A “session”, as the term suggests, is the time period during which the client is interacting with the server.
HTTP, however, is a stateless protocol, i.e. every request that reaches the server is treated as a new request from a new client. So to tie the concept of sessions to HTTP, scripting languages have to come up with some way of tracking clients.
The most common way of enabling sessions over HTTP is cookies. The server sends the browser a session cookie header that remains valid until the browser window is closed.
This cookie is unique for every user. The cookie's name is “PHPSESSID”, which is the common name for sessions in PHP; it can be changed by configuring php.ini. The value, however, is unique. The PHP engine keeps track of the session IDs it has created and never returns the same session ID unless that ID was destroyed or the server was restarted.
If the browser accepts the cookie, then the next request to the Server is sent with a Cookie header as
The scripting engine picks up the session ID associated with the request and populates all the session variables for that request. In PHP we can obtain all the session variables using $_SESSION. In other languages, like ASP, you can obtain the reference through the Session object. The scripting engine makes sure that the session variables are stored in a persistent state. E.g. in PHP, by default, the session is saved as a serialized array in the /tmp/sess_[session-name] file.
What if Cookies are disabled?
If cookies are disabled, then there has to be another way for the browser to pass the unique session ID to the server every time it makes a request. In PHP, by default, transparent sessions are passed. If PHP detects that the Cookie header for the session is not present, and yet a session has been initialized, it rewrites the href tags and the forms.
PHP appends the session name and value to the query string of every link on that page. Further, it creates a hidden input in each form, with the session's name (i.e. PHPSESSID) as its name and the session ID as its value.
The Session name-value pair is appended in the URL
<input type="hidden" name="PHPSESSID" value="ab4ce8e2aa6adc423c0d4148f69ec373" />
Hidden Input is created for the form.
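
To check whether a rendered page is carrying the session ID in links and forms as described above, the following added example (not part of the original article) parses HTML and reports every URL query string and hidden input that contains the session name. The names `SessionIdAuditor` and `audit_html` and the sample page are constructed for illustration; the session name and ID value are the ones shown in the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

SESSION_NAME = "PHPSESSID"  # default name from the article; configurable in php.ini


class SessionIdAuditor(HTMLParser):
    """Collects places where a page carries the session ID outside a cookie."""

    def __init__(self, session_name=SESSION_NAME):
        super().__init__()
        self.session_name = session_name
        self.findings = []  # list of (kind, location, session_id)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Links and form targets: look for the session name in the query string.
        for attr in ("href", "action"):
            url = attrs.get(attr)
            if not url:
                continue
            query = parse_qs(urlsplit(url).query)
            for sid in query.get(self.session_name, []):
                self.findings.append(("url", url, sid))
        # Forms: look for the hidden input that carries the session ID.
        if (tag == "input" and (attrs.get("type") or "").lower() == "hidden"
                and attrs.get("name") == self.session_name):
            self.findings.append(("hidden-input", "form field", attrs.get("value") or ""))


def audit_html(html, session_name=SESSION_NAME):
    """Return every (kind, location, session_id) found in the given HTML."""
    auditor = SessionIdAuditor(session_name)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: a page as it would look with URL rewriting active.
SAMPLE_PAGE = """
<a href="profile.php?tab=orders&amp;PHPSESSID=ab4ce8e2aa6adc423c0d4148f69ec373">Orders</a>
<a href="https://example.org/help">Help</a>
<form action="search.php" method="post">
  <input type="hidden" name="PHPSESSID" value="ab4ce8e2aa6adc423c0d4148f69ec373" />
  <input type="text" name="q" />
</form>
"""

if __name__ == "__main__":
    for kind, where, sid in audit_html(SAMPLE_PAGE):
        print(f"{kind:13} {where}  id={sid[:8]}...")
```

An empty result for a page fetched without cookies means the session ID is travelling only in the Cookie header.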