Some questions about Sessions / Cookies

Posted: Sun Jul 10, 2011 12:32 pm
by brownca
Hi, I'm still a beginner with PHP but just have a few questions on sessions and cookies which I hope someone can help out with.

As I understand it, a random session id is stored locally as a cookie (PHPSESSID), which links up to the user's session data stored on the server.

I am designing a website which currently stores a user's unique ID in a session variable. Other user data is generated on each page from this user ID. Am I right in thinking that this is secure, since the sensitive data (the user ID) is being stored on the server, and the only way someone else could access it is by cloning the PHPSESSID cookie?

Is it likely/possible that two identical PHP session IDs could be created, and if so is it possible to manually set the session ID (so that I can ensure its uniqueness)?

I wish to implement a 'Remember Me' feature. I know I need to set a cookie, but what should it contain? If it contained the username, that would surely be insecure since someone could just create a cookie with a known username to log in as that person. Should I be setting the PHP session ID cookie to expire in a year instead?

Thanks in advance.
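The 'Remember Me' question above is the one most often answered badly, so here is an added example (not code from the original thread or from any poster) of the usual safe design: the cookie carries a random selector plus a random validator, the server stores only a hash of the validator, and each successful use consumes the token and issues a new one. It assumes PHP 7.3 or newer (random_bytes, hash_equals, the array form of setcookie) and uses an in-memory SQLite table via PDO as a stand-in for a real tokens table; the cookie name, table name and 30-day lifetime are illustrative choices.

```php
<?php
// Added example: "remember me" tokens as a selector/validator pair.
// Assumes PHP 7.3+ and the pdo_sqlite extension. The in-memory database
// stands in for your real persistent tokens table (assumption).
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';      // cookie name (assumption)
const REMEMBER_TTL    = 30 * 24 * 60 * 60;  // 30 days, in seconds (assumption)

function openTokenStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE remember_tokens (
        selector       TEXT PRIMARY KEY,
        validator_hash TEXT NOT NULL,
        user_id        INTEGER NOT NULL,
        expires_at     INTEGER NOT NULL
    )');
    return $db;
}

// Issue a token for $userId. The cookie value is "selector:validator".
// Only sha256(validator) is stored, so a leaked table does not let an
// attacker build a working cookie.
function issueRememberToken(PDO $db, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(12)); // lookup key, effectively public
    $validator = bin2hex(random_bytes(32)); // secret, lives only in the cookie
    $stmt = $db->prepare('INSERT INTO remember_tokens
        (selector, validator_hash, user_id, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $now + REMEMBER_TTL]);
    return $selector . ':' . $validator;
}

// Send the token to the browser. HttpOnly keeps it away from scripts, Secure
// keeps it off plain HTTP, SameSite=Lax stops most cross-site submissions.
function setRememberCookie(string $token, int $now): void
{
    setcookie(REMEMBER_COOKIE, $token, [
        'expires'  => $now + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Validate a presented cookie. Returns ['user_id' => ..., 'new_token' => ...]
// or null. The looked-up row is always deleted: a valid token is rotated,
// an expired or mismatched one is revoked (a mismatch on a real selector
// means the cookie was guessed or replayed after theft).
function consumeRememberToken(PDO $db, string $cookie, int $now): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires_at
        FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    if ((int) $row['expires_at'] < $now) {
        return null;
    }
    // Constant-time comparison so timing does not leak the stored hash.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    $userId = (int) $row['user_id'];
    return ['user_id' => $userId, 'new_token' => issueRememberToken($db, $userId, $now)];
}

// Demonstration with constructed data, no HTTP involved. In a request
// handler you would call setRememberCookie() with each issued token.
$db    = openTokenStore();
$now   = time();
$token = issueRememberToken($db, 42, $now);
$first = consumeRememberToken($db, $token, $now + 3600);
echo ($first !== null && $first['user_id'] === 42) ? "first use: accepted\n" : "first use: REJECTED\n";
$replay = consumeRememberToken($db, $token, $now + 3600);
echo ($replay === null) ? "replay of old cookie: rejected\n" : "replay: ACCEPTED (bug)\n";
$late = consumeRememberToken($db, $first['new_token'], $now + REMEMBER_TTL + 1);
echo ($late === null) ? "expired token: rejected\n" : "expired: ACCEPTED (bug)\n";
```

Two points the code makes that answer the question directly: a cookie containing just the username is forgeable because nothing in it is secret, and a long-lived PHPSESSID is a poor substitute because session files are typically garbage-collected and the session ID then doubles as a year-long bearer credential. A separate random token that is hashed at rest, bound to an expiry and rotated on use keeps the exposure small; when it is redeemed, start a fresh PHP session for the user rather than reviving an old one.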

Re: Some questions about Sessions / Cookies

Posted: Sun Jul 10, 2011 2:33 pm
by social_experiment
brownca wrote:Am I right in thinking that this is secure, since the sensitive data (the user ID) is being stored on the server, and the only way someone else could access it is by cloning the PHPSESSID cookie?
If you are using shared hosting your sessions could be accessed by other users.
The Manual wrote:The session module cannot guarantee that the information you store in a session is only viewed by the user who created the session. You need to take additional measures to actively protect the integrity of the session, depending on the value associated with it.
brownca wrote:Is it likely/possible that two identical PHP session IDs could be created, and if so is it possible to manually set the session ID (so that I can ensure its uniqueness)?
It's possible, but you shouldn't rely on this value only for 'uniqueness'.

Read this topic for more information on sessions: f=34&t=130286
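The two warnings in the reply above (shared-hosting session storage, and not trusting the session ID for uniqueness) translate into a handful of concrete settings. The following is an added example, not code from the thread or the PHP manual, showing how they are applied: a private session.save_path so other accounts on the host cannot read your session files, session.use_strict_mode so PHP refuses IDs the server never issued (the safer answer to "can I set the session ID manually" is to let PHP generate it and reject client-chosen ones), locked-down cookie flags, and session_regenerate_id() on login so an ID planted before authentication never becomes a logged-in session. It assumes PHP 7.3 or newer; the directory name and $_SESSION keys are illustrative.

```php
<?php
// Added example: hardening PHP's built-in session handling.
// Assumes PHP 7.3+ (array form of session_set_cookie_params). The save
// directory and the $_SESSION key names are assumptions for illustration.
declare(strict_types=1);

function startHardenedSession(string $privateSavePath): void
{
    // 1. Keep session files out of the host-wide /tmp that every account on a
    //    shared server can read. The directory must be owned by the user the
    //    web server runs this site as, mode 0700.
    ini_set('session.save_path', $privateSavePath);

    // 2. Only accept IDs this server generated (blocks fixation via a pre-set
    //    PHPSESSID), and only from a cookie, never from the URL.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // 3. Cookie flags: unreadable from JavaScript, HTTPS only, not sent on
    //    cross-site navigations, and discarded when the browser closes.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();
}

// Call after the password check succeeds. The ID is swapped and the old
// session file deleted, so whatever ID the browser held before login no
// longer maps to an authenticated session.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $userId, 'login_at' => time()];
}

function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Clear server-side data, expire the cookie with the same attributes it was
// set with, and remove the session file.
function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Demonstration from the command line. A private directory under the system
// temp dir stands in for the application's own session directory.
$dir = sys_get_temp_dir() . '/myapp_sessions';
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
startHardenedSession($dir);
$before = session_id();
loginUser(42);
$after = session_id();
echo ($before !== $after) ? "session ID rotated on login\n" : "session ID NOT rotated\n";
echo 'logged in as user ' . currentUserId() . "\n";
logoutUser();
```

On the uniqueness worry: since PHP 7.1 session IDs are drawn from the platform CSPRNG, by default 32 characters at 4 bits each (128 bits), so an accidental collision is not a realistic risk; the realistic risks are an attacker choosing the ID for the victim (fixation, addressed by use_strict_mode and regeneration on login) or reading it from a shared session store (addressed by the private save_path).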