
I have built multiple sites already using PHP that allow users to log in and keep their user id and username in session variables. I keep learning more about security and I want to check what the safest way is to store user information.

I am currently working on a user account page which allows users to view and edit their profile information. Currently the site does a simple MySQL query that pulls the user's information from the database based on the id stored in the session.

Example:

session_start();
$userid = $_SESSION['userid']; // id stored in the session at login

$getUserInfoSQL = $connection->prepare("SELECT * FROM Accounts WHERE id = ?");
$getUserInfoSQL->bind_param("s", $userid);
$getUserInfoSQL->execute();

I just want to make sure it's not reckless to provide user information based only on the session variable userid.

Wesley Brian Lachenal

2 Answers


You can easily use a session to store user data, as the session contents are stored on YOUR server. However, storing user data in a session can cause some problems:

  • If you e.g. ban a user, the session would still be active, and the user could keep browsing your site even though they are no longer in the database.
  • If a user is logged in on two machines (e.g. a computer and a smartphone) and changes their user data on one device, you would have to update the session on the device they are changing it from, but the other session then contains outdated info.
  • Server restarts can wipe session data
Trolley
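The pattern the question and the answer above are both circling, written out as an added example (it is not code from the question or from either answer): keep only the user id in the session, regenerate the session id when the user logs in, and re-read the account row from the database on every request, so a ban or deletion takes effect on the next request instead of living on in the session. It assumes a mysqli connection in $connection, a mysqlnd build (for get_result()), and a hypothetical Accounts table with id, username, password_hash and banned columns.

```php
<?php
// Added example, not code from the question or either answer.
// Assumes a mysqli connection in $connection and a hypothetical Accounts
// table with columns id, username, password_hash and banned.

declare(strict_types=1);

// Harden the session cookie before the session starts (PHP 7.3+ array form).
session_set_cookie_params([
    'httponly' => true,     // not readable from JavaScript
    'secure'   => true,     // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Called from the login form. Only the id goes into the session;
// everything else is re-read from the database on each request.
function login(mysqli $connection, string $username, string $password): bool
{
    $stmt = $connection->prepare(
        'SELECT id, password_hash, banned FROM Accounts WHERE username = ?'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    if ($row['banned']) {
        return false;
    }

    // Issue a fresh session id on login so a session id fixed by an
    // attacker before authentication never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION['userid'] = (int) $row['id'];
    return true;
}

// Load the current user for this request. Returns null when nobody is
// logged in, the account no longer exists, or it has been banned since
// the session was created, and tears the session down in those cases.
function currentUser(mysqli $connection): ?array
{
    if (!isset($_SESSION['userid'])) {
        return null;
    }
    $stmt = $connection->prepare(
        'SELECT id, username, banned FROM Accounts WHERE id = ?'
    );
    $userid = (int) $_SESSION['userid'];
    $stmt->bind_param('i', $userid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    if ($row === null || $row['banned']) {
        logout();
        return null;
    }
    return $row;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage on the account page: every request goes back to the database,
// so a stale or banned session cannot keep browsing.
$user = currentUser($connection);
if ($user === null) {
    header('Location: /login.php');
    exit;
}
```

The cost is one extra primary-key lookup per request, which is what buys you the ban-takes-effect-immediately and no-stale-profile-data properties from the list above; the second bullet disappears because the session never holds the profile data in the first place.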

Using session variables should be safe enough. The session data is kept on the server and the only thing stored locally on the user's end is the session ID.

PHP stores the session data in a file on the server, but you can store it in the database as well. It's a bit faster and should be safer as well. Check out the answer by RobertPitt at https://stackoverflow.com/a/2950504/859999 to find out how to store session data in the database.

aldavigdis
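A minimal database-backed session handler of the kind the answer refers to, added here as an example; it is not the code from the linked Stack Overflow answer. It assumes PDO with the MySQL driver and a hypothetical sessions table with id, data and expires columns (schema in the comment), and targets PHP 8 for the interface's return types.

```php
<?php
// Added example, not code from the answer or the linked Stack Overflow post.
// Assumes PDO (MySQL driver) and a hypothetical table:
//   CREATE TABLE sessions (
//     id      VARCHAR(128) PRIMARY KEY,
//     data    BLOB NOT NULL,
//     expires INT UNSIGNED NOT NULL
//   );

declare(strict_types=1);

class DbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private int $lifetime; // seconds a session row stays valid after its last write

    public function __construct(PDO $db, int $lifetime = 1440)
    {
        $this->db = $db;
        $this->lifetime = $lifetime;
    }

    // Nothing to open or close: the PDO connection outlives the session.
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // Expired rows are treated as missing even before gc() removes them.
        $stmt = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = ? AND expires > ?'
        );
        $stmt->execute([$id, time()]);
        $data = $stmt->fetchColumn();
        // An empty string tells PHP to start a fresh session for this id.
        return $data === false ? '' : $data;
    }

    public function write(string $id, string $data): bool
    {
        // Upsert: the session id is the primary key, so a repeat write
        // updates the row and extends its expiry.
        $stmt = $this->db->prepare(
            'INSERT INTO sessions (id, data, expires) VALUES (?, ?, ?)
             ON DUPLICATE KEY UPDATE data = VALUES(data), expires = VALUES(expires)'
        );
        return $stmt->execute([$id, $data, time() + $this->lifetime]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = ?');
        return $stmt->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires <= ?');
        $stmt->execute([time()]);
        return $stmt->rowCount();
    }
}

// Register the handler before session_start(); the second argument
// registers session_write_close() as a shutdown function.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
session_set_save_handler(new DbSessionHandler($pdo), true);
session_start();
```

The rows are plain database records, so they survive a web server restart, can be shared between several web servers behind a load balancer, and are queryable: if you also add a user_id column, banning a user can delete that user's session rows directly, which the file-based default does not make easy.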