Is my understanding of PHP sessions correct?

Question

I've been interested in how sessions work internally, but I have little knowledge of C (and am unsure where to look in the PHP source for this).

This is what I understand of sessions at the moment:

1. When you start a session the user gets assigned a session id which is stored in a cookie.
2. When session data is saved (via $_SESSION) it is stored on the filesystem, with the relevant session id and an expiry time.

Is this correct? Also what is the method in which session id are created? I assume it's based on time but what if two users send a request at the same time? What methods are in place internally to prevent them getting the same id?

Thanks,

Answer 1

My understanding is of the internal session handling process is the following:

When session_start is called, PHP is looking for a parameter from the client that was sent via POST, GET, or in a cookie (depending on the configuration; see session.use_cookies, session.use_only_cookies, and session.use_trans_sid) with the name of the value of session.name to use the session ID of an already started session.

If it finds a valid session ID, it tries to retrieve the session data from the storage (see session.save_handler) to load the data into $_SESSION. If it can’t find an ID or its usage is forbidden, PHP generates a new ID using a hash function (see session.hash_function) on data of a source that generates random data (see session.entropy_file).

At the end of the runtime or when session_write_close is called, the session data in $_SESSION is stored away into the designated storage.