PHP $_SESSION Implementation

Question

Does anyone know how PHP maps session IDs to $_SESSION arrays? In other words, given session ID x, where does PHP pull the values from to populate the $_SESSION array?

Answer 1

With the default implementation of sessions (which can be replaced by a custom one if needed) the data is stored in local files. Your server receives the session ID from the client in a cookie, finds the corresponding local file on your server and populates data into $_SESSION.

Gaining access to this data requires file-level access on the server, which is not impossible, unless your server is secure enough.