PHP login and $_SESSION

I have an existing webapp in php and js and I am trying to add authentication to it. I have figured out the part on how to create a login page and authenticate against my organisation’s LDAP server where multiple users have their accounts created.

My question is about the $_SESSION variable being same for all users who visit.

If a user visits the page and I set

$_SESSION["username"]="xyz";
$_SESSION["logged_in"]=true;

and then if another user logs in, will the $_SESSION variable be totally new for him or will the keys like "username" and "logged_in" be set with the previous user’s data?

If not, then how does PHP or the httpd webserver know whether the tab is closed or a new request has come in?

If I open multiple tabs in the browser (or multiple browser windows) will it all have the same $_SESSION variable in the backend?

Basically I have questions about the lifecycle of the $_SESSION variable.

Answer

When the server receives an HTTP request, a Session ID is generated by the server and is sent back to the browser. The browser stores the Session ID in a cookie so it can re-use it. The ID forms the link between the browser and server, so that the server can identify subsequent requests as coming from the same browser.

The browser then sends that Session ID to the server (in an HTTP header) in every request the browser makes to the same server. PHP uses that ID to find the right session data for that ID in its storage. The actual session data is private and never leaves the server. Only the ID goes to the browser.

All of this means it’s impossible for two users to share the same session data, because each session ID is unique. (It would technically be possible to steal another user’s session ID if they were using an insecure HTTP-only connection to the server and you were able to monitor their network traffic, or even with HTTPS using a man-in-the-middle attack, but that’s a whole other topic.)

If you close the browser, the session cookie is destroyed, by default. Therefore when you re-open the browser and go back to the same website, it will send a request without a session ID and will be given a new session ID by the server.

The other thing that would cause a new session to occur is if the session times out on the server. The server will have a session timeout value. It records what time a session was started and when the last request was made using that session ID. If no requests occur using a given session ID for timeout minutes after the last one, then the session ID will be destroyed and the browser will be given a new session ID next time a request occurs, regardless of whether it sent the previous one or not. This is usually why you find you’re logged out of a website if you don’t use it for a few minutes.
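The lifecycle the answer describes, as an added example that is not part of the original question or answer: a minimal PHP login/logout script that shows what $_SESSION holds for each visitor, why the session ID should be regenerated at login, and how a server-side idle timeout is enforced. The authenticate_user() function and the DEMO_USERS table are assumptions constructed for the example; in the asker's app that function would wrap the existing LDAP bind.

```php
<?php
// Added example (not from the original question or answer): a minimal
// login/logout flow showing what $_SESSION holds per visitor, why the
// session ID is regenerated at login, and how an idle timeout is enforced.
// Assumptions: the hypothetical authenticate_user() stands in for the
// asker's existing LDAP check; the DEMO_USERS table below is constructed.

declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS = 900;   // 15 minutes of inactivity logs the user out

// Send the session cookie with hardening flags; must run before session_start().
session_set_cookie_params([
    'lifetime' => 0,        // cookie is discarded when the browser closes (the default)
    'path'     => '/',
    'secure'   => true,     // only over HTTPS, so the ID is not sent in clear text
    'httponly' => true,     // not readable from JavaScript (limits theft via XSS)
    'samesite' => 'Lax',
]);
session_start();            // looks up the ID from the cookie, or issues a new one

// Constructed stand-in for the organisation's LDAP directory (assumption).
const DEMO_USERS = ['xyz' => 'correct horse battery staple'];

function authenticate_user(string $username, string $password): bool
{
    // In the real app this is the LDAP bind; here a constructed lookup.
    return array_key_exists($username, DEMO_USERS)
        && hash_equals(DEMO_USERS[$username], $password);
}

function login(string $username, string $password): bool
{
    if (!authenticate_user($username, $password)) {
        return false;
    }
    // Discard the ID this browser used while anonymous, so an ID that was
    // planted in the browser beforehand (session fixation) never becomes a
    // logged-in session. The data moves to the new ID; the old ID is deleted.
    session_regenerate_id(true);
    $_SESSION['username']      = $username;
    $_SESSION['logged_in']     = true;
    $_SESSION['last_activity'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];                       // clear server-side data for this ID
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the cookie so the browser stops sending the old ID.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // remove the session record on the server
}

function current_user(): ?string
{
    if (empty($_SESSION['logged_in'])) {
        return null;
    }
    // Server-side idle timeout, independent of the cookie's own lifetime:
    // a browser that keeps sending an expired ID is simply logged out.
    if (time() - ($_SESSION['last_activity'] ?? 0) > IDLE_TIMEOUT_SECONDS) {
        logout();
        return null;
    }
    $_SESSION['last_activity'] = time();
    return $_SESSION['username'];
}

// Request handling. A different browser has its own cookie, hence its own ID
// and its own $_SESSION; several tabs of one browser share one cookie, hence
// one $_SESSION.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    echo login((string)$_POST['username'], (string)$_POST['password'])
        ? "logged in as {$_SESSION['username']} with session ID " . session_id()
        : 'login failed';
} elseif (isset($_GET['logout'])) {
    logout();
    echo 'logged out';
} else {
    $user = current_user();
    echo $user === null ? 'not logged in' : "hello $user";
}
```

Save it as login.php under a web root served over HTTPS, POST username and password to it from one browser, then open a second browser (or the first browser's private window) and request it again without logging in: the second one reports "not logged in" because it carries no cookie and therefore gets a fresh, empty $_SESSION. The session_regenerate_id(true) call at login is the one step the answer does not mention and the one a reviewer would insist on.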
