No, a session is stored on the server and cannot be accessed by the user. It is used to store information across the site such as login sessions.

不，会话存储在服务器上，用户无法访问。它用于存储整个站点的信息，例如登录会话。

Here is an example of the usage:

下面是一个用法示例：

<?php
session_start();
if (password_verify($_POST['password'], $hash)) {
    $_SESSION['auth'] = true;
}
?>

The session can then be accessed across the site to check to see if the user has been authenticated.

然后可以跨站点访问会话以检查用户是否已通过身份验证。

<?php
session_start();
if ($_SESSION['auth']) {
    echo "You are logged in!";
}
?>

The user cannot edit these values however the session's ID is stored on a computer through a cookie as a long random string. If an unauthorized user gains access to these strings it is possible for them to access the site.

用户无法编辑这些值，但是会话 ID 通过 cookie 作为长随机字符串存储在计算机上。如果未经授权的用户可以访问这些字符串，他们就有可能访问该站点。

PHP sessions are only secure as your application makes them. PHP sessions will give the user a pseudorandom string ("session ID") for them to identify themselves with, but if that string is intercepted by an attacker, the attacker can pretend to be that user.

PHP 会话只有在您的应用程序创建时才是安全的。PHP 会话会为用户提供一个伪随机字符串（“会话 ID”）以供他们识别自己，但如果该字符串被攻击者拦截，攻击者就可以伪装成该用户。

What to do

该怎么办

This information is taken from "Session Management Basics" in the PHP manual, but simplified a bit. Some things may have been missed. Be sure to read through that as well.

此信息取自PHP 手册中的“会话管理基础”，但稍微简化了一些。有些东西可能被遗漏了。一定要通读一遍。

1. Always use HTTPS

   • Prevents attackers from reading the session ID cookie

2. Enable session.use_strict_mode:

   • Rejects uninitialized session IDs
   • Ensures any sessions created are actually valid, so you can trust a prefix(eg, if the prefix is $userId-)

3. Enable sessions.use_only_cookiesand disable session.use_trans_sid

   • Avoids user sharing session ID accidentally by sharing a URL with the session ID in it
   • Prevents the session ID from appearing in a Refererheader

4. Periodically regenerate the session IDand invalidate old session IDs shortly after regenerating

   • If an attacker uses another user's session ID, regenerating will invalidate either the user's or attacker's session, depending on which makes the request that regenerates the ID. You can then track when someone tries to use a session that has been regenerated already, and invalidate the regenerated session at that point. The user will be able to log in, but the attacker (hopefully) won't be able to.

5. Optionally keep track of additional information in $_SESSIONthat relates to the request (IP address, user agent string, etc)

   • If an attacker somehow gains access to a session ID, this can possibly detect the intrusion before the attacker can access any data. However, keep in mind that this may worsen the user experience. For example, the IP address may change when the user switches from a mobile network to Wi-Fi, and the user agent string may change when their browser automatically updates. Adjust the data checked according to the tradeoffs your site is willing to deal with.

1. 一直使用 HTTPS

   • 防止攻击者读取会话 ID cookie

2. 启用session.use_strict_mode：

   • 拒绝未初始化的会话 ID
   • 确保创建的任何会话实际上是有效的，因此您可以信任前缀（例如，如果前缀是$userId-）

3. 启用sessions.use_only_cookies和禁用session.use_trans_sid

   • 通过共享包含会话 ID 的 URL 来避免用户意外共享会话 ID
   • 防止会话 ID 出现在Referer标题中

4. 定期重新生成会话 ID并在重新生成后不久使旧会话 ID 失效

   • 如果攻击者使用另一个用户的会话 ID，重新生成将使用户或攻击者的会话无效，具体取决于哪个发出重新生成 ID 的请求。然后，您可以跟踪某人何时尝试使用已重新生成的会话，并在此时使重新生成的会话无效。用户将能够登录，但攻击者（希望如此）将无法登录。

5. （可选）跟踪$_SESSION与请求相关的附加信息（IP 地址、用户代理字符串等）

   • 如果攻击者以某种方式获得了对会话 ID 的访问权限，这可能会在攻击者访问任何数据之前检测到入侵。但是，请记住，这可能会恶化用户体验。例如，当用户从移动网络切换到 Wi-Fi 时，IP 地址可能会发生变化，而当他们的浏览器自动更新时，用户代理字符串可能会发生变化。根据您的站点愿意处理的权衡调整检查的数据。

Answering this question needs 2 approaches:

回答这个问题需要两种方法：

1. PHP session IDs are hard enough to guess for most use cases. Not much harder or less hard than other widely used systems.

2. Trusting only a session cookie (and only the existance of a session cookie) seems not to go very far security-wise to me, no matter where this session cookie comes from - PHP or elsewhere.

1. 对于大多数用例，PHP 会话 ID 很难猜测。并不比其他广泛使用的系统更难或更难。

2. 仅信任会话 cookie（并且仅信任会话 cookie 的存在）对我来说似乎在安全方面并没有走得太远，无论此会话 cookie 来自何处 - PHP 或其他地方。

So, in short: PHP sessions are as secure, as your use of them makes them be. This is true for any session-cookie-based system I know of.

因此，简而言之：PHP 会话与您对它们的使用一样安全。对于我所知道的任何基于会话 cookie 的系统来说都是如此。

If do this:

如果这样做：

$_SESSION['user'] = $username;

Then $usernamewill not be directly stored in a cookie. Instead a unique session id will be generated and stored inside a cookie.

然后$username就不会直接存储在cookie中了。相反，将生成一个唯一的会话 ID 并将其存储在 cookie 中。

The info that you store in $_SESSIONis only stored server side and never sent to the client. On subsequent request by the client, the server will load the session data by the id stored in the cookie when you do session_start().

您存储的信息$_SESSION仅存储在服务器端，永远不会发送到客户端。在客户端的后续请求中，服务器将通过存储在 cookie 中的 id 加载会话数据session_start()。

It relatively secure. The only thing that can happen is that somebody could intercept the session id and thus steal the real users session. HTTPS can prevent that from happening though.

它相对安全。唯一可能发生的事情是有人可以拦截会话 ID，从而窃取真正的用户会话。HTTPS 可以防止这种情况发生。

Whatever answer you get on this topic you are most likely not going to be satisfied because there are so many different opinions on the topic. There are even entire books written about sessions and PHP security in general.

无论你在这个话题上得到什么答案，你很可能不会满意，因为关于这个话题有很多不同的意见。甚至还有整本关于会话和 PHP 安全的书籍。

The best answer you can hope to get here is probably "sessions are as safe as you want them to be". More work and a larger number of precautions will obviously make them safer to use but the implementation itself will consume more time. As with everything you are the one to measure how much safe is safe enough for your needs.

您希望在这里得到的最佳答案可能是“会话与您希望的一样安全”。更多的工作和更多的预防措施显然会使它们使用起来更安全，但实施本身会消耗更多的时间。与所有事情一样，您是衡量多少安全足以满足您的需求的人。

Since you are a C++ programmer, you only need to know that the session visible to the client side is just a pointer on a different address space (the server) and, therefore, the session cannot be accessed from the client mode.

由于您是C++程序员，您只需要知道客户端可见的会话只是不同地址空间（服务器）上的指针，因此无法从客户端模式访问会话。