Is it sufficient and safe enough to pass around the owner of a session using a single session variable?
In my website, I authenticate the user is who they are, and start the session for them by assigning their username to a session variable.
I then use this single session variable from page to page to access their data.
Is this sufficient or do I have to salt and hash their password and pass that around too?
Question re: session
Moderator: General Moderators
there really isnt a yes/no answer to this
it depends how you use the username.
also be aware, if your on shared hosting, they could likely "inject" thier own session file into the directory where php saves session data and thus create thier own session and set session variables to whatever they like.
if you have prepared for that, then yeah its prob safe enough.
it depends how you use the username.
also be aware, if your on shared hosting, they could likely "inject" thier own session file into the directory where php saves session data and thus create thier own session and set session variables to whatever they like.
if you have prepared for that, then yeah its prob safe enough.
no, its not encrypted at all.
however, you COULD encrypt the data in your session files by defining your own session_handler
lets say the current sid is fdsfy78sdayf87sad7fy777
php will look for a file in the session.save_path (default path is /tmp but you can change this)
php will look for a file named
sess_fdsfy78sdayf87sad7fy777
if it finds that file, it will load it and use the session data inside of it
now if i have an account on the same shared server, i can just write my own file into the /tmp directory
i create my own session id, lets say sess_evilssid4432jn4kn3
so now i goto your website, and use that sid and php will load the file i created and use that data.
the thing is, its really tough to try and fight this. they can most likely read files on
your server and if your encrypting it, find your encryption key in one of your php files
and use it etc... alot of the time they dont even need to try and get in using sessions,
they can just snatch your files eg file_get_contetns('usr/www/users/voltrader.com/html_docs/index.php';
this is really a shared hosting problem. not all shared hosting has this problem.
some have more, some less. this is just 1 quick possibility but theres many others.
if you really need security, you simply just need to do some google
searches on shared hosting security, php session security etc... and learn about it
theres php's safemode and open_basedir and although they work good, they still do not stop someone from
just bypassing php and using cgi...
but hopefully you dont need to worry about all this stuff
your requirements for security may not be that important.
however, you COULD encrypt the data in your session files by defining your own session_handler
lets say the current sid is fdsfy78sdayf87sad7fy777
php will look for a file in the session.save_path (default path is /tmp but you can change this)
php will look for a file named
sess_fdsfy78sdayf87sad7fy777
if it finds that file, it will load it and use the session data inside of it
now if i have an account on the same shared server, i can just write my own file into the /tmp directory
i create my own session id, lets say sess_evilssid4432jn4kn3
so now i goto your website, and use that sid and php will load the file i created and use that data.
the thing is, its really tough to try and fight this. they can most likely read files on
your server and if your encrypting it, find your encryption key in one of your php files
and use it etc... alot of the time they dont even need to try and get in using sessions,
they can just snatch your files eg file_get_contetns('usr/www/users/voltrader.com/html_docs/index.php';
this is really a shared hosting problem. not all shared hosting has this problem.
some have more, some less. this is just 1 quick possibility but theres many others.
if you really need security, you simply just need to do some google
searches on shared hosting security, php session security etc... and learn about it
theres php's safemode and open_basedir and although they work good, they still do not stop someone from
just bypassing php and using cgi...
but hopefully you dont need to worry about all this stuff
your requirements for security may not be that important.