Session thingy

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

wpsd2006
Forum Commoner
Posts: 66
Joined: Wed Jan 07, 2009 12:43 am

Session thingy

Post by wpsd2006 »

hi, maybe someone has posted this before

just a simple question, but i haven't got any satisfying answer

1. How secure is the $_SESSION thingy?
Will someone be able to hack it?
Like if i put a password or username in $_SESSION, will someone be able to retrieve it?

2. Will a large $_SESSION slow my web load?
Let's say i've got around 100 $_SESSION array entries... or more. Is there any limit?
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Re: Session thingy

Post by daedalus__ »

i wouldn't put a password inside a session. i can't really see why you would need to. using google could probably answer your question fairly easily.

can i ask why you want an array with 100 keys in a session? there is probably a limit somewhere but i doubt you'll find it. i imagine it could slow things down if you use it wrong but i am not certain. i'm pretty rusty.

have you consulted the php manual?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Session thingy

Post by kaisellgren »

The session data is always stored somewhere, be it the filesystem or the database. You can affect the behaviour with session_set_save_handler(). If someone compromises your filesystem, it does not really matter if he has your session, because he has your entire filesystem under control.

There is no specific limit for session array size. Even if you can have one million rows in a session array, you would probably hit the memory limit. The default memory limit is 16 MB. If you insert data of size 16 MB into one array row, you will notice that won't be possible with a memory limit of 16 MB. The memory limit can be changed with ini_set(), but then we have the physical memory limit.

Let's say we have an array of 1024 rows; the memory use for that array declaration is sizeof(int)*1024. The sizeof could be 32 bits on some systems, 64 bits on others. The data you pass into the array will have the greatest meaning here.
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: Session thingy

Post by jaoudestudios »

I second daedalus, why would you want to store the password in a session?
aschlosberg
Forum Newbie
Posts: 24
Joined: Fri Jan 23, 2009 10:17 pm

Re: Session thingy

Post by aschlosberg »

Sessions can be hijacked, which means that one person gains control of another person's session. While they won't necessarily be able to retrieve any login credentials that you store, they will have all the "victim's" privileges. Here is a great article that explains the various methods:

http://shiflett.org/articles/session-hijacking
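As an added example (not code from the thread or from any of the posters), here is a login routine in the spirit of the replies above: it keeps the password out of $_SESSION and stores only a user id, regenerates the session id on login so a pre-login id cannot be reused, and sets the cookie options that limit hijacking. The $users array, its fields and the sample user are assumptions; session.cookie_samesite needs PHP 7.3 or later.

```php
<?php
// Added example, not from the thread. $users maps a username to an id and a
// password hash made with password_hash(); in a real application it comes
// from a database (assumption).

// Session settings that make hijacking harder; they must precede session_start().
ini_set('session.use_only_cookies', '1');   // never accept a session id from the URL
ini_set('session.use_strict_mode', '1');    // reject ids the server did not generate
ini_set('session.cookie_httponly', '1');    // JavaScript cannot read the cookie
ini_set('session.cookie_secure', '1');      // send the cookie over HTTPS only
ini_set('session.cookie_samesite', 'Strict');
session_start();

/**
 * Verify credentials and store only a user identifier in the session.
 * The password itself is never written to $_SESSION, so a stolen session
 * file or a hijacked session id does not reveal it.
 */
function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['hash'])) {
        return false;
    }
    // Fresh session id on privilege change, so an id fixed before login is useless.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $users[$username]['id'];
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie as well as the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Constructed sample user; the hash is generated at runtime so the script runs as-is.
$users = [
    'alice' => ['id' => 42, 'hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
];

if (login($users, 'alice', 'wrong password')) { echo "unexpected\n"; }
if (login($users, 'alice', 'correct horse battery staple')) {
    echo "logged in as user " . $_SESSION['user_id'] . "\n"; // the password is not in the session
}
```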