where does session save?
The session data that you read and write using $_SESSION
is stored on server side, usually in text files in a temporary directory. They can not be accessed from outside.
The thing connecting a session to a client browser is the session ID, which is usually stored in a cookie (see the comments for exceptions to that rule). This ID is, and should be, the only thing about your session that is stored on client side.
If you delete the cookie in the browser, the connection to that session is lost, even if the file on the server continues to exist for some time.
The session.save_path
variable influences the location on the server where the session data is stored. If you are not the server's administrator, it is usually not necessary to change it.
It's both! A session saves the actual session information on the server, but gives an identification cookie to the client to know which session belongs to which client. The information in the cookie itself is worthless, but allows the server to identify the client and use the actual session information.