I have read in a lot of places that under the default configuration of php.ini, session_start() generates a random sessionID and stores it in a cookie on the user's browser. However, I could not find any reference to this on php.net. Is there a place where I can find some proper documentation on the internal workings of this?
Secondly, I want to understand a sequential, step-by-step process of what a simple login system would look like in PHP in conjunction with the above, i.e. the session, the sessionID generated and the associated cookie set by session_start(). Please help by providing a step-by-step description of this flow, like the following (assuming that user User1 is already registered in the system and is now trying to access a page which requires him to be logged in):
- User1 clicks the URL hxxp://restrictedPage.php (for example).
- The system checks and sees that User1 is not logged in - meaning, say, the system checks to see if there is a valid sessionID in place here. (So what exactly would be checked?)
- Since the check (which I need help with) in step 2 fails, the user is redirected to login.php (say, for example), which has the login form.
- On the login form the user enters username and password and submits the POST form.
- Server side - authenticateUser.php (say, for example) verifies $_POST['userName'] and $_POST['password'] against the db values. Let's assume that this check returns true, i.e. the username and password supplied by the user were correct.
- What happens now from here on? Where does the session come into the picture, and when is the cookie with the sessionID created? When is it sent to the browser?
- Now, when the session is in place (which I need help understanding exactly how) and the user comes to a landing page after the login, say welcome.php, which also has a link to restrictedPage.php, and the user clicks on this link, how exactly is the session validated on the server? I mean, the cookie holding the sessionID would be sent with this request, but where is it cross-checked with the sessionID already present on the server? Is it done explicitly (like we do for validating username and password from the db), or is it taken care of automatically by PHP?
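The flow asked about above, as an added example that is not part of the original question: one PHP script that plays the roles of restrictedPage.php, login.php and authenticateUser.php (selected with a hypothetical ?page= parameter), with a constructed in-memory user store standing in for the database. The session cookie is created by session_start() on the first request, the session is bound to the user only after password_verify() succeeds, and on later requests PHP itself looks the cookie's ID up in its session storage; application code never compares the cookie value against a stored ID by hand, it only inspects what ended up in $_SESSION.

```php
<?php
// Added example, not from the original question. One script standing in for
// restrictedPage.php, login.php and authenticateUser.php, chosen via ?page=...
// The "database" is a constructed in-memory array; a real app would query its users table.
declare(strict_types=1);

// Attributes of the session ID cookie (PHPSESSID by default). These must be set
// before session_start(), because that call is what emits the Set-Cookie header.
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie: dropped when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',    // not sent on cross-site POST requests
]);

// First request: no cookie arrives, so PHP generates a random ID, creates an empty
// session record for it and sends the ID back in a Set-Cookie header.
// Later requests: the browser sends the cookie, PHP looks the ID up in its own session
// storage and fills $_SESSION from the matching record. An unknown or expired ID simply
// yields an empty $_SESSION; nothing in application code compares IDs.
session_start();

// Constructed user store: username => password hash. A real store keeps the hash
// precomputed; it is hashed here on every request only to keep the example self-contained.
$users = [
    'User1' => password_hash('correct horse', PASSWORD_DEFAULT),
];

// "Is this user logged in?" means "did an earlier request on this same session set
// $_SESSION['user']?" That is the whole check behind step 2 of the question.
function current_user(): ?string
{
    return $_SESSION['user'] ?? null;
}

// Step 5: verify the submitted credentials and, on success, bind the session to the user.
function authenticate(array $users, string $username, string $password): bool
{
    $hash = $users[$username] ?? null;
    // password_verify() is constant-time; unknown user and wrong password get the same answer.
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Discard the pre-login session ID and issue a fresh one (session fixation defence);
    // this sends a new Set-Cookie with the regenerated ID.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');   // expire the cookie client-side
    session_destroy();                                    // drop the record server-side
}

$page = $_GET['page'] ?? 'restricted';

switch ($page) {
    case 'restricted':   // restrictedPage.php (steps 1-3, and the later revisit)
        if (current_user() === null) {
            header('Location: ?page=login');
            exit;
        }
        echo 'Welcome back, ' . htmlspecialchars(current_user()) . "\n";
        break;

    case 'login':        // login.php: the form (step 4 posts it to authenticateUser.php)
        echo '<form method="post" action="?page=auth">'
           . '<input name="userName"> <input type="password" name="password"> '
           . '<button>Log in</button></form>';
        break;

    case 'auth':         // authenticateUser.php (step 5)
        $ok = $_SERVER['REQUEST_METHOD'] === 'POST'
           && authenticate($users,
                           (string)($_POST['userName'] ?? ''),
                           (string)($_POST['password'] ?? ''));
        header('Location: ' . ($ok ? '?page=restricted' : '?page=login'));
        exit;

    case 'logout':
        logout();
        header('Location: ?page=login');
        exit;
}
```

Running this under a web server and visiting ?page=restricted first redirects to the form; after a correct POST the browser holds a regenerated PHPSESSID cookie, and every later request to ?page=restricted succeeds because PHP reloads $_SESSION['user'] from that ID automatically. The session_set_cookie_params() array form requires PHP 7.3 or later.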