PHP Session Hijacking
Note: this page is a Chinese-English parallel translation of a popular StackOverflow question, released under the CC BY-SA 4.0 license. If you use it, you must likewise follow the CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me): StackOverFlow
Original: http://stackoverflow.com/questions/6483092/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Asked by James
I have a question regarding session hijacking in PHP. I have been reading about it this morning and I have a few questions that just weren't answered clearly in the documentation I read.
Can a user change their session on my website? i.e. if they have a session of X when they log in, can they change that session to Y, or Z, if they so choose?
I thought that sessions were set by the browser and they couldn't be changed, but all of this session hijacking stuff I've been reading has put some doubt in my mind.
Answered by Lekensteyn
The term "session" is overloaded to mean different things on the server and in the browser. Browser sessions are at best tenuously connected to server sessions. "Session hijacking" refers to server sessions.
Server-side, a session has an ID (which is passed between the client and server), content (stored on the server) and potentially other properties, such as last access time. The session ID is usually passed as a cookie. In PHP the default name for the cookie is "PHPSESSID". If cookies aren't available, PHP will (optionally) use a query string parameter of the same name ("PHPSESSID"). This cookie (or query param) can easily be changed and therefore the session identifier can be changed too.
The contents of a session (i.e. containing the login state of a user) cannot be changed by the client; the data is stored on the server and can only be changed by a PHP script on that server. Note that in a shared-hosting environment (shared by other services or users), the sessions can be overwritten if using the default session storage directory (/tmp). To protect against that, either use a database through session_set_save_handler() or set a custom session directory using session.save_path with the proper directory permissions set (preferably 700, which means that only the owner (the PHP user) can read and write to it).
To protect against session hijacking, you must have other ways to identify the user against a session. This can be a user agent, IP address or another cookie. The previously mentioned methods are just workarounds; the best way to protect against stealing of the session cookie is by using HTTPS if a session is involved. Do not forget to set the httponly flag to true using session_set_cookie_params().
Client-side, "session" is again overloaded and used in various contexts (e.g. session managers, which restore open pages when a browser is opened, session cookies and sessionStorage). We can try to combine these meanings (into what is by no means a standard one) by saying a browser session consists of a collection of views and their associated data. (By "view" I mean roughly tabs in tabbed browsers and windows in non-tabbed browsers; the DOM window object exposes a view to JS.) Each view has a history, a current page and page data. Page data for pages in the same domain is shared between views in a session; if two pages are in different domains or different sessions, they don't share data. Exiting the browser closes all open session(s), possibly saving part of the session(s) (e.g. histories, current pages, sessionStorage) so that a session manager can re-open them. Session cookies are cookies that are discarded when a session is closed; in other words, session cookies are non-persistent. Though a session cookie may hold a session ID, the two concepts are orthogonal (sense 4; session cookies can hold things other than session IDs, and session IDs can be stored in persistent cookies).
Whether two different views are in the same collection depends on the browser. For example, one browser may consider a session to consist of all tabs within a single window; separate windows are separate sessions. IE8 lets users create new sessions via the "New session" menu item. Otherwise, new windows and tabs are opened in the same session. Privacy modes also create new sessions.
In summary, browser sessions are indeed set by the browser, though it provides users various means of controlling browser sessions: creating new sessions, changing the history and current page in a view by browsing, saving and restoring sessions. A user could even change session data by editing sessions saved on disk, though this isn't a feature afforded by the browser. None of this has anything to do with session hijacking. Server sessions are created and managed by the server, but users can (attempt to) switch server sessions by changing the session ID their browser passes back to the server, which is the basis for session hijacking.
See also PHP Session Fixation / Hijacking.
Answered by Decko
A user can change his session at any time. It's just a random string stored in a cookie in the user's browser, and therefore it is very simple for the user to change it.
As the actual content of the session is stored on your server, you could for instance store the user's IP address, user agent or similar to make it harder to steal sessions from each other, by checking if this information still matches each time a new HTTP request is made.
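The following is an added example, not code from either answer above, showing how the measures Lekensteyn and Decko describe fit together in one PHP session bootstrap (PHP 7.3 or later for the array form of session_set_cookie_params): a private session.save_path with 700 permissions, cookie-only session IDs, httponly and secure cookie flags, a per-request fingerprint check against the stored user agent, and a fresh ID on login. The directory path, the SESSION_DIR and FINGERPRINT_KEY constants, and the user_id key are assumptions for the example; the database alternative via session_set_save_handler() is not shown.

```php
<?php
// Added example of a hardened session bootstrap; not from the original answers.
// Assumptions: SESSION_DIR is a writable directory outside the web root,
// FINGERPRINT_KEY is the $_SESSION key used to store the client fingerprint.
declare(strict_types=1);

const SESSION_DIR = __DIR__ . '/private_sessions'; // assumed path, outside the web root
const FINGERPRINT_KEY = '_fp';                      // assumed key name inside $_SESSION

function secure_session_start(): void
{
    // 1. Private save path: on a shared host, the default /tmp directory is
    //    readable and writable by other tenants, so session files could be
    //    read or overwritten there. Mode 0700 restricts it to the PHP user.
    if (!is_dir(SESSION_DIR)) {
        mkdir(SESSION_DIR, 0700, true);
    }
    ini_set('session.save_path', SESSION_DIR);

    // 2. Accept session IDs only from cookies (never from ?PHPSESSID=...),
    //    and reject IDs the server did not issue itself.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');

    // 3. Cookie attributes: sent only over HTTPS, hidden from JavaScript,
    //    and not attached to cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);

    session_start();

    // 4. Bind the session to a client fingerprint and check it on every
    //    request. The user agent is used here; the IP address or a second
    //    cookie can be folded into client_fingerprint() as well.
    $fp = client_fingerprint();
    if (!isset($_SESSION[FINGERPRINT_KEY])) {
        $_SESSION[FINGERPRINT_KEY] = $fp;
    } elseif (!hash_equals($_SESSION[FINGERPRINT_KEY], $fp)) {
        // Fingerprint no longer matches: discard the stored data, issue a
        // new ID and delete the old server-side record (the true argument).
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION[FINGERPRINT_KEY] = $fp;
    }
}

function client_fingerprint(): string
{
    // SHA-256 of the user agent; hash_equals() above compares it in constant time.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call after a successful credential check. Rotating the ID at login means a
// session ID known before authentication does not become a logged-in one.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId; // assumed key for the authenticated user
}

secure_session_start();
```

The fingerprint check is a detection aid rather than a substitute for HTTPS: a user agent string is cheap to copy, and binding to the IP address can log out legitimate users on mobile networks or behind load balancers, so decide per site which signals to include in client_fingerprint().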
Answered by Daud Ahmed
No, actually a user cannot change the actual session value at your website, but can change the session ID that is used to track the session. This session ID is stored in the client browser by your website, usually in a cookie named "PHPSESSID", which is also known as a session cookie. When a session is started on a site, it stores the unique ID corresponding to that session in the respective client browser in the form of a cookie named "PHPSESSID". So if a user is able to get the PHPSESSID of any other user, he can replace his PHPSESSID with the victim's PHPSESSID, and this will result in session hijacking. I am using the PHP context here.