Here is Example 2164 from php.net:
Hello visitor, you have seen this page times.
The PHP session mechanism ties a persistent associative array, $_SESSION, to the browser cookie PHPSESSID.
The PHP function session_start manages the session state. This function detects whether the client has sent a session id. The client can send the session id as a cookie, meaning that it sends the HTTP request header Cookie:.
GET /~burt/learning/Csc598.073/workbook/example2164.php HTTP/1.1
Host: www.cs.miami.edu
...
Cookie: PHPSESSID=dd03368813bf18206e3d3d913e19008e
HTTP/1.x 200 OK
Date: Thu, 31 May 2007 15:19:10 GMT
...
Set-Cookie: PHPSESSID=7ae6e86417cb9a01115f992cc8eb30e5; path=/
It is absolutely necessary that the PHP code that instructs the server to obtain the session id (the call to session_start) occur before any script output. Otherwise the server has already finished sending the response headers in order to begin sending the HTTP content body, and therefore cannot send the Set-Cookie response header if one is needed.
Given the session id, PHP creates the autoglobal array $_SESSION and initializes it with the session variables known to that session. Between requests, this array is stored as a file. One technicality which PHP handles is the removal of these files. PHP application programmers want to use sessions casually, but each session creates a file, and these files must eventually be destroyed. A reaper process within PHP destroys these session files when it determines that they are no longer live. In case that determination was faulty, the session start mechanism must be prepared to receive cookies which reference deleted sessions and react appropriately.
Example 2164 from php.net shows how to use session variables. It creates or updates the count variable.
The session id can be sent by POST or GET as a named variable, instead of as a cookie. This behavior can be turned off in the PHP configuration file, because it is dangerous! Sessions are often used to establish an authenticated channel between server and browser. That is, the presence of the session id encourages the server to act in privileged ways on the client's behalf. Therefore, the session id is powerful information and should not escape the browser-server communication channel.
However, Example 2164 describes exactly how to do this. Cut and paste the following URL into a fresh browser. For instance, go to a second computer and use a browser on that computer.
http://www.cs.miami.edu/~burt/learning/Csc598.073/workbook/example2164?<?=session_name()?>=<?=$_COOKIE[session_name()]?>
It is dangerous to utilize this alternative avenue for transmitting the session id if you also assume that the session id is private. Using session ids in this manner has its place, but if you want a session to bind one browser, on one computer, to the server, you can see that this is no longer true in our experiment: the two computers are sharing a session, since they share the session id.
Session fixation is the name for various hacker techniques related to disclosure of a session id. These techniques attempt to influence the session id of the victim so that the attacker knows the session id. The attacker might send a query URL such as we have constructed, to place the victim in a session of the attacker's choosing.
Please read more about session fixation and try to create examples of your own, so that you thoroughly understand the possibilities. Then write your code to avoid those possibilities. As a general rule of thumb, secure code is a defense against all attacks, known and unknown.
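As an added example (not part of the workbook or of php.net's Example 2164), here is the page-view counter rewritten so that the session-sharing experiment above no longer works: PHP is told to accept the session id only from the cookie, to refuse ids it did not issue, and to replace the id whenever the session gains privilege. It assumes PHP 7.3 or later for the array form of session_set_cookie_params.

```php
<?php
// Hardened variant of the Example 2164 counter (added example, not the workbook's code).

// 1. Accept the session id only from the Cookie: header, never from GET or POST,
//    and never rewrite URLs to carry it (these override php.ini for this script).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// 2. Strict mode: an id that the server did not itself issue (for example one pasted
//    into a URL by an attacker) is discarded and a fresh id is generated instead.
ini_set('session.use_strict_mode', '1');

// 3. Keep the cookie away from client-side script and off plaintext HTTP.
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params([
    'httponly' => true,
    'secure'   => $https,
    'samesite' => 'Lax',
]);

// session_start() must run before any output; otherwise the headers are already
// sent and the Set-Cookie header cannot be added. Fail loudly rather than silently.
if (headers_sent($file, $line)) {
    throw new RuntimeException("Output already began at $file:$line; cannot start session");
}
session_start();

// 4. Whenever the session's privilege level changes (typically right after a
//    successful login), issue a new id and delete the old session file, so an id
//    learned before authentication is worthless afterwards. 'user' is a hypothetical key.
function elevate_session(string $user): void
{
    session_regenerate_id(true);   // true: remove the old session's storage
    $_SESSION['user'] = $user;
}

// The counter from Example 2164, unchanged in spirit.
$_SESSION['count'] = ($_SESSION['count'] ?? 0) + 1;

echo 'Hello visitor, you have seen this page ', (int) $_SESSION['count'], ' times.';
```

With use_only_cookies and use_strict_mode set, pasting the query-string URL from above into a second browser yields a new, separate session instead of joining the first browser's session.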
To destroy a session, three things must be accomplished: