PHP good practices question

tvienti Posts: 230 Member
I have a question for you PHP gurus. In the past I've designed my code around not putting sensitive info in $_SESSION. I don't know where I picked up the habit and I don't know if there's any reason behind it.

My question is: is it good practice to use $_SESSION to store sensitive information? For example, a $_SESSION['access_level'] variable that determines whether or not a user can access certain parts of the site? In the past my approach was to store something less sensitive like $_SESSION['username'] and then use SQL to determine access levels on the fly, but if I can avoid the extensive SELECTs by storing the info in memory, I'd like to.

Can somebody advise?

[red][b]T[/b][/red]

Comments

  • DarQ Posts: 1,625 Member
    [red]
    Interesting question :-)

    I only store the userID in $_SESSION, just like you store a username. Using the ID is a bit faster in a SELECT than the username.

    But ok, the values inside $_SESSION can contain sensitive information. But a session can be hijacked, and there lies the problem; this does not mean that a hacker can view the information, though. It's all about the design of your site, which determines what a hacker can do with a hijacked session.

    I always link a session to an IP when a user logs on; this prevents hijacking, but when a hacker spoofs your IP, this is useless.

    A session is restored server-side when the client visits a page and sends its SESSION cookie with the HTTP request. This is where a session can be hijacked in theory. In practice it's a bit more complicated, but it is doable.

    Anyway, you should NEVER store a user's password in readable form anywhere on your server. To do this, I hash (md5) the password with JScript when the client logs on/registers.
    [/red]

    [size=5][italic][blue]Dar[RED]Q[/RED][/blue][/italic][/size]
    http://mark.space.servehttp.com
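One way to put the reply's approach into code, as an added example that is not from either poster: only the user id lives in $_SESSION, the access level is one primary-key lookup per request, and the session id is regenerated at login. It assumes a PDO handle `$pdo` and a hypothetical `users(id, username, password_hash, access_level)` table, and verifies passwords with PHP's server-side `password_verify()` rather than the client-side md5 mentioned above.

```php
<?php
// Added example (not from the thread): keep only the user id in $_SESSION,
// look the access level up per request, and regenerate the session id on login.
// Assumes a PDO handle $pdo and a hypothetical table users(id, username,
// password_hash, access_level).
session_start();

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against the salted hash stored server-side; plaintext is never kept.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // new id on privilege change: defeats fixation
    $_SESSION['user_id'] = (int) $row['id'];
    // Optional IP binding as in the reply above; clients whose address changes
    // mid-session (mobile, some proxies) will be logged out by it.
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
    return true;
}

function currentAccessLevel(PDO $pdo): int
{
    if (!isset($_SESSION['user_id'])) {
        return 0;                          // anonymous
    }
    if (($_SESSION['ip'] ?? '') !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        session_unset();
        session_destroy();
        return 0;                          // treat a mismatched session as invalid
    }
    // One primary-key lookup per request instead of caching access_level in the
    // session, where it would go stale after an administrator changes it.
    $stmt = $pdo->prepare('SELECT access_level FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $level = $stmt->fetchColumn();
    return $level === false ? 0 : (int) $level;
}

function requireAccessLevel(PDO $pdo, int $minimum): void
{
    if (currentAccessLevel($pdo) < $minimum) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

A page restricted to administrators would call `requireAccessLevel($pdo, 2)` (or whatever level the table uses) before rendering anything.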
