How secure is php session ? - (*10-100c for answers)

Status
Not open for further replies.

DefecTalisman

Community Advocate
Community Support
Messages
4,148
Reaction score
5
Points
38
I want to save a username and encrypted password in a session.

****ANSWERED****
Would this be secure, if not is there a way to make it secure or a alternate method that the user can traverse a series of pages and carry this variable with them ?
****ANSWERED****

****QUESTION****
Do session increase the load on a server to the point that it wouldn't be advisable for many users to be using them.
****QUESTION****

*valid answers are considered to be constructive comments, valid code that could assist, recommendations and good links. Bad english and unreadable posts are not accepted.
 
Last edited:

curt15

New Member
Messages
96
Reaction score
0
Points
0
I believe it is more secure than cookies, because you are not storing a file on the persons computer, which can be read by other people and sites. As long as you put a line of code at the top of the page that you want the user to continue to use the session than it should work fine.

The problem with sessions is that it increases server load. If you are going to have a few people using sessions then that would be OK. If you have 10s + then you would need to consider using cookies.
 

DefecTalisman

Community Advocate
Community Support
Messages
4,148
Reaction score
5
Points
38
Can anyone confirm that php session increases server load in respect to the above post ?
Also would the amount of data stored in the session be relevant to this?
The more variables the session stores the higher the server load or is it just the more sessions the higher the load?
 

SyncViews

New Member
Messages
37
Reaction score
0
Points
0
I thought the number simpley used up a bit of space seeing as the server doesn't do anything much with them untill a php(or other?) script tells it to do something with it which would presumably use as much cpu as a php script doing stuff with anything.
 

Slothie

New Member
Messages
1,430
Reaction score
0
Points
0
You can hijack sessions if you know the session number, generally stored in the cookie , or URL.
 

DefecTalisman

Community Advocate
Community Support
Messages
4,148
Reaction score
5
Points
38
Is the session number the same as the session id ?
If so then this number can be stored in the database, every time the person starts the session they use a ticket number which was given previously when starting the session.

Still trying to find out if sessions are server intensive with high numbers of them ?
 

DefecTalisman

Community Advocate
Community Support
Messages
4,148
Reaction score
5
Points
38
Thank you but already checked out php.net from my nifty ff search bar.

It hasn't really answered my question.
 

DefecTalisman

Community Advocate
Community Support
Messages
4,148
Reaction score
5
Points
38
It doesn't answer the question at hand.

How secure is a session or an alternate method and does a session increase server load to a point that it doesn't justify using it?
 

supajason

Member
Messages
288
Reaction score
2
Points
18
PHP sessions are as secure as you make them.

eg

passing session ids along in the URL = not secure
storing session ids in cookies = more secure

storing the user agent in a session and then checking it on each page that its the same as the user agent = added security

using sesson_regenerate_id()
changing session.save_path on a shared server because anybody on the server can gain access to them.
 
F

Fahad

Guest
As for security, use a MySQL database to store session ids. The table should have two fields, ticket and session id. The user carries the ticket, plus some extra authing material (I suggest user-agent+page md5ed - you can check by http headers!).

As for server load - don't worry! You're only storing a little bit of data - this won't hurt anyone!
 

deadimp

New Member
Messages
249
Reaction score
0
Points
0
Another method would be to store the first three parts of the user's IP address along with the user agent in the session, and pull it out to compare on each page load to ensure that the information points to about the same computer.
You can read more on it in this post.

As for your question about the load that sessions might incur, it all depends on the context in which you use them, i.e. user base, nature of the data, how the sessions are stored (according to the storage engine in PHP - which can be changed), etc. It's not too easy of a question to answer.
 
Last edited:

DefecTalisman

Community Advocate
Community Support
Messages
4,148
Reaction score
5
Points
38
Thank you very much guys for the feedback, I am closing this thread as the question has been answered and opening a new one -> (to be updated when I open the thread)
 
Status
Not open for further replies.
Top