regular sessions vs. database sessions

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

mottwsc
Forum Commoner
Posts: 55
Joined: Sun Dec 23, 2007 8:01 pm

regular sessions vs. database sessions

Post by mottwsc »

Are database sessions safer than regular sessions?
Do they prevent the types of security problems that regular sessions have?
Do you know of a good tutorial on implementing database sessions?

Thanks for your guidance.
tr0gd0rr
Forum Contributor
Posts: 305
Joined: Thu May 11, 2006 8:58 pm
Location: Utah, USA

Re: regular sessions vs. database sessions

Post by tr0gd0rr »

I don't think DB-based session storage is inherently more secure than file-based session storage.

The main advantage of a database session system is that it simplifies implementation in a clustered server environment. If you have two servers in a cluster, then you can set the load balancer to have an affinity to one server per session or have the files stored on some shared network drive. Or you can simply use a database and not depend on network configuration.

If you are concerned about security, you can write a custom session handler that encrypts and decrypts the session data after serialization and before unserialization, respectively. Whether file-based or DB-based, you can encrypt the data.

This devshed article explains the situation and goes step by step through the code. It looks pretty good.
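The custom-handler approach described above, as an added example that is not code from the post or the linked article: a PDO-backed session handler that encrypts serialized session data with libsodium before it reaches the database and authenticates it on read, so a tampered row is rejected rather than unserialized. The table layout, the SESSION_KEY environment variable (64 hex characters), the SQLite path and the REPLACE syntax are assumptions.

```php
<?php
// Added example (not from the post or the linked article): DB-backed session handler that
// encrypts serialized session data with libsodium. Assumes PHP 8+, PDO, sodium, a table
// sessions(id TEXT PRIMARY KEY, data TEXT, expires INTEGER) and SESSION_KEY = 64 hex chars.
final class EncryptedDbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private string $key, private int $ttl = 1440)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('session key must be 32 bytes');
        }
    }
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        $row  = $st->fetchColumn();
        $blob = $row === false ? '' : (string) base64_decode($row, true);
        if (strlen($blob) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) return ''; // unknown, expired or corrupt
        $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $ct    = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        // Authenticated decryption: a tampered row fails here instead of being unserialized.
        $plain = sodium_crypto_secretbox_open($ct, $nonce, $this->key);
        return $plain === false ? '' : $plain;
    }
    public function write(string $id, string $data): bool
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);   // fresh nonce per write
        $blob  = base64_encode($nonce . sodium_crypto_secretbox($data, $nonce, $this->key));
        $st = $this->db->prepare('REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)');
        return $st->execute([$id, $blob, time() + $this->ttl]);   // REPLACE: MySQL/SQLite syntax
    }
    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires <= ?');
        $st->execute([time()]);
        return $st->rowCount();
    }
}
// Wiring (constructed): SQLite file outside the web root; the key comes from the environment.
$db = new PDO('sqlite:/var/lib/app/sessions.sqlite');
$db->exec('CREATE TABLE IF NOT EXISTS sessions (id TEXT PRIMARY KEY, data TEXT, expires INTEGER)');
$key = sodium_hex2bin((string) getenv('SESSION_KEY'));
session_set_save_handler(new EncryptedDbSessionHandler($db, $key), true);
session_start();
```

Because the handler stores only ciphertext, a read-only leak of the table (or of a shared save directory, for a file-based variant of the same idea) yields nothing without the key, and any modification of a stored row makes the decryption fail closed to an empty session.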
ct_lee
Forum Newbie
Posts: 12
Joined: Wed Aug 05, 2009 3:15 pm

Re: regular sessions vs. database sessions

Post by ct_lee »

Just thought I would add that if you have shared hosting for your website, then it can be safer to store them in your database, as other users on the same server as you will often have their standard sessions saved to the same /tmp directory of the server, and people can write scripts to download them all, including yours.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: regular sessions vs. database sessions

Post by kaisellgren »

ct_lee wrote: Just thought I would add that if you have shared hosting for your website, then it can be safer to store them in your database, as other users on the same server as you will often have their standard sessions saved to the same /tmp directory of the server, and people can write scripts to download them all, including yours.

True. The session extension by default keeps files in a directory that is accessible to everyone on the same server, which is terrible in a shared hosting environment. All you need to do is to have the files under your home directory.