
any reason why should not use $_SESSION

Posted: Thu Aug 24, 2006 1:24 am
by jmut
Hi,
Is there any reason whatsoever for not using and relying on sessions?
Of course we assume we put only validated data in sessions.


One reason I see is probably on shared hosting: seeing others' session files (this could be avoided by storing sessions in a DB, for example).

But generally speaking, on a dedicated server, are there security problems or any other reason why one would not choose sessions but other weird ways to propagate data between pages?

Posted: Thu Aug 24, 2006 1:32 am
by Christopher
I think if you take basic precautions to regenerate the session ID when the user changes privilege level, then it should be reasonably secure.
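The "regenerate on privilege change" precaution mentioned above, as an added example (not code from the original thread or from any of its posters). The credential check, the user record and the `role` key are assumptions; a real application would verify against its own user store.

```php
<?php
// Added example: regenerate the PHP session ID whenever the privilege level
// of the session changes (anonymous -> logged in, user -> admin, logged in ->
// logged out). Assumes PHP 7.0+.
declare(strict_types=1);

// Assumed stand-in for a real credential lookup. The record is constructed
// inline so the example runs without a database.
function check_credentials(string $user, string $pass): ?array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'role' => 'admin'],
        ];
    }
    if (!isset($users[$user]) || !password_verify($pass, $users[$user]['hash'])) {
        return null;
    }
    return $users[$user];
}

function login(string $user, string $pass): bool
{
    $account = check_credentials($user, $pass);
    if ($account === null) {
        return false;
    }
    // Privilege is about to rise from anonymous to authenticated. Issue a new
    // ID and delete the old session data (the `true` argument). Any ID an
    // attacker planted before login (session fixation) or observed earlier
    // is therefore not the ID of the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user']       = $user;
    $_SESSION['role']       = $account['role'];
    $_SESSION['login_time'] = time();
    return true;
}

// Any further step up gets the same treatment, e.g. after re-entering the
// password to reach an admin area.
function elevate(string $new_role): void
{
    session_regenerate_id(true);
    $_SESSION['role'] = $new_role;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie on the client too; otherwise the old ID stays in the
    // browser even though the server-side data is gone.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['user'], $_POST['pass'])) {
    if (login((string) $_POST['user'], (string) $_POST['pass'])) {
        header('Location: /dashboard.php');   // assumed landing page
        exit;
    }
    http_response_code(401);
    echo 'Login failed';
}
```

The point of regenerating rather than only writing `$_SESSION['user']` is that a session ID the browser already carried before login (supplied by a link, a subdomain cookie, or sniffed traffic) must not become a logged-in session; `session_regenerate_id(true)` makes the pre-login ID worthless.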

Posted: Thu Aug 24, 2006 1:53 am
by jmut
arborint wrote: I think if you take basic precautions to regenerate the session ID when the user changes privilege level, then it should be reasonably secure.
Could you elaborate on this a little bit, maybe with a little example and what problem might arise?

Posted: Thu Aug 24, 2006 4:57 am
by Jenk
Search for session hijacking and session fixation; there have been a few discussions on this subject lately :)

Posted: Thu Aug 24, 2006 2:38 pm
by pickle
The first potential problem I thought of is how sessions are stored. PHP stores a session ID in a temporary cookie on the client. It then uses that session ID to re-access the session data on each page load. If your connection isn't secure, someone could intercept the setting of the cookie data and in turn access the session data.

The way to fix that is to make your connection https.
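The cookie-handling side of the point above, as an added example (not from the original thread): the session cookie is flagged so the browser only sends it over HTTPS, and the ID is only ever accepted from the cookie rather than from the URL. It assumes PHP 7.3+ for the array form of `session_set_cookie_params()`; `APP_HOST` and the cookie name are assumptions.

```php
<?php
// Added example: session bootstrap that keeps the session ID off the wire
// in clear text and out of URLs. Include before any output on every page.
declare(strict_types=1);

const APP_HOST = 'www.example.com';   // assumed canonical host

// Refuse to run over plain HTTP. Redirect to the fixed canonical host rather
// than echoing the Host header, so the redirect cannot be steered elsewhere.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header('Location: https://' . APP_HOST . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}

// Accept the ID only from the cookie, never from ?PHPSESSID=... in the URL,
// which would let an attacker hand a victim a link carrying a chosen ID.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject IDs the server did not itself issue (an unknown ID arriving in the
// cookie is discarded and a fresh one generated).
ini_set('session.use_strict_mode', '1');

session_set_cookie_params([
    'lifetime' => 0,       // session cookie: discarded when the browser closes
    'path'     => '/',
    'domain'   => '',      // current host only, no subdomains
    'secure'   => true,    // browser sends it over HTTPS only
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',   // not attached to cross-site POSTs
]);

session_name('APPSESSID');   // assumed name; avoids advertising the PHP default
session_start();

// Returns true when the current request's cookie parameters match the hardened
// settings; useful as a startup self-check on a new server.
function session_cookie_is_hardened(): bool
{
    $p = session_get_cookie_params();
    return $p['secure'] === true
        && $p['httponly'] === true
        && ini_get('session.use_only_cookies') === '1'
        && ini_get('session.use_strict_mode') === '1';
}
```

With `secure` set, the cookie is never requested over HTTP even if a user types the plain URL, so the redirect above is belt-and-braces; without HTTPS on every page that calls `session_start()`, the ID still crosses the network in the clear on each request, not just when the cookie is first set.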