How secure is a PHP session? - (*10-100c for answers)

Discussion in 'Scripts, 3rd Party Apps, and Programming' started by DefecTalisman, Jan 3, 2008.

Thread Status:
Not open for further replies.
  1. DefecTalisman

    DefecTalisman Community Advocate Community Support

    I want to save a username and encrypted password in a session.

    ****ANSWERED****
    Would this be secure, if not is there a way to make it secure or an alternate method that the user can traverse a series of pages and carry this variable with them ?
    ****ANSWERED****

    ****QUESTION****
    Do sessions increase the load on a server to the point that it wouldn't be advisable for many users to be using them?
    ****QUESTION****

    *valid answers are considered to be constructive comments, valid code that could assist, recommendations and good links. Bad English and unreadable posts are not accepted.
     
    Last edited: Jan 4, 2008
  2. curt15

    curt15 New Member

    I believe it is more secure than cookies, because you are not storing a file on the person's computer, which can be read by other people and sites. As long as you put a line of code at the top of the page that you want the user to continue to use the session, then it should work fine.

    The problem with sessions is that it increases server load. If you are going to have a few people using sessions then that would be OK. If you have 10s + then you would need to consider using cookies.
     
  3. DefecTalisman

    DefecTalisman Community Advocate Community Support

    Can anyone confirm that PHP sessions increase server load in respect to the above post?
    Also would the amount of data stored in the session be relevant to this?
    The more variables the session stores the higher the server load or is it just the more sessions the higher the load?
     
  4. SyncViews

    SyncViews New Member

    I thought the number simply used up a bit of space, seeing as the server doesn't do anything much with them until a PHP (or other?) script tells it to do something with it, which would presumably use as much CPU as a PHP script doing stuff with anything.
     
  5. Slothie

    Slothie New Member

    You can hijack sessions if you know the session number, generally stored in the cookie, or URL.
     
  6. DefecTalisman

    DefecTalisman Community Advocate Community Support

    Is the session number the same as the session id?
    If so then this number can be stored in the database; every time the person starts the session they use a ticket number which was given previously when starting the session.

    Still trying to find out if sessions are server intensive with high numbers of them?
     
  7. Momiji

    Momiji New Member

    Last edited: Jan 4, 2008
  8. DefecTalisman

    DefecTalisman Community Advocate Community Support

    Thank you, but I already checked out php.net from my nifty FF search bar.

    It hasn't really answered my question.
     
  9. Momiji

    Momiji New Member

    -confused- What are you talking about?

    I just went on the site and searched for it.
     
  10. DefecTalisman

    DefecTalisman Community Advocate Community Support

    It doesn't answer the question at hand.

    How secure is a session or an alternate method and does a session increase server load to a point that it doesn't justify using it?
     
  11. supajason

    supajason Member

    PHP sessions are as secure as you make them.

    e.g.

    passing session ids along in the URL = not secure
    storing session ids in cookies = more secure

    storing the user agent in a session and then checking on each page that it's the same as the user agent = added security

    using session_regenerate_id()
    changing session.save_path on a shared server because anybody on the server can gain access to them.
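    The points in the post above, put together in one script. This is an added example, not code from the thread; it assumes PHP 7.3 or later with the session extension and a directory `private_sessions` next to the script that the web server cannot serve.

```php
<?php
// Added example: hardening a cookie-based PHP session.
// Assumes PHP >= 7.3 and a non-web-readable directory ./private_sessions.

// Session IDs only from cookies, never from the URL, and only IDs the
// server itself issued (strict mode). Cookie not readable by script and
// sent over HTTPS only.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_samesite', 'Lax');
// On a shared host, keep session files out of the shared default directory.
ini_set('session.save_path', __DIR__ . '/private_sessions');

session_start();

// Browser fingerprint bound to the session. The user agent is not secret,
// so this only raises the bar: a stolen cookie must also be presented from
// a matching browser signature.
function session_fingerprint(): string {
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

if (!isset($_SESSION['fp'])) {
    $_SESSION['fp'] = session_fingerprint();
} elseif (!hash_equals($_SESSION['fp'], session_fingerprint())) {
    // Mismatch: treat the session as possibly hijacked and discard it.
    session_unset();
    session_destroy();
    http_response_code(403);
    exit('Session invalid.');
}

// Issue a fresh ID whenever privilege changes (login), and periodically,
// so a captured ID has a short useful life. Store only the user's
// identity in the session, never the password (encrypted or otherwise).
function login_user(string $username): void {
    session_regenerate_id(true);          // true: drop the old session file
    $_SESSION['user'] = $username;
    $_SESSION['last_regen'] = time();
}

if (isset($_SESSION['last_regen']) && time() - $_SESSION['last_regen'] > 900) {
    session_regenerate_id(true);
    $_SESSION['last_regen'] = time();
}
```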
     
  12. Fahad

    Fahad Guest

    As for security, use a MySQL database to store session ids. The table should have two fields, ticket and session id. The user carries the ticket, plus some extra authing material (I suggest user-agent+page md5ed - you can check by HTTP headers!).

    As for server load - don't worry! You're only storing a little bit of data - this won't hurt anyone!
     
  13. deadimp

    deadimp New Member

    Another method would be to store the first three parts of the user's IP address along with the user agent in the session, and pull it out to compare on each page load to ensure that the information points to about the same computer.
    You can read more on it in this post.

    As for your question about the load that sessions might incur, it all depends on the context in which you use them, i.e. user base, nature of the data, how the sessions are stored (according to the storage engine in PHP - which can be changed), etc. It's not too easy of a question to answer.
     
    Last edited: Jan 15, 2008
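    Moving session storage off the shared filesystem into a database, which is the changeable "storage engine" deadimp mentions and the database-backed approach Fahad describes. This is an added example, not code from the thread; it assumes PHP 7.4 or later with PDO, MySQL, and a table `sessions (id VARCHAR(128) PRIMARY KEY, data BLOB, expires INT)`.

```php
<?php
// Added example: a database-backed session save handler, so session data
// never lives in the host's shared session.save_path directory.
// Assumes PHP >= 7.4, PDO with the MySQL driver, and the table:
//   CREATE TABLE sessions (id VARCHAR(128) PRIMARY KEY, data BLOB, expires INT);
class DbSessionHandler implements SessionHandlerInterface {
    private PDO $db;

    public function __construct(PDO $db) { $this->db = $db; }

    public function open($savePath, $sessionName): bool { return true; }
    public function close(): bool { return true; }

    // Return '' for unknown or expired IDs; with session.use_strict_mode on,
    // PHP then issues a fresh ID instead of adopting the client's value.
    public function read($id): string {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row ? (string) $row['data'] : '';
    }

    // Parameterised statements throughout: session data never enters SQL text.
    public function write($id, $data): bool {
        $st = $this->db->prepare(
            'REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)');
        $ttl = (int) ini_get('session.gc_maxlifetime');
        return $st->execute([$id, $data, time() + $ttl]);
    }

    public function destroy($id): bool {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    // Garbage collection: drop rows whose expiry has passed.
    public function gc($maxLifetime) {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires < ?');
        $st->execute([time()]);
        return $st->rowCount();
    }
}

// Credentials are placeholders; supply the real ones from configuration.
$db = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'PLACEHOLDER_PASSWORD',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
ini_set('session.use_strict_mode', '1');
session_set_save_handler(new DbSessionHandler($db), true);
session_start();
```

    Storage cost is one row per active session, so the load question in the thread reduces to row count and data size, both of which the gc() method bounds.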
  14. DefecTalisman

    DefecTalisman Community Advocate Community Support

    Thank you very much guys for the feedback, I am closing this thread as the question has been answered and opening a new one -> (to be updated when I open the thread)
     