doujia4759 2017-02-07 20:07

How does PHP know which SESSION variable goes with each browser that set it?

I understand that SESSION variables are stored in PHP.
But, if I close my browser, then go back to the page, how does PHP know that previously set session belongs with my browser?
IP address?

If it uses an IP, couldn't someone just fake an IP address and log in to other users' accounts because that is how PHP associates the session with the browser?

1 answer

  • dsghpgmay31938863 2017-02-07 20:11

    From the docs (emphasis mine):

    Sessions are a simple way to store data for individual users against a unique session ID. This can be used to persist state information between page requests. Session IDs are normally sent to the browser via session cookies and the ID is used to retrieve existing session data. The absence of an ID or session cookie lets PHP know to create a new session, and generate a new session ID.

    When a new session is started PHP generates a random string. This ID is then sent back to the browser as a cookie value. Subsequent requests pass this cookie back to the server so it can be looked up and know it's the same user coming back. The random session ID makes it hard for others to guess and gain access to another person's session.

    In the most recent version of PHP you can set the length of the session ID if you're concerned it's easy to guess. But statistically the defaults for session ID generation are not a concern for most websites.

    The session.name configuration determines the cookie name in the browser. By default it is PHPSESSID.

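
A small page showing the mechanism the answer describes, as an added example that is not part of the original answer: PHP finds the session by the ID in the cookie named by session.name, not by IP address, and the cookie options below make that ID harder to steal or plant. The `visits` and `user` keys and the `login` query parameter are hypothetical names chosen for this sketch.

```php
<?php
// Added example, not from the original answer.
// Serve with PHP's built-in server: php -S 127.0.0.1:8000
// Hypothetical names: the "visits" and "user" keys and the ?login=1 parameter.

session_start([
    'name'             => 'PHPSESSID', // session.name: the cookie the browser sends back
    'use_strict_mode'  => true,        // ignore IDs the server did not issue itself
    'use_only_cookies' => true,        // never accept the ID from a URL parameter
    'cookie_httponly'  => true,        // keep the cookie out of reach of page JavaScript
    'cookie_samesite'  => 'Lax',       // do not attach it to cross-site subrequests
    // Off on plain-HTTP localhost so the demo works; set to true in production.
    'cookie_secure'    => !empty($_SERVER['HTTPS']),
]);

// First request: no cookie arrived, so PHP generated a fresh random ID.
// Later requests: the browser returned the cookie and PHP loaded that session.
$cookieArrived = isset($_COOKIE[session_name()]);
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;

// On a privilege change such as login, issue a new ID and delete the old
// session file so an ID obtained before login no longer maps to anything.
if (isset($_GET['login'])) {
    session_regenerate_id(true);
    $_SESSION['user'] = 'demo';
}

header('Content-Type: text/plain');
printf("cookie name:      %s\n", session_name());
printf("cookie received:  %s\n", $cookieArrived ? 'yes' : 'no (new session)');
printf("session ID chars: %d\n", strlen(session_id()));
printf("visits:           %d\n", $_SESSION['visits']);
printf("client address:   %s (not used for the lookup)\n", $_SERVER['REMOTE_ADDR'] ?? 'n/a');
```

Reloading the page in the same browser increments `visits`; a second browser or a private window on the same machine, and therefore the same IP address, starts again at 1 because it holds a different cookie.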
