Session IDs

Last updated on 20 September 2016

Session support in PHP allows one to preserve data across subsequent accesses. A visitor accessing your website is assigned a unique ID, the so-called session ID. The session ID is stored in a cookie on the user side and sent to your website on every page request.

Drupal stores the session ID alongside user IDs in the database. On every page access Drupal receives the session ID from the visitor's browser. It then checks the session table to find the associated user ID. The user ID determines which permissions the visitor has on the site.

To keep the system secure it is imperative to keep the session ID secret. If you write a module, never output a session ID where other users could read it: anyone who obtains a session ID can hijack that user's session and act with that user's permissions.

Be aware that output which is not visible in the rendered page, for example because it is sent as part of an AJAX response, can still be read by a user who inspects the traffic with a sniffer such as Wireshark or Fiddler.
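As an added example (not code from this handbook page or from Drupal itself), the script below shows a debug payload built the wrong way, with the session ID in the response body, beside the safe version, and a guard that a module's tests can run over a response body to make sure the current session ID never appears in it. It uses only PHP's native session functions (`session_id()`, `session_start()`, `session_status()`) rather than the Drupal wrappers, so it runs stand-alone from the command line; the session ID value and the payload are constructed for the demonstration.

```php
<?php
// Added example: a leaky AJAX response beside a safe one, plus a guard that
// scans a response body for the current session ID before it is sent.
// Plain PHP session functions are used so the script runs outside Drupal.

// WRONG: the session ID ends up in the body, readable by whoever gets the response
// (or sniffs the connection).
function build_response_leaky(array $data): string {
  $data['debug'] = [
    'session_id' => session_id(),
    'uid'        => $data['uid'] ?? 0,
  ];
  return json_encode($data);
}

// RIGHT: report only non-secret facts about the session.
function build_response_safe(array $data): string {
  $data['debug'] = [
    'session_active' => session_status() === PHP_SESSION_ACTIVE,
    'uid'            => $data['uid'] ?? 0,
  ];
  return json_encode($data);
}

// Guard: TRUE when the body does not contain the current session ID.
// Wire this into a module's tests (or a response listener during development)
// so a leak fails loudly instead of reaching the browser.
function response_is_free_of_session_id(string $body): bool {
  $sid = session_id();
  if ($sid === '') {
    return TRUE;  // no session yet, nothing to leak
  }
  // Check the raw and the URL-encoded form; json_encode() does not escape
  // the characters a session ID may contain ([A-Za-z0-9,-]).
  return strpos($body, $sid) === FALSE
    && strpos($body, rawurlencode($sid)) === FALSE;
}

// Demonstration with a constructed session ID so the script runs from the CLI.
session_id('constructedsessionidfordemo0001');
session_start();
$payload = ['status' => 'ok', 'uid' => 42];  // constructed sample payload

$bodies = [
  'leaky' => build_response_leaky($payload),
  'safe'  => build_response_safe($payload),
];
foreach ($bodies as $label => $body) {
  printf("%s: %s -> %s\n", $label, $body,
    response_is_free_of_session_id($body) ? 'OK' : 'LEAK');
}
```

The guard is deliberately a string search rather than a check of specific keys, because a session ID can leak through any field (error messages, serialized objects, debug dumps), not just one named `session_id`. In a Drupal module the same check belongs in a functional test that fetches each AJAX endpoint while logged in and asserts the body does not contain the logged-in user's session ID.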