
I'm preparing just a simple page with the ability to log on. One of the features is being able to change the user data given at registration. My code works as follows.

Logging in:

if (passwordIsCorrect()) {
    // log in: remember who this user is for the rest of the session
    $_SESSION['user'] = $email;
}

So I write an email or user ID to a session variable. When the user completes the form and clicks submit, I write the changes to the database, searching for the appropriate row in the 'users' table using

$_SESSION['user'];

Is this a safe way? Could it be improved in some way?

  • Yes, you will be safe enough, though you might be able to improve your security in other aspects. For example, hashing passwords: http://www.sitepoint.com/password-hashing-in-php/ – Joel Harkes Oct 28 '14 at 12:25
  • I don't see any security threats... basically you're just updating a session variable, this has nothing to do with user data or so... – Laurent S. Oct 28 '14 at 12:26
  • I did not think password encryption in PHP was that simple. I'm still learning. Thanks guys. – user3364397 Oct 28 '14 at 12:33

2 Answers


Yes, it is safe, although you could keep the user ID instead, since the email can be changed.

I think your question is related to this one: php storing user id in session?

Joanvo

That's fine, assuming your email is sanitized or pulled from your database.

The $_SESSION array is stored on the server, not on the client's machine: think of it as a temporary array on the server linked to the user's browser session.

The email isn't passed back and forth with each request, only the session ID.

Instead of the email, I'd use the userID - not for security, just for convenience. The user may change their profile to modify their email, and your userID is likely to be an index on your database so will be slightly faster - it would only be a small performance increase, but since you're doing it on every request it will add up.

Jon Story
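Putting both answers into practice (keep the user ID in the session rather than the email, and keep the email out of the SQL text) together with the comment's point about password hashing, here is an added example. It is not code from the question or from either answer. It assumes a 'users' table with columns id, email, name and password_hash, uses an in-memory SQLite database through PDO so it runs stand-alone from the command line, and adds session_regenerate_id() at login as an extra hardening step that the page itself does not mention.

```php
<?php
// Added example, not code from the question or the answers. Assumes a
// 'users' table (id, email, name, password_hash) and an in-memory SQLite
// database via PDO so that it runs stand-alone from the CLI.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        email TEXT NOT NULL UNIQUE,
        name TEXT NOT NULL,
        password_hash TEXT NOT NULL)');
    return $pdo;
}

function register(PDO $pdo, string $email, string $name, string $password): void
{
    // Store a salted hash (bcrypt with PASSWORD_DEFAULT), never the plain password.
    $stmt = $pdo->prepare('INSERT INTO users (email, name, password_hash) VALUES (?, ?, ?)');
    $stmt->execute([$email, $name, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false; // same result for an unknown email and a wrong password
    }

    // Issue a fresh session ID at login so an ID planted before authentication
    // does not turn into an authenticated session (session fixation).
    session_regenerate_id(true);

    // Keep the immutable user ID in the session, not the email, which the
    // user may change later on the profile form.
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function updateProfile(PDO $pdo, string $newEmail, string $newName): bool
{
    if (!isset($_SESSION['user_id'])) {
        return false; // not logged in
    }

    // The row to update is chosen by the server-side session value, never by a
    // form field, and the prepared statement keeps the email out of the SQL.
    $stmt = $pdo->prepare('UPDATE users SET email = ?, name = ? WHERE id = ?');
    $stmt->execute([$newEmail, $newName, $_SESSION['user_id']]);
    return $stmt->rowCount() === 1;
}

function currentEmail(PDO $pdo): ?string
{
    $stmt = $pdo->prepare('SELECT email FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id'] ?? 0]);
    $email = $stmt->fetchColumn();
    return $email === false ? null : $email;
}

// Walk-through with constructed sample data (run: php example.php).
if (PHP_SAPI === 'cli') {
    session_start();
    $pdo = connect();
    register($pdo, 'alice@example.com', 'Alice', 'correct horse battery staple');

    var_dump(login($pdo, 'alice@example.com', 'wrong password'));
    var_dump(login($pdo, 'alice@example.com', 'correct horse battery staple'));

    // Changing the email does not break the session: it still points at the same id.
    var_dump(updateProfile($pdo, 'alice@new.example', 'Alice'));
    var_dump(currentEmail($pdo));
}
```

The two lookups (login by email, update by id) are the whole point of the answers: the email is a mutable attribute that is only trusted once, at login, while the id stored in $_SESSION is what every later request acts on, and it never crosses the wire because only the session cookie does.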