views: 68
answers: 3

I'm a bit confused. I've been building my sites with my own session system, but I'm not sure how secure PHP's own session system is. My session system usually just has a user id and a quite harsh hash, which does not use the user name or password for its generation. I save the hash in the user database and as a cookie to confirm the user session on every page load. So my question is: can I trust PHP sessions, or should I keep using my own?

A: 

Storing data in cookies versus using PHP's sessions is very different. Cookies store data on the client-side; sessions store data server-side, which has a number of benefits:

  • The user can't see it
  • The user can't modify it
  • The browser doesn't need to send the data to the server with every request

Normally PHP sessions do store the session key as a cookie (although they don't have to), but none of the data you actually care about is ever sent to the user; it's stored on the server and looked up using the session key.

Michael Mrozek
Now I'm wondering how the server would notice who the user is if the session key is not stored as a cookie? With my system, basically, if the user modified the session cookie he would just be logged out. The user actually can't know how I'm generating the session key, so it does not matter if he sees it. My system also stores the session key on the server to confirm the cookie.
Temek
@Temek Well, the client has to tell the server the session key somehow, it just doesn't need to be stored in a cookie; the other main way is as a [GET parameter](http://us2.php.net/manual/en/session.idpassing.php)
Michael Mrozek
Ah yeah. Stupid me. I thought you were saying the client does not have to have the session data at all. :) Sorry for confusion.
Temek
A: 

PHP saves a unique session id in a cookie, and all values related to the session in its own text file on the server. You have to get the session id to steal the session, which means you have to steal the session cookie from the victim's computer. PHP's own system is at least as safe as your home-built system.

The difference may be how hard it is to find an active session by brute force. That is entirely up to the hashing algorithm and the random number generator.

You can configure PHP to use different hashing algorithms or you could even use your own algorithm to create the session ids for PHP's session system if you don't trust PHP to do it properly.

Emil Vikström
Thanks. So it does not really matter which one I use. The difference seems to be that I store it in MySQL and PHP stores it in a file.
Temek
"You have to get the session id to steal the session" - wrong, go read up on session fixation
symcbean
A: 

> I'm not sure how secure PHP's own session system is

And the rest of the world is not sure how secure yours is. A lot of people have looked at the session handler in PHP and not found any flaws in the implementation. It's also well characterized and integrated, but supports the notion of user-defined handlers.

I'd recommend using the standard session code - but you might want to write your own handler functions.

C.

symcbean