Sessions may but don't have to use database backend. The rest of your statements are generally fine (cookies, session_id).
Default session storage in PHP is a file in /tmp
folder - path can be checked by printing session.save_path
.
To summarize, sessions can utilize:
- File(s) on hard disk
- File(s) in memory e.g. in
/dev/shm
and its subfolders (/tmp can also reside in RAM) - Database - session tables may reside on disk or in memory
- Specialized memory backends
Response to your comment: You understand the process of sharing session data between browser and web server. But session storage used is important for you if you want to access session data manually (outside of PHP script).
If you store user_id
in $_SESSION
variable, then yes - you can use it to query database for user related information using it from within your PHP script in any subsequent request.