are anonymous sessions secure?

Question

I'm new in web design. My concern is if I trace anonymous users by session to keep correct language, and etc., then I would save data for each user who visit my website(for example 2 KB). then wouldn't it make my website vulnerable against attacking users to overflow memory of session storage by creating false sessions?

thanks

http://stackoverflow.com/questions/454635/where-are-session-variables-stored — user20232359723568423357842364, Jun 12 '13 at 20:19
i really don't think you have to worry about this. i have never had an attack against any site i have run in the last 10 years. — , Jun 12 '13 at 20:26
In all honestly 'slightly' more vulnerable than the usual DOS attack. — MickJ, Jun 12 '13 at 20:35
not all DOS attacks would trigger a session creation, depends on the type — , Jun 12 '13 at 20:43
I take back my comment. You are right. In fact most DOS attacks would not. — MickJ, Jun 12 '13 at 20:48
my conclusion is it is not worth worrying about. 1. its very unlikely to happen. 2. sessions wont make it worse if it does — , Jun 12 '13 at 21:04

score 4 · Accepted Answer · answered Jun 12 '13 at 20:22

4

Why not use local storage, cookies or some other solution instead of sessions? I am not saying that thats the best solution but cookies might be better solution for just keeping preferences. They "could" be longer lasting than session and less intensive on server side.

answered Jun 12 '13 at 20:22

MickJ

2,127
3
20
34

1

in most set ups you would still get a session for every cookie, for the propagation of the id. – Jun 12 '13 at 20:24
Correct but not 'every cookie' but every client session. But at least you would not be putting anything else on that session, keeping all the info on the client side cookie. Also by not using session cookies you might keep the information around longer. Disclaimer: I am not a huge cookie abuse fan. Just saying. – MickJ Jun 12 '13 at 20:26

score 1 · Answer 2 · answered Jun 12 '13 at 20:23

1

PHP saves sessions to disk by default; it's only in memory while the program is actually running, so it would only be a memory issue if you had a lot of visitors simultaneously -- ie running your PHP code at exactly the same time on the same server.

But the amount of memory used by your session array is small compared with the memory used overall by your whole PHP process, so if you had sufficient simultaneous visitors for that to cause a problem, then it's unlikely that having a session for each of them would make much of a difference.

The real way to mitigate against this kind of thing is to make your programs run fast, so that they exit quickly, and thus there is less chance of having large numbers of copies of it running simultaneously.

answered Jun 12 '13 at 20:23

Spudley

166,037
39
233
307

is this kind of attacks serious for expert programmers(does it have any name to search?), or I should skip thinking about that at all. – gerrnar Jun 12 '13 at 20:28
Well, a large number of visitors at once would either be because your site is really popular (in which case you need to increase your server resources to cope) or it's a DoS ('Denial of service') attack, in which case you need to have a good sys admin available to pick up the pieces (programming doesn't come into it really, beyond making your code perform as fast and lean as possible so it can cope better and writing defensive code so that fatal errors like 'out of memory' in the middle of your program don't break things, but you should do that anyway). – Spudley Jun 12 '13 at 20:33

are anonymous sessions secure?

2 Answers2