Search code examples
phpsessioncookiessession-cookiessetcookie

How does PHP set the PHPSESSID into $_COOKIE superglobal variable without using the function setcookie() or setrawcookie()?

I'm learning PHP's most important and difficult to understand concepts viz. "Session and Cookies"

As per my understanding cookies can only be set into the browser by using either of setcookie() or setrawcookie() functions.

As per my understanding of session process, it works in following way.

  • Every session is started by using the session_start( ) function.
  • The session_start( ) function must come before any HTML, including blank lines, on the page.
  • The session_start( ) function generates a random Session Id and stores it in a cookie on the user's computer (this is the only session information that is actually stored on the client side.)
  • The default name for the cookie is PHPSESSID. To reference the session Id in my PHP code, I would therefore reference the variable $PHPSESSID (it's a cookie name)

Please correct me if my understanding is wrong anywhere in above explanation.

My doubt is as session is setting some value in $_COOKIE superglobal it's nowhere using any of the functions setcookie() or setrawcookie() then still how could session id gets stored as a cookie variable?

If I assume that the session id is set as a cookie variable and setccookie() or setrawcookie() might have been called internally then what are the parameter values set while calling either of the functions setccookie() or setrawcookie() to set the cookie value?

Thank You.

Solution

  • The default name for the cookie is PHPSESSID. To reference the session Id in my PHP code, I would therefore reference the variable $PHPSESSID

    No, it is just the name of the cookie, it will not be set as a global variable. You can access the value in $_COOKIE['PHPSESSID']. But really, this should not concern you at all, you should only use the session_* functions and the $_SESSION superglobal to interact with PHP's session API, the underlying cookie being used is none of your concern for most intents and purposes.

    … it's nowhere using any of the functions setcookie() or setrawcookie()

    If I assume that the session id is set as a cookie variable and setccookie() or setrawcookie() might have been called internally …

    Yes, PHP is calling some functions internally that will set the cookies. It's probably neither setcookie nor setrawcookie but some internal C function that sets the cookie. Again, it's none of your concern really. You just need to understand that calling session_start will somehow internally cause a cookie to be set.

    … then what are the parameter values set while calling either of the functions setccookie() or setrawcookie() to set the cookie value?

    Those are determined by the various session.cookie_* parameters you can set via session_set_cookie_params or ini_set.