PHP good practices question Posted by tvienti on 13 May 2004 at 9:01 PM
I have a question for you PHP gurus. In the past I've designed my code around not putting sensitive info in $_SESSION. I don't know where I picked up the habit and I don't know if there's any reason behind it.

My question is: is it good practice to use $_SESSION to store sensitive information? For example, a $_SESSION['access_level'] variable that determines whether or not a user can access certain parts of the site? In the past my approach was to store something less sensitive like $_SESSION['username'] and then use SQL to determine access levels on the fly, but if I can avoid the extensive SELECTs by storing the info in memory, I'd like to.

Can somebody advise?

T
Re: PHP good practices question Posted by DarQ on 14 May 2004 at 5:15 AM

Interesting question.

I only store the userID in $_SESSION, just like you store a username. Using the ID is a bit faster in a SELECT than the username.

But OK, the values inside $_SESSION can contain sensitive information. A session can be hijacked, and there lies the problem, but this does not mean that a hacker can view the information. It's all about the design of your site, which determines what a hacker can do with a hijacked session.

I always link a session to an IP when a user logs on; this prevents hijacking, but when a hacker spoofs your IP, this is useless.

A session is restored server-side when the client visits a page and sends its SESSION cookie with the HTTP request. This is where a session can be hijacked in theory. In practice it's a bit more complicated, but it is doable.

Anyway, you should NEVER store a user's password in readable form anywhere on your server. To do this, I hash (md5) the password with JScript when the client logs on/registers.



DarQ
http://mark.space.servehttp.com
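The pattern DarQ describes (keep only the user id in $_SESSION, bind the session to the client IP, look the access level up per request), as an added example that is not code from either poster. It assumes a `users` table with `id`, `username`, `password_hash` and `access_level` columns, and uses server-side `password_hash()`/`password_verify()` in place of the client-side md5 the reply mentions.

```php
<?php
// Added example, not from the thread. Assumes a PDO $db and a users table
// with columns id, username, password_hash, access_level.

session_start();

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Server-side salted hash instead of the reply's md5-in-JScript approach.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);                    // never keep the pre-login session id
    $_SESSION['user_id'] = (int) $row['id'];        // the only thing stored, as DarQ suggests
    $_SESSION['ip']      = $_SERVER['REMOTE_ADDR']; // the IP binding the reply proposes
    return true;
}

function currentUserId(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['ip'])) {
        return null;
    }
    // Drop the session if the client address changed. Caveat from the reply:
    // this does nothing against a spoofed address, and it also logs out
    // legitimate users whose address changes (mobile networks, proxy pools).
    if (!hash_equals($_SESSION['ip'], $_SERVER['REMOTE_ADDR'])) {
        session_unset();
        session_destroy();
        return null;
    }
    return $_SESSION['user_id'];
}

function accessLevel(PDO $db, int $userId): int
{
    // One primary-key lookup per request, so the level cannot go stale in the
    // session if an admin demotes the account.
    $stmt = $db->prepare('SELECT access_level FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    return (int) $stmt->fetchColumn();
}

// On a protected page (assumed threshold of 2):
// $uid = currentUserId();
// if ($uid === null || accessLevel($db, $uid) < 2) { http_response_code(403); exit; }
```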