more about that in the next post.
  • Making cookies the only method used to store the session id.
  • Ensuring cookies are only passed over a secured connection, or marking them as only accessible over HTTP (the HttpOnly flag, so JavaScript cannot access them).
  • There are many more things, far more than I can list here; you can even write your own session handler rather than using the default one, or store all your session data in a database rather than in a file.  For more information about what you can change have a look at the PHP manual.  Note that a lot of these are settings in the php.ini file, but if you don't have access to modify it directly you can use the ini_set function in your script.  I'll write another post in the future about storing sessions in a database, but a very good explanation of it can be found on Chris Shiflett's website.
If you think anything I've written is incorrect, that I've missed something or just that you didn't understand something please leave a comment and I'll get right back to you.
