Tutorial :ServerSide Sessions safe?



Question:

I'm using (server side, not cookie) sessions in an application that I writing, if the users has not obtained access to the server can I trust the $_SESSION variable or should I verify it's content on every page load?


Note:
I'm trying to limit the number of queries to my database and currently I am verifying the data on every page load, and I', thinking that I can probably eliminate the queries, but I want to be 100% sure.


Solution:1

Yes you can store it in the session safely. You should make sure that the Validation method is safe. (the method you use before storing in the session).


Solution:2

You just need to make sure that session is stored in safe place. By default sessions are stored on somewhere like /tmp/ on linux. If user can access your server they can edit the session variables.

You should consider saving sessions to database, and/or adding hash calculation (md5+secret seed) verification to sessions, and always check that session variables are not modified against that hash.


Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Previous
Next Post »