Dealing with php sessions

$_SESSION[userdata] php

yisroel6

8:13 pm on Aug 12, 2010 (gmt 0)

What are the upper hands with using $_SESSION to hold user login data rather than using user defined variables? Additionally, how secure is the $_SESSION variable? Is it safe to hold an unencrypted password or other insecure data in it?

Matthew1980

8:51 pm on Aug 12, 2010 (gmt 0)

Hi there yisroel6,

Welcome to WebmasterWorld. Check this first: [webmasterworld.com]

WRT $_SESSION: So long as you have session_start(); declared before you try to access the data stored in $_SESSION, this is a pretty good way of storing information over sets of pages. You can still do this using a database, but $_SESSION is the easier option to manage.

But saying that, it does depend on the context of the project that you have in mind, could you be a little more specific in what you are trying to do?

And password/sensitive information shouldn't be passed unencrypted at any time or for any reason. If you do, then this is highly dangerous, as potentially you could be leaving yourself open to abuse.

$_SESSION by default is only active once activated for around 25 mins, though this can be manipulated via the ini file, and $_SESSION is actually a cookie (check your cookie log, it's called PHPSESSID) and should be treated as such.

I'm not sure whether there is any CPU/memory benefit between using $_SESSION or user defined vars, I have never looked into that ;)

And just reading your opening sentence again, login info should be hashed if you only use a $_SESSION, but that's not recommended. If you have access to a DB, use that... or if you haven't got a DB, you can use a flat text file and store it outside the root of your domain. There is usually a folder called Private_html; you would just need to access it from the absolute file path rather than the URL. I hope that makes sense ;)

Cheers,
MRb
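Putting the advice above into code: the following is an added example, not code from the thread or its posters. It shows a login flow that keeps only a user id and a timestamp in $_SESSION (never the password), hardens the PHPSESSID cookie before session_start() sends it, regenerates the id at login, and enforces the idle limit the post mentions. The function find_user($pdo, $username) is an assumed helper returning ['id' => int, 'password_hash' => string] or null, and password_verify() is used in place of the md5-with-salt scheme discussed later in the thread; the array form of session_set_cookie_params() needs PHP 7.3 or newer.

```php
<?php
// Added example (not from the thread): keep only a user id in $_SESSION, never the password.
// Assumed helper: find_user(PDO $pdo, string $username): ?array with keys 'id' and 'password_hash'.

// Cookie hardening must happen before session_start(), which is what sends PHPSESSID.
ini_set('session.use_only_cookies', '1');   // ignore session ids passed in the URL
ini_set('session.use_strict_mode', '1');    // refuse ids the server did not issue
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// The thread's "around 25 mins"; PHP's own default for session.gc_maxlifetime is 1440 seconds.
const IDLE_LIMIT = 25 * 60;

function login(PDO $pdo, string $username, string $password): bool
{
    $user = find_user($pdo, $username);                 // assumed helper, see above
    // password_verify() checks the submitted password against the stored hash;
    // the plaintext is never written anywhere and is gone when this function returns.
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // A fresh id on privilege change stops a pre-login id from being reused (session fixation).
    session_regenerate_id(true);
    $_SESSION = ['user_id' => (int) $user['id'], 'last_seen' => time()];
    return true;
}

function current_user_id(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        logout();                                        // idle too long: drop everything
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}

function logout(): void
{
    $_SESSION = [];
    // Expire the PHPSESSID cookie client-side as well as destroying the server-side copy.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

The point of the design is that the only thing the cookie carries is the session id; everything sensitive stays on the server and is reduced to an integer user id, so a leaked session file or cookie never exposes a password.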

yisroel6

7:51 am on Aug 13, 2010 (gmt 0)

First of all, yes I'm using mysql to store user data and yes all user passwords are encrypted.
My question earlier is simply asking if php session uses encryption. Thanks for your response!
If there is another alternative in storing encrypted data in sessions or what not, I'd love to know!

enigma1

9:27 am on Aug 13, 2010 (gmt 0)

I'm not sure whether there is any CPU/memory benefit between using $_SESSION

There isn't. You can use a custom array instead of the $_SESSION super array and keep track of the visitor. In which case you don't need to worry about session_start and when to call it or compatibility issues, or when and how the session cookie is sent, or session id format, or if the session is stored because of the safe mode etc.

If there is another alternative in storing encrypted data in sessions

md5 with salt should be good enough. Basically you send out an identifier that represents the session. You can encrypt specific data in a secure way.

No, by default PHP doesn't use any encryption, because it doesn't do or know anything about your variables until you tell it what to store, basically.

$_SESSION['user'] = 'joe';

Theoretically it will store the session information where you have the path setup to or if you have callback handlers it calls you and you can store the data in the db. Lots of complexity.
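To make the last point concrete, here is an added example (not code from the thread or its posters) of the callback-handler route described above: a SessionHandlerInterface implementation that receives the raw serialized session payload from PHP and encrypts it with libsodium before writing it to disk. The directory and key-file paths are assumptions; the key is 32 random bytes generated once with random_bytes() and kept outside the web root. It requires PHP 7.2 or newer for the sodium functions.

```php
<?php
// Added example (not from the thread): a custom session save handler that encrypts
// the serialized session payload before it reaches disk. PHP hands write() the raw
// serialized string (e.g. 'user|s:3:"joe";'), so anything not encrypted here is
// stored in the clear. Paths below are hypothetical.

final class EncryptedFileSessionHandler implements SessionHandlerInterface
{
    private $dir;
    private $key;

    public function __construct(string $dir, string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('key must be exactly 32 bytes');
        }
        $this->dir = rtrim($dir, '/');
        $this->key = $key;
    }

    private function path(string $id): string
    {
        // Accept only the character set PHP itself emits for ids, so a tampered
        // cookie value cannot steer the handler to an arbitrary file.
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            throw new RuntimeException('invalid session id');
        }
        return $this->dir . '/sess_' . $id;
    }

    #[\ReturnTypeWillChange]
    public function open($savePath, $sessionName) { return is_dir($this->dir); }

    #[\ReturnTypeWillChange]
    public function close() { return true; }

    #[\ReturnTypeWillChange]
    public function read($id)
    {
        $file = $this->path($id);
        if (!is_file($file)) {
            return '';                                   // new session: nothing stored yet
        }
        $blob     = file_get_contents($file);
        $nonceLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
        if ($blob === false || strlen($blob) <= $nonceLen) {
            return '';
        }
        $plain = sodium_crypto_secretbox_open(
            substr($blob, $nonceLen), substr($blob, 0, $nonceLen), $this->key
        );
        // A failed authentication tag means the file was altered or the key changed:
        // treat the session as empty rather than trusting partial data.
        return $plain === false ? '' : $plain;
    }

    #[\ReturnTypeWillChange]
    public function write($id, $data)
    {
        // Fresh random nonce per write; stored in front of the ciphertext.
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $blob  = $nonce . sodium_crypto_secretbox($data, $nonce, $this->key);
        return file_put_contents($this->path($id), $blob, LOCK_EX) !== false;
    }

    #[\ReturnTypeWillChange]
    public function destroy($id)
    {
        $file = $this->path($id);
        return !is_file($file) || unlink($file);
    }

    #[\ReturnTypeWillChange]
    public function gc($maxlifetime)
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $file) {
            if (filemtime($file) + $maxlifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }
}

// Usage (hypothetical paths): the key file holds the output of random_bytes(32).
$key = file_get_contents('/var/lib/myapp/session.key');
session_set_save_handler(new EncryptedFileSessionHandler('/var/lib/myapp/sessions', $key), true);
session_start();
$_SESSION['user'] = 'joe';   // now reaches disk only as nonce || secretbox(ciphertext)
```

The handler is the only place the plaintext payload exists, which is exactly the point the post makes: PHP itself never encrypts $_SESSION, so if the storage location is shared or readable by others, the encryption has to be done in a handler like this one (or the data kept to non-sensitive identifiers in the first place).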