Where are $_SESSION variables stored?

Question

Are $_SESSION variables stored on the client or the server?

Answer 1

The PHP session which is accessible via the global variable $_SESSION is stored on the server as files by default. Also the reference to it (called session_id) is stored on client side as browser cookies. If either of this is deleted, then the session becomes invalid.

You can change the storage to database/Redis/memcache etc. using PHP Custom Session Handlers. Also there are extensions available for different storage like sqlite, memcache and memcached.

Answer 2

In my Ubuntu machine sessions are stored at

/var/lib/php/sessions

and you have to sudo ls in this directory only ls it will throw

ls: cannot open directory '.': Permission denied

And on my Windows Wamp server php sessions are stored in

C:\wamp64\tmp

and if you install standalone php on windows then there is no value set by default

session.save_path => no value => no value

Answer 3

Many of the answers above are opaque. In my opinion the author of this question simply wants to know where session variables are stored by default. According to this:https://canvas.seattlecentral.edu/courses/937693/pages/10-advanced-php-sessions they are simply stored on the server by default. Hopefully, others will find this contribution meaningful.

Answer 4

The location of the $_SESSION variable storage is determined by PHP's session.save_path configuration. Usually this is /tmp on a Linux/Unix system. Use the phpinfo() function to view your particular settings if not 100% sure by creating a file with this content in the DocumentRoot of your domain:

<?php
    phpinfo();
?>

Here is the link to the PHP documentation on this configuration setting:

http://php.net/manual/en/session.configuration.php#ini.session.save-path

Answer 5

How does it work? How does it know it's me?

Most sessions set a user-key(called the sessionid) on the user's computer that looks something like this: 765487cf34ert8dede5a562e4f3a7e12. Then, when a session is opened on another page, it scans the computer for a user-key and runs to the server to get your variables.

If you mistakenly clear the cache, then your user-key will also be cleared. You won't be able to get your variables from the server any more since you don't know your id.

Answer 6

For ubuntu 16.10 are sessions save in /var/lib/php/session/...

Answer 7

I am using Ubuntu and my sessions are stored in /var/lib/php5.

Answer 8

One addition: It should be noted that, in case "/tmp" is the directory where the session data is stored (which seems to be the default value), the sessions will not persist after reboot of that web server, as "/tmp" is often purged during reboot. The concept of a client-wise persistence stands and falls with the persistence of the storage on the server - which might fail if the "/tmp" directory is used for session data.

Answer 9

On Debian (isn't this the case for most Linux distros?), it's saved in /var/lib/php5/. As mentioned above, it's configured in your php.ini.

Answer 10

As Mr. Taylor pointed out this is usually set in php.ini. Usually they are stored as files in a specific directory.

Answer 11

As mentioned already, the contents are stored at the server. However the session is identified by a session-id, which is stored at the client and send with each request. Usually the session-id is stored in a cookie, but it can also be appended to urls. (That's the PHPSESSID query-parameter you some times see)

Answer 12

They're generally stored on the server. Where they're stored is up to you as the developer. You can use the session.save_handler configuration variable and the session_set_save_handler to control how sessions get saved on the server. The default save method is to save sessions to files. Where they get saved is controlled by the session.save_path variable.