Reputation: 1019
Is it unsafe to use the user_id from my SQL table as the session id? Is this normally what PHP developers do?
Also, I've tried countless times to store the session id as the user id:
include('profile/core/init_inc.php');
$_SESSION['uid'] = $user_id;
header("Location: profile/edit_profile.php");
In my init_inc:
function fetch_user_info($uid){
    $uid = (int)$uid;
    $sql = "SELECT
                `user_id` AS `id`,
                `username`,
                `user_firstname` AS `firstname`,
                `user_lastname` AS `lastname`,
                `user_about` AS `about`,
                `user_email` AS `email`
            FROM `users`
            WHERE `user_id` = {$uid}";
    $result = mysql_query($sql);
    return mysql_fetch_assoc($result);
}
If I have $_SESSION['uid'] = 90; it will display the [email protected] info here after you log on.
So my question is: is it safe to store the session id as the user_id, and when I try to do it, why isn't it working?
Upvotes: 4
Views: 4376
Reputation: 2597
A couple of things:
1.) A session ID should not be a constant value for a particular user. That is a security violation. The session ID should change every once in a while. Ideally, it should be a random value.
2.) It doesn't look like you are setting the session ID. You are setting the session variable called "uid".
3.) Did you ever call session_start()?
Despite the fact that I really would not recommend setting a session ID to a constant value, you can set the ID for a session using the session_id() function:
$session_id = "some_random_value";
session_id($session_id);
But like I said, this should not be the user's ID. You can store the user's ID as session information, and check that when the user loads a page to see if they are logged in.
if (isset($_SESSION["user_id"]))
{
    //user is logged in
    $user_id = $_SESSION["user_id"];
}
else
{
    //make user log in
    $user_id = result_of_login();
    $_SESSION["user_id"] = $user_id;
}
More information on PHP sessions is in the session documentation.
Upvotes: 2
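As an added example (not code from the question or the answer above), here is the pattern the answer recommends, carried through end to end: PHP generates the random session ID, the user's id is stored as session data after a successful login, and protected pages check that session data. It also covers what the asker's snippet was missing (the session_start() call) and replaces the string-interpolated query with a prepared statement. The PDO connection details, the `password_hash` column and the page names are assumptions for the sake of the example.

```php
<?php
// Example code, not from the original question or answer.
// Assumes: a PDO connection (placeholder credentials below), a `users`
// table with the columns from the question plus a `password_hash` column
// that holds output of password_hash() (assumed), and PHP 7.3 or newer.

ini_set('session.use_strict_mode', '1');  // reject session IDs the server did not issue
session_set_cookie_params([
    'httponly' => true,   // keep the cookie away from JavaScript
    'secure'   => true,   // only send it over HTTPS
    'samesite' => 'Lax',
]);
session_start();          // the call missing from the question's code

// Placeholder DSN and credentials; replace with your own.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Verify credentials, then store the user's id as session DATA.
// The session ID itself stays the random value PHP generated.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT `user_id`, `password_hash` FROM `users` WHERE `username` = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Issue a fresh session ID at login so an ID handed out before
    // authentication is never carried over (session fixation).
    session_regenerate_id(true);
    $_SESSION['uid'] = (int) $row['user_id'];
    return true;
}

// The "is the user logged in?" check from the answer, as a function.
function current_user_id(): ?int
{
    return isset($_SESSION['uid']) ? (int) $_SESSION['uid'] : null;
}

// Same query as the question's fetch_user_info, but with a bound parameter
// instead of interpolating $uid into the SQL string.
function fetch_user_info(PDO $pdo, int $uid): ?array
{
    $stmt = $pdo->prepare(
        'SELECT `user_id` AS `id`, `username`,
                `user_firstname` AS `firstname`, `user_lastname` AS `lastname`,
                `user_about` AS `about`, `user_email` AS `email`
         FROM `users` WHERE `user_id` = ?'
    );
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage on a protected page such as profile/edit_profile.php (assumed name):
$uid = current_user_id();
if ($uid === null) {
    header('Location: login.php');  // assumed login page
    exit;
}
$user = fetch_user_info($pdo, $uid);
```

The point the answer makes shows up in two places here: the user's id only ever lives in $_SESSION['uid'], and session_regenerate_id(true) at login gives the client a new random ID that has no relation to that user id. With session.use_strict_mode on, an ID the server never issued is ignored rather than adopted, so a client cannot pick its own.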