rollingcodes

Reputation: 15978

PHP $_SESSION Variables

I am using PHP $_SESSION variables with the login workflow of my website and I just wanted to make some clarifications. Much like Facebook, I want to store a secret code only known by the server which is used to sign each request that is sent to and from the server. My initial approach was to generate a random string and store that inside of a MySQL table, but then I learned about session variables. I know that session variables by default work by using cookies that store session names and id, correct? None of the actual data is stored on the user's computer? So if I wanted to implement:

# assume that $rand_string is not null and a string
session_start();
$_SESSION['secret'] = $rand_string;

there would not be any way for the user to decode the session cookies and determine the actual value of $rand_string, right? Just want to make sure the data is secure, otherwise I will revert back to the less smooth MySQL technique. I just like the thought of the easily accessed and managed session variables.

Upvotes: 3

Views: 274

Answers (4)

tranisstor

Reputation: 52

What you say is correct. All data inside $_SESSION is accessible only on the server, but only as long as the session has not timed out.

Nonetheless you should be careful that session IDs which are stored in the cookie can be captured quite easily. See Sessions and Security for details.

Upvotes: 1

Skatox

Reputation: 4284

I would prefer doing the random stuff by generating it with a guid function, because it will generate a unique identifier and will be more secure than a simple random string:

# com_create_guid() comes from the COM extension and is therefore only available on Windows builds of PHP
session_start();
$_SESSION['secret'] = com_create_guid();

And yes, $_SESSION variables are stored on server side.

Upvotes: 2
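The workflow the question describes (a server-only secret kept in the session and used to sign requests), written out as an added example that is not code from the question or from any of the answers. It assumes PHP 7.3 or newer (for the array form of session_set_cookie_params() and random_bytes()), a site served over HTTPS, and the hypothetical function names sign_request() and verify_request():

```php
<?php
// Added example, not from the question or answers. Assumes PHP >= 7.3 and HTTPS.
declare(strict_types=1);

// Harden the session cookie before the session starts. The cookie only ever
// carries the session ID, never the secret itself, but anyone holding the ID
// is treated as the session owner, so keep it off JavaScript and plain HTTP.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,     // send only over HTTPS
    'httponly' => true,     // not readable via document.cookie
    'samesite' => 'Strict', // not sent on cross-site requests
]);
session_start();

// Generate the secret once per session, server-side, from a CSPRNG.
// random_bytes() is available on every platform, unlike com_create_guid().
if (!isset($_SESSION['secret'])) {
    session_regenerate_id(true); // fresh ID whenever the session is (re)established
    $_SESSION['secret'] = bin2hex(random_bytes(32));
}

// Sign a request payload with the session secret (HMAC-SHA256).
// Hypothetical helper name; the secret never leaves the server.
function sign_request(string $payload): string
{
    return hash_hmac('sha256', $payload, $_SESSION['secret']);
}

// Verify a signature in constant time so a forged value cannot be
// guessed byte by byte from timing differences.
function verify_request(string $payload, string $signature): bool
{
    return hash_equals(sign_request($payload), $signature);
}

// Constructed demo values.
$payload   = 'action=transfer&amount=10';
$signature = sign_request($payload);

echo verify_request($payload, $signature) ? "valid\n" : "tampered\n";
echo verify_request($payload . '0', $signature) ? "valid\n" : "tampered\n";
```

The client only ever sees the session ID cookie and the HMAC tag; the secret used to produce the tag stays in the server-side session store.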

luk2302

Reputation: 57114

Yes, you are right, the user only knows about the session ID or something similar, just something to identify the session the user corresponds to.

The rest of the data is temporarily stored on the server.

There is no way for the visitor to get hands on the session data unless you have major bugs on your website, which I don't think you do.

Upvotes: 1

Abhishek Kannan

Reputation: 988

Session data is stored server-side.

Cookie data is stored client-side.

Upvotes: 7
