Session thingy
Posted: Mon Jan 12, 2009 12:26 am
by wpsd2006
hi, maybe someone has already posted this
just a simple question, but i haven't got any satisfying answer
1. How secure is the $_SESSION thingy?
will someone be able to hack it?
like if i put a password or username in $_SESSION, will someone be able to retrieve it?
2. Will a large $_SESSION slow my webload?
let's say i got around 100 $_SESSION array... or more, is there any limit?
Re: Session thingy
Posted: Mon Jan 12, 2009 1:30 am
by daedalus__
i wouldn't put a password inside a session. i can't really see why you would need to. using google could probably answer your question fairly easily.
can i ask why you want an array with 100 keys in a session? there is probably a limit somewhere but i doubt you'll find it. i imagine it could slow things down if you use it wrong but i am not certain. i'm pretty rusty.
have you consulted the php manual?
Re: Session thingy
Posted: Mon Jan 12, 2009 7:20 am
by kaisellgren
The session data is always stored somewhere, be it the filesystem or the database. You can affect the behaviour with session_set_save_handler(). If someone compromises your filesystem, it does not really matter if he has your session, because he has your entire filesystem under control.
There is no specific limit for session array size. Even if you can have one million rows in a session array, you would probably hit the memory limit. The default memory limit is 16 MB. If you insert data of size 16 MB into one array row, you will notice that won't be possible with a memory limit of 16 MB. The memory limit can be changed with ini_set(), but then we have the physical memory limit.
Let's say we have an array of 1024 rows; the memory use for that array declaration is sizeof(int)*1024. The sizeof could be 32 bits on some systems, 64 bits on some systems. The data you pass into an array will have the greatest meaning here.
Re: Session thingy
Posted: Mon Jan 12, 2009 9:41 am
by jaoudestudios
I second daedalus, why would you want to store the password in a session?
Re: Session thingy
Posted: Fri Jan 23, 2009 10:45 pm
by aschlosberg
Sessions can be hijacked, which means that one person gains control of another person's session. While they won't necessarily be able to retrieve any login credentials that you store, they will have all the "victim's" privileges. Here is a great article that explains the various methods:
http://shiflett.org/articles/session-hijacking
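
Added example, not part of the original posts: one way to apply the advice in this thread, keeping only a user identifier in $_SESSION (never the password) and reducing the hijacking exposure mentioned above. It assumes PHP 7.3 or later and an HTTPS site; `$users`, `start_hardened_session()`, `login()` and `current_user_id()` are hypothetical names, and the user table is constructed sample data.

```php
<?php
// Constructed in-memory user table; a real application would query its database.
$users = ['alice' => ['id' => 7, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];

function start_hardened_session(): void
{
    ini_set('session.use_strict_mode', '1');  // reject session IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept the session ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(array $users, string $name, string $password): bool
{
    $user = $users[$name] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true); // fresh ID at login; the old session data is deleted
    // Store an identifier and a timestamp only: no password, no password hash.
    $_SESSION = ['uid' => $user['id'], 'login_at' => time()];
    return true;
}

function current_user_id(int $maxAge = 1800): ?int
{
    if (!isset($_SESSION['uid'], $_SESSION['login_at'])) {
        return null;
    }
    if (time() - $_SESSION['login_at'] > $maxAge) { // expire stale logins server-side
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return $_SESSION['uid'];
}

// Demo: results are collected first so nothing is output before the session calls.
start_hardened_session();
$rejected = login($users, 'alice', 'wrong');
$accepted = login($users, 'alice', 'correct horse');
var_dump($rejected, $accepted, current_user_id(), array_keys($_SESSION));
```

A hijacked session still carries the victim's privileges until it expires, so the server-side age check and the ID regeneration at login limit the window rather than remove the risk.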