[eluser]kurucu[/eluser]
Don't worry about the English - I'm working in France and am just learning French so I have sympathy!
The session works like this:
A user requests a page
The session library checks to see if that user has visited before (by looking for a unique identifier in their cookies, amongst other things)
- If it does not exist, a new ID is created (and in the case of DB storage, a row is inserted into the database).
- If it does exist, then data is taken from either the cookie or the database row with the same ID.
When you add information to the session, it is added to the database row for that user ID or to the cookie.
------------------
So data is passed between requests either back and forth in the cookie (max 4 KB) or is kept in a database table, and matched to an identifier that is passed back and forth in the cookie.
The end result is data that persists between related visits - a session.
For security and functionality some other things often happen:
- The user agent is compared (so if a different browser is used then the session is considered unique - i.e. they are considered to be someone else)
- The IP address can be compared (with the same effect as above)
- If the cookie expires, then we can no longer identify which user the session belonged to (and in the case of cookie storage, have lost everything stored in the session)
- A time limit is also set on how long we will wait between requests to pull data out of the database.
These last two points work together to be the Session Timeout - the amount of time between visits that has to pass for us to drop the session and forget the user. They will appear logged out.
I should write a wiki entry.
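The flow described in the post above, as an added worked example that is not part of the original post and not CodeIgniter's own code: a Python model of both storage modes. `DatabaseSessionStore` keeps the data server-side (an in-memory dict stands in for the session table) and hands the browser only an ID, re-checking the user agent, the IP address and the idle timeout on every request exactly as the post lists them; `encode_cookie_session`/`decode_cookie_session` model cookie storage, where the data itself travels in the cookie and the 4 KB limit applies. The cookie name, the key, the 7200-second default and the HMAC signature on the cookie payload are this example's assumptions (the post does not discuss signing; it is added here because data the browser can edit must be integrity-checked before it is trusted).

```python
"""Session handling modelled on the post above (constructed example, not CodeIgniter code)."""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

COOKIE_NAME = "ci_session"            # assumed cookie name for this example
MAX_COOKIE_BYTES = 4096               # the 4 KB cookie limit the post mentions
SECRET_KEY = b"example-only-secret"   # constructed for the demo; use a long random key in practice


@dataclass
class SessionRow:
    """One row of the session table (an in-memory dict stands in for the database here)."""
    session_id: str
    ip_address: str
    user_agent: str
    last_activity: int              # timestamp of the last request that used this row
    user_data: dict = field(default_factory=dict)


class DatabaseSessionStore:
    """Database-style storage: the cookie carries only the ID, the data lives server-side."""

    def __init__(self, expiration=7200, match_ip=True, match_useragent=True):
        self.expiration = expiration            # seconds we wait between requests (assumed default)
        self.match_ip = match_ip
        self.match_useragent = match_useragent
        self.rows = {}                          # stands in for the session table

    def _is_valid(self, row, ip, user_agent, now):
        # A row left idle past the timeout is dropped even if its cookie still arrives.
        if now - row.last_activity > self.expiration:
            return False
        # A different address or browser is treated as a different person.
        if self.match_ip and row.ip_address != ip:
            return False
        if self.match_useragent and row.user_agent != user_agent:
            return False
        return True

    def load(self, cookies, ip, user_agent, now):
        """Resolve a request to its session row, creating a fresh one when the cookie is
        missing, unknown, stale, or bound to another UA/IP. Returns (id, data, is_new)."""
        sid = cookies.get(COOKIE_NAME)
        row = self.rows.get(sid) if sid else None
        if row is not None and self._is_valid(row, ip, user_agent, now):
            row.last_activity = now             # the visit keeps the session alive
            return row.session_id, row.user_data, False
        if row is not None:
            del self.rows[sid]                  # forget the stale or mismatched session
        sid = secrets.token_hex(16)             # new unguessable identifier
        row = SessionRow(sid, ip, user_agent, now)
        self.rows[sid] = row                    # "a row is inserted into the database"
        return sid, row.user_data, True


def encode_cookie_session(user_data):
    """Cookie-style storage: the data itself goes into the cookie. Signed with an HMAC
    (added in this example) so edits by the browser are detected; enforces the 4 KB limit."""
    body = json.dumps(user_data, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    value = base64.urlsafe_b64encode(body + mac).decode()
    if len(value) > MAX_COOKIE_BYTES:
        raise ValueError("session data too large for a cookie; use database storage")
    return value


def decode_cookie_session(value):
    """Return the stored dict, or None if the cookie is missing, malformed or tampered with."""
    if not value:
        return None
    try:
        raw = base64.urlsafe_b64decode(value.encode())
    except ValueError:                          # binascii.Error is a ValueError
        return None
    body, mac = raw[:-32], raw[-32:]
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(body)


if __name__ == "__main__":
    store = DatabaseSessionStore()
    sid, data, is_new = store.load({}, "203.0.113.5", "Firefox", now=1000)   # first visit
    data["user_id"] = 42                                                      # "add information"
    _, again, is_new2 = store.load({COOKIE_NAME: sid}, "203.0.113.5", "Firefox", now=1500)
    print(is_new, is_new2, again)               # True False {'user_id': 42}
    _, other, is_new3 = store.load({COOKIE_NAME: sid}, "203.0.113.5", "Chrome", now=1600)
    print(is_new3, other)                       # True {}  (different browser = someone else)
```

Two things the model makes visible that the prose only implies: a user-agent or IP mismatch does not just fail the lookup, it discards the row, so the old data is gone for that ID; and with cookie storage the 4 KB ceiling is hit by the serialised and signed payload, not by the raw values, so the check has to run on the final cookie string.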