
I have an existing webapp in php and js and I am trying to add authentication to it. I have figured out the part on how to create a login page and authenticate against my organisation's LDAP server where multiple users have their accounts created.

My question is about the $_SESSION variable being same for all users who visit.

If a user visits the page and I set

session_start(); // must be called before $_SESSION is read or written on this request
$_SESSION["username"] = "xyz";
$_SESSION["logged_in"] = true;

and then if another user logs in, will the $_SESSION variable be totally new for him or will the keys like "username" and "logged_in" be set with the previous user's data?

If not, then how does PHP or the httpd webserver know whether the tab is closed or a new request has come in?

If I open multiple tabs in the browser (or multiple browser windows) will it all have the same $_SESSION variable in the backend?

Basically I have questions about the lifecycle of the $_SESSION variable.

ADyson

Divyaanand Sinha
  • @JohnDoe ok are you saying the session data is stored in some cookie format on the browser side and when we open the page the session data from the browser is read and used to populate the php global $_SESSION variable? – Divyaanand Sinha Mar 11 '21 at 09:17
  • @DivyaanandSinha that's not quite correct, no. See my answer below, and read a bit more here: https://stackoverflow.com/questions/11142882/what-are-cookies-and-sessions-and-how-do-they-relate-to-each-other – ADyson Mar 11 '21 at 09:38
  • @JohnDoe `the sessions are stored in the browser`...not quite. The session ID is issued by the server and passed to the browser. The browser stores the Session ID, but it does not store the rest of the data. The rest of the data associated with each session is stored securely on the server. – ADyson Mar 11 '21 at 09:39

1 Answer

2

When the server receives an HTTP request, a Session ID is generated by the server and is sent back to the browser. The browser stores the Session ID in a cookie so it can re-use it. The ID forms the link between the browser and server, so that the server can identify subsequent requests as coming from the same browser.

The browser then sends that Session ID to the server (in an HTTP header) in every request the browser makes to the same server. PHP uses that ID to find the right session data for that ID in its storage. The actual session data is private and never leaves the server. Only the ID goes to the browser.

All of this means it's impossible for two users to share the same session data, because each session ID is unique. (It would technically be possible to steal another user's session ID if they were using an insecure HTTP-only connection to the server and you were able to monitor their network traffic, or even with HTTPS using a man-in-the-middle attack, but that's a whole other topic.)

If you close the browser, the session cookie is destroyed, by default. Therefore when you re-open the browser and go back to the same website, it will send a request without a session ID and will be given a new session ID by the server.

The other thing that would cause a new session to occur is if the session times out on the server. The server will have a session timeout value. It records what time a session was started and when the last request was made using that session ID. If no requests occur using a given session ID for timeout minutes after the last one, then the session ID will be destroyed and the browser will be given a new session ID next time a request occurs, regardless of whether it sent the previous one or not. This is usually why you find you're logged out of a website if you don't use it for a few minutes.

ADyson
  • Thanks for the explanation. Does PHP by itself use some db or storage to keep track of the session IDs and their related data? This also means that if a person with a particular session ID comes and visits the page then the $_SESSION variable will have the data only related to that particular ID for that person, right? – Divyaanand Sinha Mar 11 '21 at 09:48
  • https://stackoverflow.com/questions/454635/where-are-session-variables-stored already answers your first question there. – ADyson Mar 11 '21 at 09:54
  • And yes there are different session variables for each user - I mentioned in the answer that it's impossible for two users to share the same session. It's easy to test this yourself - make a PHP script which writes a random number to the session, or accepts user input from a form and stores it in the session, and then outputs it again on screen. Go to that page from two different browsers on your machine, or from a regular window and an incognito window - you'll see that the data isn't shared. – ADyson Mar 11 '21 at 09:56
  • Thanks again. @ADyson. However one last question, you mentioned that ID is retrieved from the headers. If in my frontend code before loading the page I make a simple jquery call $.get("check_login.php") to the backend php script which has session_start() and all the other essential functionalities, will the ID be implicitly passed as headers in the GET request above? I have seen many people saying included the php part in the webpage HTML code itself in the beginning but I don't want to mix the backend and frontend here. – Divyaanand Sinha Mar 11 '21 at 10:03
  • 1
    It's easy to try it and see. It's never been a problem for me - I'm pretty sure the browser attaches the info automatically. Use the Network tool to examine the request and see what headers and cookie information is actually sent. `I have seen many people saying included the php part in the webpage HTML code itself in the beginning `...that's probably for a different purpose. Depends on your application's design. – ADyson Mar 11 '21 at 10:06
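The following is an added example, not code from the question or the answer above. It puts the answer's description of the session lifecycle and the `check_login.php` idea from the comments into one PHP script: the browser only ever holds the session ID cookie, the data lives on the server, each browser gets its own `$_SESSION`, and an inactivity timeout plus ID regeneration at login are handled explicitly. The LDAP URL, the DN pattern, the 15-minute idle timeout and the cookie flags are assumptions chosen for the example, not PHP defaults and not values from the original post; `ldap_authenticate()` is a helper written here, not something PHP provides.

```php
<?php
// Added example (not from the original post): a session-backed login check
// for the $.get("check_login.php") pattern. Assumptions: the LDAP server URL,
// DN pattern, idle timeout and cookie flags below are illustrative choices.

declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS = 15 * 60;   // assumed value, not a PHP default

// Cookie flags must be configured before session_start() issues the cookie.
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie: discarded when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS, so the ID is not readable on the wire
    'httponly' => true,     // not readable by JavaScript in the page
    'samesite' => 'Lax',
]);
session_start();            // reads the ID cookie (if any) and loads that session's data

// Enforce an inactivity timeout in the application. PHP's garbage collector
// removes stale sessions only probabilistically, so it is not a reliable timeout.
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_TIMEOUT_SECONDS) {
    session_unset();                   // drop this session's server-side data
    session_regenerate_id(true);       // fresh ID, old server-side record deleted
}
$_SESSION['last_seen'] = time();

// Per-session marker, as the comment above suggests for testing: two browsers
// (or a normal and an incognito window) will show different values.
if (!isset($_SESSION['marker'])) {
    $_SESSION['marker'] = bin2hex(random_bytes(4));
}

// Hypothetical LDAP bind helper; replace the URL and DN pattern with your own.
function ldap_authenticate(string $username, string $password): bool
{
    // An empty password makes many directory servers perform an anonymous bind
    // that "succeeds", so reject it before talking to the server at all.
    if ($password === '') {
        return false;
    }
    $conn = ldap_connect('ldaps://ldap.example.invalid');   // assumed server
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    $dn = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN)
        . ',ou=people,dc=example,dc=invalid';                 // assumed DN pattern
    return @ldap_bind($conn, $dn, $password);
}

function login(string $username, string $password): bool
{
    if (!ldap_authenticate($username, $password)) {
        return false;
    }
    // Issue a new ID when privilege changes so an ID the browser held before
    // login cannot be replayed as a logged-in session (session fixation).
    session_regenerate_id(true);
    $_SESSION['username']  = $username;
    $_SESSION['logged_in'] = true;
    return true;
}

function logout(): void
{
    session_unset();
    setcookie(session_name(), '', time() - 3600, '/');   // expire the ID cookie
    session_destroy();
}

function currentUser(): ?string
{
    return (!empty($_SESSION['logged_in']) && isset($_SESSION['username']))
        ? $_SESSION['username']
        : null;
}

// JSON endpoint for the front end. The browser sends its ID cookie with the
// $.get() request automatically (same origin), so $_SESSION here is the data
// belonging to that one browser only.
header('Content-Type: application/json');
echo json_encode([
    'logged_in' => currentUser() !== null,
    'username'  => currentUser(),
    'marker'    => $_SESSION['marker'],
]);
```

Calling `login()` and `logout()` from separate POST handlers is left to the application; the script as written only answers the "am I logged in?" question for the browser that sent the cookie. Loading it from two different browsers shows two different `marker` values, which is the isolation the answer describes.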