Tutorial: Server-side sessions safe?


I'm using (server-side, not cookie) sessions in an application that I'm writing. If the user has not obtained access to the server, can I trust the $_SESSION variable, or should I verify its content on every page load?

I'm trying to limit the number of queries to my database. Currently I am verifying the data on every page load, and I'm thinking that I can probably eliminate the queries, but I want to be 100% sure.


Yes, you can store it in the session safely. You should make sure that the validation method is safe (the method you use before storing in the session).


You just need to make sure that the session is stored in a safe place. By default, sessions are stored somewhere like /tmp/ on Linux. If a user can access your server, they can edit the session variables.

You should consider saving sessions to a database, and/or adding a hash calculation (md5 + secret seed) to sessions for verification, and always check that the session variables have not been modified by comparing against that hash.
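The integrity check suggested in this answer, as an added example that is not code from the original thread: it uses an HMAC (hash_hmac + hash_equals) instead of a plain md5 over data plus seed, so the key is mixed in properly and the comparison is constant-time. The key path, the protected field names and the sample session array are assumptions; the key must live outside the session store, because an attacker who can edit the session files and also read the key can simply recompute the MAC.

```php
<?php
// Added example: integrity-protect server-side session data with an HMAC.
// Assumes the secret key is kept outside the session directory (e.g. in an
// environment variable or a file under /etc); the fallback below is only a
// constructed value so the script runs stand-alone.
function sessionHmacKey(): string {
    $key = getenv('SESSION_HMAC_KEY');
    return $key !== false && $key !== '' ? $key : 'constructed-demo-key-do-not-use';
}

// Canonicalise the fields we protect so the MAC input is deterministic.
// Field names are assumed; list every value you rely on for authorisation.
function sessionPayload(array $session): string {
    $protected = ['user_id', 'role', 'issued_at'];
    $data = [];
    foreach ($protected as $k) {
        $data[$k] = $session[$k] ?? null;
    }
    return json_encode($data, JSON_THROW_ON_ERROR);
}

// Call once after login (or whenever a protected field legitimately changes).
function sealSession(array &$session): void {
    $session['_mac'] = hash_hmac('sha256', sessionPayload($session), sessionHmacKey());
}

// Call on every page load before trusting $_SESSION; returns false on any
// missing, malformed or mismatching MAC.
function verifySession(array $session): bool {
    if (!isset($session['_mac']) || !is_string($session['_mac'])) {
        return false;
    }
    $expected = hash_hmac('sha256', sessionPayload($session), sessionHmacKey());
    return hash_equals($expected, $session['_mac']);
}

// Self-check with a constructed session array (not real user data).
$s = ['user_id' => 42, 'role' => 'user', 'issued_at' => 1700000000];
sealSession($s);
assert(verifySession($s) === true);
$s['role'] = 'admin';               // simulate an edited session file
assert(verifySession($s) === false);
// In the application:
//   session_start();
//   if (!verifySession($_SESSION)) { session_destroy(); /* force re-login */ }
```

This detects modification of the stored session, not disclosure of it; a database-backed session handler with restricted credentials addresses the storage side that the answer also mentions.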

