any reason why should not use $_SESSION

PHP programming forum.
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Post by jmut »

Hi,
Is there any reason whatsoever for not using and relying on sessions?
Of course we assume we put only validated data in sessions.

One reason I see is probably on shared hosting... seeing others' session files (this could be avoided by storing sessions in a DB, for example).

But generally speaking, on a dedicated server, are there security problems or any other reason why one would not choose sessions but other weird ways to propagate data between pages?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

I think if you take basic precautions to regenerate the session ID when the user changes privilege level, then it should be reasonably secure.

Post by jmut »

arborint wrote: I think if you take basic precautions to regenerate the session ID when the user changes privilege level, then it should be reasonably secure.
Could you elaborate on this a little bit... maybe with a little example and what problem might arise.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Search for session hijacking and session fixation; there have been a few discussions on this subject lately :)
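Session fixation, and the session-ID regeneration that both Christopher's and Jenk's replies point at, spelled out as an added example (not code from the thread or from any poster). It assumes plain PHP 7.4+ with the default session store; the `$USERS` table, `DUMMY_HASH` and `check_credentials()` are constructed for this example.

```php
<?php
// Added example, not from the thread: session fixation and the fix the
// replies point at (regenerate the session ID when privilege changes).
//
// The attack: the attacker gets a session ID they already know onto the
// victim's browser (visit the site to be issued one, then plant it via a link
// carrying ?PHPSESSID=... while session.use_only_cookies is off, or via a
// cookie set from a sibling subdomain). The victim logs in while carrying that
// ID. If login just writes $_SESSION['user_id'] into the current session, the
// attacker's copy of the same ID is now a logged-in session for the victim.

declare(strict_types=1);

// Refuse IDs the server never issued and never read the ID from the URL.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
session_start();

// Constructed demo user table; a real application would query a database.
$USERS = [
    'alice' => ['id' => 1, 'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
];
// Verified against for unknown usernames so the response time does not reveal
// which usernames exist.
define('DUMMY_HASH', password_hash('not-a-real-password', PASSWORD_DEFAULT));

function check_credentials(array $users, string $user, string $password): ?int
{
    $hash = $users[$user]['hash'] ?? DUMMY_HASH;
    if (!password_verify($password, $hash) || !isset($users[$user])) {
        return null;
    }
    return $users[$user]['id'];
}

// VULNERABLE: keeps whatever session ID the browser arrived with, so a
// pre-planted ID becomes an authenticated one.
function login_vulnerable(array $users, string $user, string $password): bool
{
    $id = check_credentials($users, $user, $password);
    if ($id === null) {
        return false;
    }
    $_SESSION['user_id'] = $id;
    return true;
}

// FIXED: mint a new ID at the moment privilege rises and drop the old one.
// Do the same wherever privilege changes (re-authentication, switching to an
// admin role), not only at first login.
function login_fixed(array $users, string $user, string $password): bool
{
    $id = check_credentials($users, $user, $password);
    if ($id === null) {
        return false;
    }
    $keep = $_SESSION['csrf_token'] ?? null;   // the one pre-login value worth carrying over
    session_regenerate_id(true);               // true: delete the old session's data too
    $_SESSION = [];                            // start the privileged session clean
    if ($keep !== null) {
        $_SESSION['csrf_token'] = $keep;
    }
    $_SESSION['user_id']   = $id;
    $_SESSION['auth_time'] = time();
    return true;
}

// Logout: clearing the data is not enough; expire the cookie so the ID is not replayed.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

if (login_fixed($USERS, $_POST['user'] ?? '', $_POST['password'] ?? '')) {
    header('Location: /account');
    exit;
}
http_response_code(401);
echo 'Login failed';
```

One caveat with `session_regenerate_id(true)`: deleting the old session immediately breaks any request that was already in flight with the old ID (an AJAX call racing the login, for instance). If that matters, call it with `false` and mark the old session as superseded with a short expiry instead, so late requests still find it but nothing new can be stored under it.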
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

The first potential problem I thought of is how sessions are stored. PHP stores a session ID in a temporary cookie on the client. It then uses that session id to re-access the session data on each page load. If your connection isn't secure, someone could intercept the setting of the cookie data & in turn access the session data.

The way to fix that is to make your connection https.
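Cookie and transport settings for the interception problem pickle describes, as an added example (not code from the thread or from any poster). It assumes PHP 7.3+ (the array form of `session_set_cookie_params` with `samesite`) and a host that serves HTTPS; `CANONICAL_HOST` is an assumption for this example.

```php
<?php
// Added example, not from the thread: stop the PHPSESSID cookie from ever
// travelling in clear, and refuse to run the session over plain HTTP.
// CANONICAL_HOST is an assumption for this example.

declare(strict_types=1);

const CANONICAL_HOST = 'www.example.com';

// Weak (PHP defaults): the cookie is also sent over plain HTTP, is readable
// from JavaScript, and an ID the server never issued is accepted.
//   session_start();

// Hardened:
session_set_cookie_params([
    'lifetime' => 0,       // browser-session cookie, dropped when the browser closes
    'path'     => '/',
    'domain'   => '',      // host-only; a parent domain would share it with sibling hosts
    'secure'   => true,    // only ever sent over HTTPS, so it is never on the wire in clear
    'httponly' => true,    // invisible to document.cookie; limits theft via XSS
    'samesite' => 'Lax',   // not attached to cross-site POST requests
]);
ini_set('session.use_strict_mode', '1');   // reject client-chosen IDs (fixation)
ini_set('session.use_only_cookies', '1');  // never read the ID from the URL
ini_set('session.use_trans_sid', '0');     // never append it to links either
ini_set('session.cookie_secure', '1');     // belt and braces with the call above

// Refuse to run the session over plain HTTP at all, and pin the browser to
// HTTPS for future visits with HSTS.
function require_https(): void
{
    $https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
          || (int) ($_SERVER['SERVER_PORT'] ?? 0) === 443;
    if (!$https) {
        // Redirect to a fixed host, not $_SERVER['HTTP_HOST'], which the client controls.
        $uri = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: https://' . CANONICAL_HOST . $uri, true, 301);
        exit;
    }
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

require_https();
session_start();

// Light binding of the session to the client: a stolen ID presented from a
// browser with a different User-Agent is refused. This is a weak, spoofable
// signal, so it supplements HTTPS rather than replacing it. Deliberately not
// bound to the IP address, which changes legitimately for mobile and NATed users.
$fp = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
if (!isset($_SESSION['fp'])) {
    $_SESSION['fp'] = $fp;
} elseif (!hash_equals($_SESSION['fp'], $fp)) {
    $_SESSION = [];
    session_destroy();
    http_response_code(403);
    exit('Session invalidated');
}
```

The `secure` flag is the part that matters for the scenario in the post: without it, one plain-HTTP request to the same host (an `http://` image link is enough) makes the browser send the session cookie in clear even if every page is otherwise served over HTTPS.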