I'm using (server-side, not cookie) sessions in an application that I'm writing. If the user has not obtained access to the server, can I trust the $_SESSION variable, or should I verify its content on every page load?
Note:
I'm trying to limit the number of queries to my database. Currently I am verifying the data on every page load, and I'm thinking that I can probably eliminate the queries, but I want to be 100% sure.
+3
A:
Yes, you can store it in the session safely. You should make sure that the validation method is safe (the method you use before storing in the session).
Ropstah
2009-05-20 09:54:02
By the way, it does depend on which information you store in the session. We store our entire User object in the session. This implies we need a 'refresh' method to synchronize session/database data, for instance when a user updates their information.
Ropstah
2009-05-20 09:55:53
This is exactly the data I'm currently verifying: the user's object.
Unkwntech
2009-05-20 10:31:19
+2
A:
You just need to make sure that the session is stored in a safe place. By default, sessions are stored somewhere like /tmp/ on Linux. If a user can access your server, they can edit the session variables.
You should consider saving sessions to a database, and/or adding a hash (md5 + secret seed) verification to sessions, and always check that the session variables have not been modified by validating them against that hash.
If there is a "user" on the live web server and he/she can edit the session files, the ship is already gone. BTW, Unkwntech wants to minimize the number of DB queries, and a user might gain access to the database just as "easily" as being able to edit the session files.
Csaba Kétszeri
2009-05-20 11:43:07
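As an added example (not code from either answer), here is one way to implement the hash verification the second answer describes in PHP. It uses HMAC-SHA256 via hash_hmac() instead of md5 plus a secret seed, since md5(secret . data) is open to length-extension and hash_hmac() is not; SESSION_MAC_KEY, sealSessionData() and openSessionData() are names assumed for this example.

```php
<?php
// Added example: seal the user data kept in $_SESSION with an HMAC so a
// modified session file is detected on the next request without another
// database query. The key must live outside the session directory; if the
// same intruder can read the key, the tag proves nothing (Csaba's point).
// SESSION_MAC_KEY is an assumed name: load it from configuration.
const SESSION_MAC_KEY = 'replace-with-a-random-32-byte-secret';

function sealSessionData(array $userData, string $key): array {
    // Canonical serialisation so identical data always yields the same tag.
    $payload = json_encode($userData, JSON_THROW_ON_ERROR);
    return [
        'payload' => $payload,
        'mac'     => hash_hmac('sha256', $payload, $key),
    ];
}

function openSessionData(array $sealed, string $key): ?array {
    if (!isset($sealed['payload'], $sealed['mac'])) {
        return null; // nothing stored yet, or unexpected shape
    }
    $expected = hash_hmac('sha256', $sealed['payload'], $key);
    // hash_equals() compares in constant time, avoiding a timing leak.
    if (!hash_equals($expected, $sealed['mac'])) {
        return null; // tampered or stale: caller should re-verify against the DB
    }
    return json_decode($sealed['payload'], true, 512, JSON_THROW_ON_ERROR);
}

// After a successful login or DB verification (once, not on every request):
// $_SESSION['user'] = sealSessionData(['id' => 42, 'role' => 'member'], SESSION_MAC_KEY);
//
// On every later request:
// $user = openSessionData($_SESSION['user'] ?? [], SESSION_MAC_KEY);
// if ($user === null) { /* fall back to the DB check and re-seal, or log out */ }
```

Because the tag only detects modification, the 'refresh' step Ropstah mentions is still needed whenever the database copy changes; re-seal after that refresh.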