What is a Session Identifier?

About

A session identifier is a nonce that represents uniquely a session.

Instead of storing session information (such as username, login, start time, …) directly, the server creates a nonce and sends it a session identifier. ¹⁾ When the server receives back another request with the session identifier, the server can look up the state information associated (in a database, in memory, or in a file).

Usage

method of authentication: After successful authentication. The session is upgraded with user information.
Session tracking: to track user interaction by analytics session (called also visit), a virtual session id is created to track all interaction by visit.

Storage

In an HTTP context, the sessions are called:

cookie session
or cookieless session. The session identifier is stored on the path or a query parameter

Length

The session ID length must be at least 128 bits (16 bytes). More info: Session_Management_Cheat_Sheet

Security Considerations

Using session identifiers is not without risk. The server should take care to avoid session fixation vulnerabilities.

You should:

not accepts any session identifier,
not accepts session identifiers from query strings (only from cookie)
not allow cookies to transit without https. See secure cookie property
not allow cookie session to be read by javascript. See httpOnly
put security validations in place.

More, see the owasp Session Management Cheat Sheet

Validation

Referrer is known

if (strpos($_SERVER['HTTP_REFERER'], 'http://vulnerable.example.com/') !== 0) {
    session_destroy(); // Destroy all data in session
}
session_regenerate_id(); // Generate a new session identifier

Same client (Web - User Agent (UA)

if ($_SERVER['REMOTE_ADDR'] != $_SESSION['PREV_REMOTEADDR']) {
    session_destroy(); // Destroy all data in session
    $_SESSION['PREV_REMOTEADDR'] = $_SERVER['REMOTE_ADDR'];
}
if ($_SERVER['HTTP_USER_AGENT'] != $_SESSION['PREV_USERAGENT']) {
    session_destroy(); // Destroy all data in session
    $_SESSION['PREV_USERAGENT'] = $_SERVER['HTTP_USER_AGENT'];
}
session_regenerate_id(); // Generate a new session identifier

Destroy on logout

if (isset($_GET['LOGOUT']) {
    session_destroy();
}

Session data without Session Identifier

This section is more a tip or another way to store session data than without any session identifier.

If you don't want to manage an external store (such as a database) to store your session data, you may also store your session data directly encrypted in a cookie

in JWT format
or JWE (JWT public information encrypted)

¹⁾

Session Identifier - Section-8.4 of HTTP State Management Mechanism