Session question...
Posted: Tue Apr 25, 2006 9:37 pm
When using authentication is it acceptable to store session state info in PHP sessions?
I am pretty sure I understand this, but just to be sure...
When you authenticate someone, it's not a good idea to store an "auth=true" variable inside client side cookies, cause they are easily spoofed...
What about doing the same for PHP sessions?
I can't see them being easily tinkered with from the outside world or being any worse or better than storing session data in a DB like follows:
magic_cookie, time_created, userid
If I store:
magic_cookie, time_created
In a PHP session, would this be acceptable for authentication...and by acceptable I mean, prevents *direct* tinkering from outside world like a cookie, not indirect, like hijacking some poorly written script.
However if you care to list possible security flaws with using sessions over DB storage I'm listening
I can see a database being a little more secure on shared hosts, etc...as you need to pass yet another layer of authentication to access data. Other than that though, how is it better or worse than a database as far as security?
Cheers
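The pattern the question describes, as an added example that is not part of the original post: the browser holds only the opaque session id cookie, while `userid` and `time_created` live in `$_SESSION` on the server, so a client cannot flip an "auth=true" flag the way it could with a plain cookie. The credential check, the sample user table and the `SESSION_MAX_AGE` value are constructed for illustration.

```php
<?php
// Added example, not from the original post: server-side session state for
// authentication. The client never sees userid/time_created, only the session id.

declare(strict_types=1);

const SESSION_MAX_AGE = 3600; // absolute lifetime in seconds (assumed value)

function startSecureSession(): void
{
    // Cookie flags: not readable by script, only over HTTPS, not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
    session_start();
}

// Hypothetical credential check backed by a constructed one-user table.
function verifyCredentials(string $user, string $password): ?int
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => [42, password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    if (!isset($users[$user])) {
        return null;
    }
    [$id, $hash] = $users[$user];
    return password_verify($password, $hash) ? $id : null;
}

function login(string $user, string $password): bool
{
    $userId = verifyCredentials($user, $password);
    if ($userId === null) {
        return false;
    }
    // Fresh id on privilege change, so a pre-set session id is never promoted.
    session_regenerate_id(true);
    $_SESSION['userid']       = $userId;
    $_SESSION['time_created'] = time();
    return true;
}

function currentUserId(): ?int
{
    if (!isset($_SESSION['userid'], $_SESSION['time_created'])) {
        return null;
    }
    // Lifetime is enforced from the server-side timestamp; the client cannot extend it.
    if (time() - (int) $_SESSION['time_created'] > SESSION_MAX_AGE) {
        logout();
        return null;
    }
    return (int) $_SESSION['userid'];
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage for one request:
startSecureSession();
if (($_POST['action'] ?? '') === 'login') {
    echo login($_POST['user'] ?? '', $_POST['password'] ?? '') ? "logged in\n" : "bad credentials\n";
} elseif (($uid = currentUserId()) !== null) {
    echo "hello user {$uid}\n";
} else {
    echo "anonymous\n";
}
```

The shared-host concern raised in the question is about where PHP writes the session files: with the default `session.save_path` they sit in a directory shared by every account on the box. Pointing `session.save_path` at a directory only your account can read, or registering a custom save handler with `session_set_save_handler()` that stores the same `$_SESSION` data in your own database table, removes that gap while keeping the code above unchanged.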