What is a Session Identifier?


A session identifier is a nonce that uniquely represents a session.

Instead of handing the session information itself (such as username, login, start time, …) to the client, the server creates a nonce and sends it to the client as the session identifier. When the server receives a later request carrying that session identifier, it can look up the associated state (in a database, in memory, or in a file).



In an HTTP context, the sessions are called:


The session ID must be at least 128 bits (16 bytes) long. More info: Session_Management_Cheat_Sheet

Security Considerations

Using session identifiers is not without risk. The server must take care to avoid session fixation vulnerabilities.

You should:

  • Referrer is known: destroy the session when the referrer is not the expected site, then regenerate the identifier

    if (strpos($_SERVER['HTTP_REFERER'], 'http://vulnerable.example.com/') !== 0) {
        session_destroy(); // Destroy all data in session
    }
    session_regenerate_id(); // Generate a new session identifier

  • Destroy on logout

    if (isset($_GET['LOGOUT'])) {
        session_destroy(); // Destroy all data in session
    }
    session_regenerate_id(); // Generate a new session identifier

For more, see the OWASP Session Management Cheat Sheet.

Session data without Session Identifier

This section is more of a tip: another way to store session data, one that needs no session identifier at all.

If you don't want to manage an external store (such as a database) for your session data, you can also store the session data directly in a cookie, encrypted, for instance as:

  • or JWE (a JWT whose payload is encrypted rather than merely signed)
