sensitive data storage in sessions?

Question

Is it safe to store sensitive data inside a session variable? Or can it be modified by the client?

Answer 1

Modified by which client? Your biggest worry ought to be making sure that no one else (e.g., no other thread) sees that sensitive data.

Answer 2

The session's data is stored on the server (generally, in files).

So, it can not be modified by the client -- except if you have a security hole, of course ; but, if that's the case, people will most probably prefer modifying something more critical, like data in your database.

Though, as it's generally stored in files on your server, if you are using some kind of shared hosting, other users on your server might be able to see the sessions' files... At least, if your hosting service didn't configure the server so each user is in isolation.

Answer 3

Its very safe. Session variables are like server-side cookie. They cannot be modified by a client.

Answer 4

It's safe, sessions are stored server side. All the client has is the session id.

The session id is still a pretty important piece of information to keep hidden from others, however most sessions implementations take care of this also by assuring that the session id is used by the same IP address.

Answer 5

This is definitely NOT safe in a shared hosting environment like most web hosting deals that do not include a dedicated (virtual o physical) server. Since session data is stored in the filesystem and is by default NOT ENCRYPTED in any way it is possible (depending on your web hosters configuration) that scripts from other hosting accounts may gain access to your session data.

There are much more secure places for sensitive data. Depending on the nature of the data, you might even want to consider encryption of your data storage.

Even if your application lives on a dedicated server where session data is in theory secure, sessions are not a very reliable storage medium. Use your database for any persistent and/or sensitive data.