The session data is stored on the server. In the user's browser, only a session cookie is stored, usually a random session id string. I could never retrieve the session variables with any browser tools, always only with PHP by echoing them out or something. Also, a cookie is simply a text file with a maximum of 4096 characters on the user's browser, not enough to store big session variables with big objects. So, the user's browser just stores a cookie with the session id, so that the server knows which user to map to which session variables. The session variables (in PHP) are stored in the temporary directory on the server in a text file (flattened or serialized), where the server can retrieve them across requests. This is important for security reasons. You might not want the user to be able to view certain variables in their browser otherwise they could change them and cause some damage, e.g. imagine a user has a permission level between 1 and 10 and 1 is the super user. You can store this level in a session variable, and the user cannot change it. If they could, it would be a disaster! Also, if one could store more than 4096 characters, it would be relatively easy to write out some session variables in order to flood the browser memory and make it crash or even worse.
Oh, and the Cookies, as far as i know, are always sent in the http headers. They are stored on both client and server and can be set on both sides, with javascript or server side code (php). So they can only be checked in every request by the server side code, and while javascript is being executed on the client. Please correct me if I'm wrong because I would need to review a lot of code in which it is assumed that session variables are NOT stored on the user's machine. Makes sense? Regards, Tim Tim-Hinnerk Heuer http://www.ihostnz.com On Sat, Feb 7, 2009 at 8:11 PM, Phpster <phps...@gmail.com> wrote: > A Session is stored on the user browser in a session ( in memory cookie) > and on the server as a file. The session mgmt tools will read the file as > needed. > > Bastien > > Sent from my iPod > > > On Feb 7, 2009, at 1:58, Paul M Foster <pa...@quillandmouse.com> wrote: > > I'm not too clear on HTTP headers, cookies, and such. So here are >> questions related to that. Let's say I generate a random number that I >> want the user to enter in a form. When I generate the number, I store it >> in a session variable ($_SESSION). When the user submits the form, I >> check the number they enter with what I've stored in the session >> variable. >> >> Since this session variable survives across page loads (assuming >> session_start() is appropriately called), how is it stored and recalled? >> >> Is it automatically stored as a cookie on the user's system? >> >> Or is it stored on the server? >> >> And how does a server "get" a cookie? >> >> Is it a separate request made by the server to the client? >> >> If the value I've asked the user for is *not* stored as a cookie, then >> is it passed as part of the HTTP submission or what? >> >> Thanks for any enlightenment on this. >> >> Paul >> -- >> Paul M. Foster >> >> -- >> PHP General Mailing List (http://www.php.net/) >> To unsubscribe, visit: http://www.php.net/unsub.php >> >> > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > >
