PHP $_SESSION Implementation

Question

Does anyone know how PHP maps session IDs to $_SESSION arrays? In other words, given session ID x, where does PHP pull the values from to populate the $_SESSION array?

Answer 1

You can also write your own session handler to save the session to a database.

Also, if you want to make it harder to pin down the session ID, regenerate the session ID at strategic times (on privilege elevation, etc) -- or as often as you want.

Pass session_regenerate_id() the argument True to destroy the old session data.