
What's the best way to store data between pages in PHP? I would have thought sessions work well, or even object sessions (https://stackoverflow.com/a/5515341/1445985). But let's say I was building a shopping cart, are PHP sessions really so easily hackable that it isn't advisable to store cart/basket data in them? Who cares anyway if someone did manage to get someone else's basket data, it wouldn't do any harm surely? Obviously credit card data etc. is harmful but a list of different products in an order would not be a worry at all.

I have seen a shopping cart that I currently work with (I didn't make it) store every order into a table in a DB and then just query the table by Order ID to retrieve all the order information. Is this advisable?

I am constantly trying to find the best ways to do things in PHP and the problem is there never seems to be one trustworthy way to do anything. There is always someone saying that it's a bad idea.

Chud37
  • "are PHP sessions really so easily hackable" — What makes you think that they are? – Quentin Mar 12 '13 at 14:46
  • @Quentin someone mentioned it in another stackoverflow question I was just reading but can't find now :S – Chud37 Mar 12 '13 at 14:47
  • Sessions don't persist beyond the current browser session, if you want a cart to persist between visits you need to use a db. – datasage Mar 12 '13 at 14:48
  • @datasage Stop spreading that FUD. Sessions can last forever if you set them up that way. That's not to say that's a great idea, just that sessions do ***not*** have to expire after "the current browser session". – deceze Mar 12 '13 at 14:51
  • The rule of thumb that I use is I never store secure data in sessions because like you said they can be hacked or stolen. So if you're just using them to store what items a user is clicking on I can't really see any harm to that. It's faster than querying the database. –  Mar 12 '13 at 14:51
  • PHP sessions are perfectly fine for storing this info. Just as long as you implement your session logic carefully. You could also use other solutions like a cache engine (APC, Redis) for storage. But eventually it has to be saved somewhere. – tlenss Mar 12 '13 at 14:51
  • @deceze You should never assume it will; once you scale beyond a single server and need to store sessions outside of the default file session store, you may not get the persistence you expect. – datasage Mar 12 '13 at 14:52
  • @datasage That's a totally different topic. – deceze Mar 12 '13 at 14:53
  • @deceze The other side of the issue is that if you have enough traffic and store too much data in sessions, you will either run out of disk space or have too much I/O contention related to sessions. It's not a good design decision to have sessions persist for a long time, even though you could. – datasage Mar 12 '13 at 14:57
  • @datasage That's a totally different topic! There's a lot to think about when it comes to sessions, yes, but it's simply not true that sessions are only ever valid during "the current browser session"! – deceze Mar 12 '13 at 15:06

3 Answers


Here is some general information on making your PHP sessions secure:

PHP Session Security

That said, I've built some custom carts using a similar method to what you described. I store the order ID from the DB in a cookie. As the user advances through the checkout process, the shopping cart pages are built using the order information stored in different db tables.

I didn't necessarily do that for security though. Keeping the order stored in the database means I don't have to worry about the user's session expiring and them losing everything in their cart. If they close their browser and come back the next day, they can still continue shopping where they were previously. Storing their order in the database also makes it possible to tie their cart to a user ID, so they can log in from different machines and still preserve their shopping cart information.

Arth Du
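The database-backed cart this answer describes, as an added example (not code from the answer or from any real cart): the cookie carries a random cart token rather than the sequential order ID, so a shopper cannot reach someone else's cart by changing a number. The table layout, the `cart` cookie name and the use of SQLite are assumptions made for this example.

```php
<?php
// Added example, not code from the answer above: a cart kept in the database and
// tied to the browser through a cookie, as Arth Du describes. The cookie carries a
// random token instead of the sequential order ID, so one shopper cannot reach
// another's cart by changing a number. Table layout and SQLite are assumptions.

declare(strict_types=1);

function cart_db(): PDO {
    $pdo = new PDO('sqlite::memory:');   // any PDO driver with upsert support works
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS carts (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        token TEXT NOT NULL UNIQUE,   -- random value held in the cookie
        user_id INTEGER NULL,         -- filled in once the shopper logs in
        created_at TEXT NOT NULL)');
    $pdo->exec('CREATE TABLE IF NOT EXISTS cart_items (
        cart_id INTEGER NOT NULL, sku TEXT NOT NULL, qty INTEGER NOT NULL,
        PRIMARY KEY (cart_id, sku))');
    return $pdo;
}

// Resolve the shopper's cart from the cookie; issue a new cart and cookie when
// the cookie is missing or its token is unknown.
function current_cart_id(PDO $pdo): int {
    $token = $_COOKIE['cart'] ?? '';
    if (preg_match('/^[a-f0-9]{64}$/', $token)) {
        $stmt = $pdo->prepare('SELECT id FROM carts WHERE token = ?');
        $stmt->execute([$token]);
        if (($id = $stmt->fetchColumn()) !== false) {
            return (int) $id;
        }
    }
    $token = bin2hex(random_bytes(32));   // 256-bit token: not guessable
    $pdo->prepare('INSERT INTO carts (token, created_at) VALUES (?, ?)')
        ->execute([$token, gmdate('c')]);
    setcookie('cart', $token, [
        'expires' => time() + 30 * 86400, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    return (int) $pdo->lastInsertId();
}

// Add a line item, or increase its quantity, with a prepared statement.
function add_item(PDO $pdo, int $cartId, string $sku, int $qty): void {
    $pdo->prepare('INSERT INTO cart_items (cart_id, sku, qty) VALUES (?, ?, ?)
        ON CONFLICT(cart_id, sku) DO UPDATE SET qty = qty + excluded.qty')
        ->execute([$cartId, $sku, $qty]);
}
```

A page handler would call `add_item($pdo, current_cart_id($pdo), 'SKU-1001', 2)` with `$pdo = cart_db()`; filling `user_id` at login is what lets the same cart follow the shopper across machines, as the answer describes.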

While PHP sessions can be hijacked under certain conditions, they are generally considered to be secure and should be more than adequate for the situation you are describing. Using SSL (HTTPS) for the entire session is highly advisable.

Also, if at all possible, do not persist CC data in your application at all.

MrGlass

The problem isn't with PHP's sessions (unless your server is hacked in which case the attacker has direct access to all session data and other stuff), it's how you associate the session data with a particular user. You have a session ID which you must send to the client. Either in a cookie or as a GET parameter on all your inbound links.

This means that somebody can either intercept (man in the middle attack) that session ID and then use it himself (thus acting as the victim), or he can somehow guess the session ID (which is unlikely).

So the only way to protect against that is to use https which will encrypt all requests between the server and the client and will prevent anyone from grabbing that information.

Jan Hančič
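The session settings that follow from this answer, as an added example (not code from the answer): the session ID is only ever carried in a cookie, never as a GET parameter, IDs the server did not issue are rejected, and the cookie is restricted to HTTPS. The `cart` key layout and the function names are choices made for this example; PHP 7.3 or later is assumed for the SameSite option.

```php
<?php
// Added example, not code from the answer above: session settings that close off
// the two routes Jan Hančič describes, the ID being carried in a URL where it can
// be intercepted or logged, and an ID being accepted that the server never issued.
// Needs PHP 7.3+ for the SameSite option; everything else is core PHP.

declare(strict_types=1);

function start_hardened_session(): void {
    // Only the cookie carries the ID; never accept it as a GET parameter.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server did not generate: a guessed or planted ID gets a
    // fresh one instead of becoming a valid session.
    ini_set('session.use_strict_mode', '1');
    // 64 characters at the default 4 bits each is a 256-bit ID.
    ini_set('session.sid_length', '64');
    // The cookie travels only over HTTPS, is invisible to JavaScript and is not
    // sent on cross-site requests.
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
    if (!isset($_SESSION['initiated'])) {
        // First request of this session: issue a fresh ID and an empty cart.
        // Call session_regenerate_id(true) again after login so an ID captured
        // before login is worthless afterwards.
        session_regenerate_id(true);
        $_SESSION['initiated'] = true;
        $_SESSION['cart'] = [];
    }
}

// Keep only product references and quantities in the session, never payment data.
function cart_add(string $sku, int $qty): void {
    $_SESSION['cart'][$sku] = ($_SESSION['cart'][$sku] ?? 0) + $qty;
}

function cart_items(): array {
    return $_SESSION['cart'] ?? [];
}
```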