Storage of $_SESSION.


mlse
10-04-2005, 02:33 PM
Hi.

I presume that the only session information to be passed as a token between the server and the client is the PHP session ID that is generated when start_session() is called upon the first client/server transaction of a session. Furthermore, I presume that the data stored in the $_SESSION superglobal is retained server-side, never being passed to the client (except, of course, if the programmer wishes to explicitly set HTML page data using the contents of $_SESSION). This would seem like the most obviously sensible thing to do for the sake of bandwidth!

Am I correct? ("Never assume anything, always ask!", or so the saying goes ...).

TIA,
Mike.

Fou-Lu
10-04-2005, 03:29 PM
Correct on all accounts.
$_SESSION is stored within the server, defined by the session.save_path and session.save_handler (INI_ALL) directives. The only data transferred between the host and the client is the session ID, which is generated first as a cookie, and should the cookie not exist, an append to the URI. In order for an automatic URI appending to happen, you need to set your session.enable_trans_sid to on (default is off). You also need to consider security controls as well for your sessions, as any user can type a valid session ID into their URI and they will be assigned the values of that session. There are many different routes for this, IP address, user agent, etc., but always rely on more than one, not just one. I'd recommend automatically regenerating the session ID upon each script generation as well to help avoid hijacks. Be careful with this though, as PHP 4 and down will not automatically reset a cookie for you.
Hope that's informative and answers your question ok!
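
An added example (not code from either poster) of the controls Fou-Lu describes: cookie-only session IDs, a server-side binding built from more than one client property, and regeneration of the ID on every request. It assumes PHP 7.3 or later, where session_start() accepts an options array and session_regenerate_id(true) deletes the old server-side record; /login.php is a hypothetical page.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.3+.
declare(strict_types=1);

session_start([
    'use_only_cookies' => 1,        // never fall back to appending the ID to the URI
    'use_trans_sid'    => 0,
    'use_strict_mode'  => 1,        // reject session IDs this server did not issue
    'cookie_httponly'  => true,     // keep the ID away from client-side script
    'cookie_secure'    => true,     // only send the cookie over HTTPS
    'cookie_samesite'  => 'Strict',
]);

// Binding built from more than one client property, as the post advises.
// For IPv4 only the /24 prefix is used so clients behind rotating proxy pools
// are not logged out spuriously; this is a constructed trade-off, tune it to
// your deployment (IPv6 addresses are used whole).
function client_fingerprint(): string
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $net = strpos($ip, ':') === false
        ? implode('.', array_slice(explode('.', $ip), 0, 3))
        : $ip;
    return hash('sha256', $ua . '|' . $net);
}

if (!isset($_SESSION['fp'])) {
    // First request of a fresh session: record the binding server-side.
    $_SESSION['fp'] = client_fingerprint();
} elseif (!hash_equals($_SESSION['fp'], client_fingerprint())) {
    // Binding no longer matches: the ID may have been pasted in by another
    // client. Discard the server-side data rather than trust it.
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php');   // hypothetical login page
    exit;
}

// Issue a new ID on every request and remove the old record, so an ID that
// leaks (for example through a logged URI) stops being valid almost at once.
session_regenerate_id(true);
```

Regenerating on every request can race with concurrent requests from the same browser (several AJAX calls in flight), so some deployments regenerate only on privilege changes such as login instead.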

mlse
10-04-2005, 03:42 PM
Thanks!