PHP good practices question - Programmers Heaven


PHP good practices question

tvienti (Posts: 230, Member)
I have a question for you PHP gurus. In the past I've designed my code around not putting sensitive info in $_SESSION. I don't know where I picked up the habit and I don't know if there's any reason behind it.

My question is: is it good practice to use $_SESSION to store sensitive information? For example, a $_SESSION['access_level'] variable that determines whether or not a user can access certain parts of the site? In the past my approach was to store something less sensitive like $_SESSION['username'] and then use SQL to determine access levels on the fly, but if I can avoid the extensive SELECTs by storing the info in memory, I'd like to.

Can somebody advise?

T

Comments

  • DarQ (Posts: 1,625, Member)
    Interesting question :-)

    I only store the userID in $_SESSION, just like you store a username. Using the ID is a bit faster in a SELECT than the username.

    But OK, the values inside $_SESSION can contain sensitive information. A session can be hijacked, and there lies the problem, but this does not mean that a hacker can view the information. It's all about the design of your site, which determines what a hacker can do with a hijacked session.

    I always link a session to an IP when a user logs on; this prevents hijacking, but when a hacker spoofs your IP, this is useless.

    A session is restored server-side when the client visits a page and sends its SESSION cookie with the HTTP request. This is where a session can be hijacked in theory. In practice it's a bit more complicated, but it is doable.

    Anyway, you should NEVER store a user's password in readable form anywhere on your server. To do this, I hash (md5) the password with JScript when the client logs on/registers.


    DarQ
    http://mark.space.servehttp.com
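The approach both posts circle around (keep only the user id in $_SESSION, resolve the access level per request) as an added PHP example; this is not code from either poster, and it assumes a PDO connection plus a `users` table with `id`, `username`, `password_hash` and `access_level` columns.

```php
<?php
declare(strict_types=1);

// Cookie flags set before session_start(): HttpOnly keeps page scripts from reading the
// session id, Secure keeps it off plaintext HTTP, SameSite limits cross-site reuse.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Assumed schema: users(id, username, password_hash, access_level); the hash is created
// server-side with password_hash() at registration, so the browser never hashes anything.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // A fresh session id at the moment privileges change defeats session fixation:
    // an id the attacker planted before login is discarded here.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['login_at'] = time();
    return true;
}

// The access level is re-read on every request: one indexed lookup by primary key is cheap,
// and revoking a level in the database takes effect immediately instead of lingering in a
// session that may already have been hijacked.
function currentAccessLevel(PDO $db): int
{
    if (!isset($_SESSION['user_id'])) {
        return 0; // anonymous visitor
    }
    $stmt = $db->prepare('SELECT access_level FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $level = $stmt->fetchColumn();
    return $level === false ? 0 : (int) $level;
}

// Gate for a protected page: call at the top of any script that needs a minimum level.
function requireAccessLevel(PDO $db, int $required): void
{
    if (currentAccessLevel($db) < $required) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

If the per-request lookup really is too costly, cache the level in $_SESSION together with the time it was read and re-query once it is older than a short TTL, so a revoked level expires quickly rather than living as long as the session.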
