A session identifier is a nonce that uniquely represents a session.
Instead of handing the session information itself (such as username, login, start time, …) to the client, the server creates a nonce and sends that as the session identifier. When the server later receives a request carrying that session identifier, it looks up the associated state information (in a database, in memory, or in a file).
In an HTTP context, the sessions are called:
The session ID must be at least 128 bits (16 bytes) long. More info: Session_Management_Cheat_Sheet
Using session identifiers is not without risk. The server should take care to avoid session fixation vulnerabilities.
You should:
For more, see the OWASP Session Management Cheat Sheet.
<?php
session_start(); // Needed before $_SESSION can be read or written

function dropSession(): void
{
    $_SESSION = [];
    session_destroy(); // Destroy all data in session
    session_start();   // Continue the request with a fresh, empty session
}

// A request that does not come from our own pages is not trusted with an existing session
if (strpos($_SERVER['HTTP_REFERER'] ?? '', 'http://vulnerable.example.com/') !== 0) {
    dropSession();
}

// The session must stay on the client address that created it...
if (isset($_SESSION['PREV_REMOTEADDR']) && $_SERVER['REMOTE_ADDR'] != $_SESSION['PREV_REMOTEADDR']) {
    dropSession();
}
$_SESSION['PREV_REMOTEADDR'] = $_SERVER['REMOTE_ADDR'];

// ... and on the browser (User-Agent) that created it
if (isset($_SESSION['PREV_USERAGENT']) && ($_SERVER['HTTP_USER_AGENT'] ?? '') != $_SESSION['PREV_USERAGENT']) {
    dropSession();
}
$_SESSION['PREV_USERAGENT'] = $_SERVER['HTTP_USER_AGENT'] ?? '';

// Generate a new session identifier (deleting the old one), so an identifier chosen by an attacker is never kept
session_regenerate_id(true);

if (isset($_GET['LOGOUT'])) {
    dropSession();
}
This section is more of a tip: it describes another way to store session data, one that needs no session identifier at all.
If you don't want to manage an external store (such as a database) for your session data, you may also store the session data directly, encrypted, in a cookie.
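A minimal implementation of that tip, added here as an example (it is not code from the original page): the session data travels inside the cookie as a libsodium secretbox ciphertext, so the server keeps no session store and issues no session identifier. The cookie name, the TTL and the SESSION_KEY environment variable are assumptions.

```php
<?php
// Stateless session: the data itself travels in the cookie, sealed with
// libsodium secretbox (XSalsa20-Poly1305), so tampering is detected and the
// contents stay unreadable to the client. Needs PHP >= 7.3 with ext/sodium.
// SESSION_KEY (env var name is an assumption) holds a base64 32-byte secret.
const SESSION_COOKIE = 'session'; // cookie name, an assumption
const SESSION_TTL    = 3600;      // seconds before the sealed contents expire

function sealSession(array $data, string $key): string
{
    // The expiry is inside the sealed payload, so the client cannot extend it.
    $payload = json_encode(['exp' => time() + SESSION_TTL, 'data' => $data]);
    $nonce   = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per cookie
    $box     = sodium_crypto_secretbox($payload, $nonce, $key);
    return base64_encode($nonce . $box);
}

function openSession(string $cookie, string $key): ?array
{
    $raw = base64_decode($cookie, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null; // malformed cookie
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // Poly1305 tag check: a single modified byte makes this return false
    $payload = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($payload === false) {
        return null; // tampered, or sealed with another key
    }
    $decoded = json_decode($payload, true);
    if (!is_array($decoded) || !isset($decoded['exp'], $decoded['data'])
        || !is_array($decoded['data']) || $decoded['exp'] < time()) {
        return null; // expired, or not a payload we produced
    }
    return $decoded['data'];
}

// Per request: open what the client sent (or start empty), update, reseal.
$key     = base64_decode((string) getenv('SESSION_KEY'), true); // must be 32 bytes
$session = openSession($_COOKIE[SESSION_COOKIE] ?? '', $key) ?? [];
$session['user'] = 'alice'; // e.g. after a successful login
setcookie(SESSION_COOKIE, sealSession($session, $key), [
    'expires'  => time() + SESSION_TTL,
    'secure'   => true,   // only over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Strict',
]);
```

Because nothing is stored server-side, a sealed cookie cannot be revoked before its expiry (logout can only clear it on the client), so keep SESSION_TTL short. The cookie is sent with every request, so keep the data it carries small.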