What should I store in a PHP session?

I know about all the issues with session fixation and hijacking. My question is really basic: I want to create an authentication system with PHP. For that, after the login, I would just store the user id in the session.

But: I've seen some people do weird things like generating a GUID for each user and session and storing that instead of just the user id in the session. Why?

The content of a session cannot be obtained by a client - or can it?


Sam


asked Apr 26, 2010 at 19:43

You're correct. The client just sees a randomly generated session id token. There are ways this token can be misused (hijacked, etc.), but having a GUID on top adds nothing. In contrast, options like session.cookie_httponly (JavaScript can't see the session cookie) and session.cookie_secure (the cookie can only be transmitted over HTTPS) protect against certain attack scenarios.

answered Apr 26, 2010 at 19:48

Matthew Flaschen
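The settings this answer names, put together in one place, as an added example rather than code from the answer: a session bootstrap that enables the two cookie flags (plus strict mode and cookie-only ids), regenerates the id at login, and then stores nothing in the session but the user's primary key. Function names here are my own.

```php
<?php
// Added example: hardened session setup storing only the user id.
// Not from the original answer; function names are illustrative.
declare(strict_types=1);

function startSecureSession(): void
{
    // Reject session ids the server never issued (blunts fixation via a planted id).
    ini_set('session.use_strict_mode', '1');
    // Take the id from the cookie only, never from the query string.
    ini_set('session.use_only_cookies', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // browser-session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // session.cookie_secure: sent over HTTPS only
        'httponly' => true,    // session.cookie_httponly: invisible to JavaScript
        'samesite' => 'Lax',   // not sent on most cross-site requests (PHP >= 7.3)
    ]);

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Call after the password check succeeds. $userId is the row's primary key.
function loginUser(int $userId): void
{
    // New id on privilege change: any id the client held before login is now worthless.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

function logoutUser(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as deleting the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Typical flow (constructed): startSecureSession(); ... loginUser($row['id']);
```

Everything sensitive (the id itself, the mapping id to user) stays on the server; the only thing the client ever holds is the opaque cookie, which the flags above keep away from scripts and plaintext transport.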

The short answer is that $_SESSION is safe and you do not need to worry about its contents being leaked to a user or attacker.

The content of the session is not normally accessible to the user. You should be able to store the user's primary key and you'll be fine. There are cases where the session can be leaked: on a normal Linux system the session folder is in /tmp, however this could be changed in your php.ini to the web root (/var/www/tmp) and then could be accessible. The only other way is if the user is able to get access to the $_SESSION super global by hijacking a call to eval() or by the variable being printed normally.

If you are running on a shared host and using an old version of PHP and/or your server is misconfigured it might be possible for another user on this system to read or even modify a session file stored in /tmp/. I don't know of a single application that takes this attack into consideration. If this is a problem you can store the information in a session table in the database.

answered Apr 26, 2010 at 20:32

rook

Sometimes, for added security, developers may assign a long string to the user's session in order to make hijacking even more difficult. By setting a cookie with this new string at the time of session creation, the app can check for the correct string on subsequent requests to better ensure it is the person who actually logged in.

It's just adding one more thing a wannabe hijacker would have to guess. However, it can be a false sense of security as it does little to protect the session if sniffing is involved because the new cookie is sent right along with the PHP session cookie. Also, session ids are very hard to guess as it is (as I'm sure you know, just don't place it in the URL but, rather, in the cookie).

Session info is stored on the hard drive so it's not obtainable by clients without application intervention.

answered Apr 26, 2010 at 19:54

webbiedave


I've never seen GUIDs being used for sessions, but there are a couple of additional methods I have seen that do add a little more security.

  • Storing the user's IP - if you need to force a session change based on locations (sometimes geoIP stuff will do this)
  • Storing the user's HTTP_USER_AGENT header string. Can provide a bit of security against hijacking if the hijacker happens to be using a different browser.

There's a great article on session hijacking countermeasures on Wikipedia, actually.

That being said, I would imagine that anyone storing a GUID as part of a session to use in session security might be failing to see a better solution (such as session regeneration). I can see other uses for a GUID to be stored (maybe it's part of a random generator for a game), but not for use with session security.

answered Apr 26, 2010 at 20:01


zombat

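The two checks this answer lists (user agent, client address) together with the regeneration it prefers, as an added example that is not from the answer: the session is bound to a fingerprint at login, every later request must match it, and the id is rotated on a timer. The functions take the request values as parameters so they can be exercised outside a web server; the 15-minute rotation interval and the /24 prefix are my own choices.

```php
<?php
// Added example: bind a session to request properties and rotate the id periodically.
// Not from the original answer; names and intervals are illustrative.
declare(strict_types=1);

const REGENERATE_EVERY = 900; // seconds between id rotations (constructed value)

function requestFingerprint(string $userAgent, string $remoteAddr): string
{
    // For IPv4, keep only the /24 so NAT pools and mobile networks don't evict the
    // user on every request; IPv6 addresses are used as-is.
    $ipPart = str_contains($remoteAddr, ':')
        ? $remoteAddr
        : implode('.', array_slice(explode('.', $remoteAddr), 0, 3));
    return hash('sha256', $userAgent . '|' . $ipPart);
}

// Call at login, right after session_regenerate_id() and storing the user id.
function bindSession(string $userAgent, string $remoteAddr): void
{
    $_SESSION['fp']             = requestFingerprint($userAgent, $remoteAddr);
    $_SESSION['regenerated_at'] = time();
}

// Call on every authenticated request. Returns false (and destroys the session)
// when the request no longer looks like the one that logged in.
function validateSession(string $userAgent, string $remoteAddr): bool
{
    if (!isset($_SESSION['fp'])) {
        return false;
    }
    if (!hash_equals($_SESSION['fp'], requestFingerprint($userAgent, $remoteAddr))) {
        // Mismatch: treat the id as possibly stolen and drop everything.
        $_SESSION = [];
        session_destroy();
        return false;
    }
    // Rotate the id on a schedule so a leaked id has a short useful life.
    if (time() - (int) $_SESSION['regenerated_at'] > REGENERATE_EVERY) {
        session_regenerate_id(true);
        $_SESSION['regenerated_at'] = time();
    }
    return true;
}

// Typical call in a request handler (constructed):
//   session_start();
//   if (!validateSession($_SERVER['HTTP_USER_AGENT'] ?? '', $_SERVER['REMOTE_ADDR'] ?? '')) {
//       header('Location: /login'); exit;
//   }
```

As the answer notes, the user agent is chosen by the client, so the fingerprint only catches an attacker who uses a different browser than the victim; the regeneration is what actually limits the damage of a leaked id.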
