The main thing I wonder about is how the server knows when a session has ended, though. If the client no longer has the session ID stored (say, after closing their browser) and they try to ask the server for another session, it starts a new session. Does the server know to garbage collect the previous session data after some set amount of time? It seems to me like something that could be abused...
session.save_path
(e.g. /var/lib/php/sessions
), or the system's temporary directory if this is not set (usually /tmp
).Sessions are garbage collected periodically, either by PHP itself during a request, or by a cron job (e.g. on Debian this is the default). See http://php.net/manual/en/session.configuration.php#ini.session.gc-probability
The main thing I wonder about is how the server knows when a session has ended
He doesn't know. However he knows when a session has not been used since a certain period of time, so it can delete unused sessions.
Does the server know to garbage collect the previous session data after some set amount of time?
Yes. This is defined by the session.gc_maxlifetime
ini setting. Any session older than that will be deleted during a garbage collect. Garbage collect frequency can be tuned with the session.gc_probability
and session.gc_divisor
ini settings. (See doc.)
It seems to me like something that could be abused.
If you mean that someone may be able to create too many staled sessions on the server; yes this is probably true.