My project is using PHP's $_SESSION to identify users.

What I would like to know is if session variables are secure and if it is safe to store user data in them.

For example: let's say I wanted to add Jim's username to a file. Is it safe to put his id in a session variable upon login and base my queries to retrieve his user data on that id?

Please note that I want to keep everything very secure.

Peter
Eugene Stamp
  • It's better to use sessions than cookies. Duplicate: http://stackoverflow.com/questions/1181105/how-safe-are-php-session-variables – Daimos Jul 20 '15 at 12:00
  • As the session is only available on the server, it's fairly safe, assuming your server is safe. – RiggsFolly Jul 20 '15 at 12:01
  • @RiggsFolly My initial thought was that it's safe, however would encrypting this session variable help? – Eugene Stamp Jul 20 '15 at 12:04
  • It is safe if your server is safe... it makes a file in a folder (/etc/var/php if I remember well). If for any reason/security issue someone is able to write in this folder, it is no longer safe... – Random Jul 20 '15 at 12:06
  • Again, if the server is compromised then they can also work out your encryption mechanism/keys etc, so it probably would only add complexity rather than security – RiggsFolly Jul 20 '15 at 12:09
  • I am currently using web hosting. – Eugene Stamp Jul 20 '15 at 12:09
  • When you use sessions, only the session id is passed back and forth between the server and the client. So all the variables are stored on the server. I don't think there's a need to encrypt the variables. Why not use SSL? – frz3993 Jul 20 '15 at 12:10
  • Ditto: if the host is safe you are safe; if the host is compromised you are not, even if you encrypt. – RiggsFolly Jul 20 '15 at 12:10
  • So would the following statement be correct?: Sessions cannot be stored safely, only in a file on the server. – Eugene Stamp Jul 20 '15 at 12:12
  • I may add: safely, yes; however, not 100% safe. – Eugene Stamp Jul 20 '15 at 12:16
  • Cannot understand what you mean through your statement... :) – Random Jul 20 '15 at 13:06
  • The whole premise of your question lies on the definition of **very secure** (term coined by you). So, what do you deem *very secure*? What does that entail? There are many ways of handling sessions, from a file on the server (default) to a network service (memcached, redis) to the encrypted cookie (session data is sent to the user's browser, but it's encrypted using a key stored on your server). What kind of *very secure* are you looking for? – N.B. Jul 20 '15 at 14:01

1 Answer


Yes, sessions are pretty safe from the client's point of view.

Only a session id is sent to and stored in the user's browser, and it is too hard to guess for someone to take over another user's session id.

The actual session data is stored in your server's files, so saving data in a session is as safe as writing it to a file or to a database.

blue112
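The pattern the question describes, keeping only the user's id in `$_SESSION` after login and keying every later query on that id, as an added example that is not part of the question or the answer above. The `users` table (columns `id`, `username`, `email`, `password_hash`), the PDO DSN and the credentials are assumptions; the session-cookie settings are the ones a practitioner would set because the session id is the only secret the client ever holds.

```php
<?php
// Added example (not from the original page): store only the user id in the
// server-side session after a successful login, rotate the session id at that
// moment, and look the user up by that id with a prepared statement.
declare(strict_types=1);

// Harden the session cookie before session_start(). The id is the only thing
// the browser holds, so it must not travel over plain HTTP or be readable by
// page scripts. Array form of session_set_cookie_params() needs PHP >= 7.3.
session_set_cookie_params([
    'lifetime' => 0,       // expires when the browser closes
    'path'     => '/',
    'secure'   => true,    // only sent over HTTPS
    'httponly' => true,    // not exposed to JavaScript (limits XSS impact)
    'samesite' => 'Lax',   // not sent on cross-site POSTs (limits CSRF)
]);
// Reject session ids that this server did not issue itself.
ini_set('session.use_strict_mode', '1');
session_start();

// Assumed schema: users(id, username, email, password_hash).
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Issue a fresh id on privilege change. This defeats session fixation,
    // where an attacker plants a known id in the victim's browser before login.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Every later request derives the user from the server-side session value,
// never from anything the client sends besides the session cookie itself.
function currentUser(PDO $db): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    return $user === false ? null : $user;
}

// Clear the server-side data and invalidate the cookie, not just one or the other.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage (assumed DSN and credentials):
// $db = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// if (login($db, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//     $user = currentUser($db);   // e.g. ['id' => 7, 'username' => 'jim', ...]
// }
```

Storing only the id, rather than the whole user record, means a later change to the account (password reset, role removal, deletion) takes effect on the next request instead of lingering in the session until it expires. The hardening in this example only covers the client side of the trust boundary that the comments above discuss; if the host or the session save path is writable by an attacker, session contents are as exposed as any other file on that server.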