
For logging purposes I have to store the client PHPSESSID in the database.

Assuming that the sessions are expired, are there any bad practices linked to this? Can someone predict a PHPSESSID by reading the list?

Grateful to hear of any situation where this can lead to a security problem.

Dharman
  • _“For logging purposes I have to store the client PHPSESSID onto database.”_ - why do you “have to”? _Explain_ stuff like this properly, instead of pretending it was an absolute unchangeable given. – 04FS Sep 30 '19 at 13:45
  • Possible duplicate of [What is the correct and safe/secure way to keep a user logged in? cookies? session? PHP && MYSQL](https://stackoverflow.com/questions/10566988/what-is-the-correct-and-safe-secure-way-to-keep-a-user-logged-in-cookies-sessi) – Masivuye Cokile Sep 30 '19 at 13:59

1 Answer


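People can set PHPSESSIDs, as they are stored locally, meaning it is not safe to use them in any form of security measure.

Please see this:
[What is the correct and safe/secure way to keep a user logged in? cookies? session? PHP && MYSQL](https://stackoverflow.com/questions/10566988/what-is-the-correct-and-safe-secure-way-to-keep-a-user-logged-in-cookies-sessi)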

Thrallix
  • The purpose is not to keep a user logged in. I just want to know if there is any possible problem coming from knowing the past session_id of the users. – Domenico D'Attoma Oct 04 '19 at 10:13
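
Since the answer notes that the PHPSESSID cookie value is client-controlled, one way to log a session reference is to validate it and store a keyed hash instead of the raw ID. This is an added example, not code from the question or the answer; the `session_log` table, the function names and the in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example: session_log, sessionLogToken and logSessionEvent are hypothetical names.

/** Return a log-safe token for a session ID, or null if the value is malformed. */
function sessionLogToken(string $sessionId, string $logKey): ?string
{
    // The cookie value is chosen by the client, so validate it before use.
    // Character set and length follow PHP's session.sid_bits_per_character
    // (up to 6 bits: 0-9, a-z, A-Z, "-", ",") and session.sid_length (22-256).
    if (!preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $sessionId)) {
        return null;
    }
    // Keyed hash: the same session always maps to the same token, so log rows
    // can still be correlated, but the stored value is not the session ID and
    // cannot be recomputed without the server-side key.
    return hash_hmac('sha256', $sessionId, $logKey);
}

/** Insert one log row; returns false when the session ID is rejected. */
function logSessionEvent(PDO $db, string $sessionId, string $logKey, string $event): bool
{
    $token = sessionLogToken($sessionId, $logKey);
    if ($token === null) {
        return false; // reject rather than store client-chosen text
    }
    $stmt = $db->prepare(
        'INSERT INTO session_log (session_token, event, logged_at) VALUES (?, ?, ?)'
    );
    return $stmt->execute([$token, $event, gmdate('c')]);
}

// --- Demo with constructed values ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE session_log (session_token TEXT, event TEXT, logged_at TEXT)');

$logKey = random_bytes(32);           // in practice: a fixed secret kept outside the database
$realId = bin2hex(random_bytes(16));  // constructed stand-in for session_id()
$forged = 'client-chosen value!';     // constructed malformed cookie value

var_dump(logSessionEvent($db, $realId, $logKey, 'login'));
var_dump(logSessionEvent($db, $forged, $logKey, 'login'));

foreach ($db->query('SELECT session_token, event FROM session_log') as $row) {
    echo $row['session_token'], ' ', $row['event'], PHP_EOL;
}
```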