Are database sessions safer than regular sessions?
Do they prevent the types of security problems that regular sessions have?
Do you know of a good tutorial on implementing database sessions?
Thanks for your guidance.
regular sessions vs. database sessions
Re: regular sessions vs. database sessions
I don't think DB-based session storage is inherently more secure than file-based session storage.
The main advantage of a database session system is that it simplifies implementation in a clustered server environment. If you have two servers in a cluster, then you can set the load balancer to have an affinity to one server per session or have the files stored on some shared network drive. Or you can simply use a database and not depend on network configuration.
If you are concerned about security, you can write a custom session handler that encrypts and decrypts the session data after serialization and before un-serialization respectively. Whether file based or db based, you can encrypt the data.
This devshed article explains the situation and goes step by step through the code. It looks pretty good.
Re: regular sessions vs. database sessions
Just thought I would add that if you have shared hosting for your website, then it can make it safer to store them in your database, as other users on the same server as you will often have their standard sessions saved to the same /tmp directory of the server, and people can write scripts to download them all, including yours.
- kaisellgren (DevNet Resident; Lahti, Finland)
Re: regular sessions vs. database sessions
ct_lee wrote: Just thought I would add that if you have shared hosting for your website, then it can make it safer to store them in your database, as other users on the same server as you will often have their standard sessions saved to the same /tmp directory of the server, and people can write scripts to download them all, including yours.

True. The session extension by default keeps files in a directory that is accessible to everyone on the same server, which is terrible in a shared hosting environment. All you need to do is to have the files under your home directory.
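The "files under your home directory" fix from the reply above, as an added example that is not the poster's code. It assumes PHP runs as your own account (a PHP-FPM pool or suEXEC, not a shared mod_php user), that ext/posix is available, and that the path /home/alice/private is a hypothetical directory outside the web root.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread: move file-based sessions out of the
// shared /tmp into a directory only this account can read, and refuse to
// start a session if that directory is not actually private.
function privateSessionPath(string $base): string
{
    $dir = $base . '/sessions';
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    $st = stat($dir);
    // Must be owned by the user PHP is running as, with no group/other bits set.
    // Otherwise another tenant could still list and read the session files.
    if ($st === false || $st['uid'] !== posix_geteuid() || ($st['mode'] & 0077) !== 0) {
        throw new RuntimeException("$dir must be owned by this account with mode 0700");
    }
    return $dir;
}

// Both settings must be applied before session_start(); afterwards they are ignored.
ini_set('session.save_path', privateSessionPath('/home/alice/private'));
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
session_start();
```

The same setting can be made without code: `session.save_path` in a `.user.ini` for PHP-FPM/CGI, or `php_value session.save_path /home/alice/private/sessions` in `.htaccess` under mod_php. Two caveats: if the host runs every tenant's PHP as one shared web-server user, the directory mode changes nothing, because the other tenants' scripts run as the same uid and can read it regardless, and only the database approach with per-tenant credentials actually isolates you; and once sessions leave the default path, make sure `session.gc_probability` is non-zero, since distributions that disable PHP's own garbage collection (Debian, for one) only sweep the default directory from cron.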