PHP SESSION Security question

Question

Is it safe for me to use in live website?

member.php

if($_SESSION['login'] == 1)
//member stuff

$_SESSION['login'] is set after user authenticate via login.php

Reminded me of Szell from Marathon Man... – zaf Jun 06 '11 at 10:14 — zaf, Jun 06 '11 at 10:14

score 1 · Answer 1 · edited May 23 '17 at 11:55

1

Session security in PHP is often asked about - see PHP Session Security for pretty good answers.

edited May 23 '17 at 11:55

Community

1
1

answered Jun 06 '11 at 10:14

Shadikka

4,116
2
16
19

score 1 · Answer 2 · answered Jun 06 '11 at 10:14

1

In general: yes. You may want to set a bit more variables, but sessions are only available to php and not the user. The part where it gets exciting in terms of security is how you handle your authentication.

answered Jun 06 '11 at 10:14

Arend

3,741
2
27
37

score 0 · Answer 3 · answered Jun 06 '11 at 10:14

0

Yes, you should check if $_SESSION is set too.

if(isset($_SESSION['login'])) { ...
    if($_SESSION['login'] == 1) { ...

answered Jun 06 '11 at 10:14

Otto

4,020
6
35
46

1

nested ifs? `if( isset($_SESSION['login']) && $_SESSION['login'] == 1 )` The right hand part of the expression isn't evaluated if the left hand is false, so no notice will be generated – Erik Jun 06 '11 at 16:55

score 0 · Answer 4 · answered Jun 06 '11 at 10:14

0

It's safe as the $_SESSION state is stored on your server, not sent back to the client.

answered Jun 06 '11 at 10:14

Steve Mayne

22,285
4
49
49

score 0 · Answer 5 · answered Jun 06 '11 at 10:18

0

Using sessions is better than using cookies when checking for logins/authentication since they can be altered as it communicates with the server from client side when session are only used for server side reading.

answered Jun 06 '11 at 10:18

MacMac

34,294
55
151
222

PHP SESSION Security question

5 Answers5