Joey

Reputation: 1679

Is it dangerous to store $_POST in $_SESSION?

I have a form on a web page where a user enters their name, last name, email address and some other info. PHP then checks this info to see if any malicious or weird characters are there, checks if the user's email exists already, and other common functionality. This question isn't about malicious user input, however.

I'm using $_SESSION for some things on a later page.

So I've been doing this recently:

$_SESSION['info']['first_name'] = $_POST['first_name'];
$_SESSION['info']['last_name'] = $_POST['last_name'];
// this continues for many lines below...

I want to just do this:

$_SESSION['info'] = array_values($_POST);

Is there any danger in this? I know someone could $_POST a ton of data, and then it'd end up being stored in memory on my server. Is there potential for abuse? How can I prevent this without writing more code than the original method I've used to store data into the $_SESSION? Is there a method or function that would help with this?

To be clear, my intent is to cut down on lines of code without sacrificing security.

Upvotes: 1

Views: 215

Answers (2)

Maks3w

Reputation: 6429

The only risk is completely filling the session storage (disk, memory, database) with the data passed to $_POST, which could end in a DoS.

Upvotes: 0

Niet the Dark Absol

Reputation: 324620

It's no more dangerous than using $_POST, although if you want the same effect as the original then you should drop the array_values and just assign $_POST to it.

Personally, I'd define a list of expected keys to store, and use them like this:

$allowed_keys = ["first_name","last_name", /* ... */ ];
// array_flip turns the list of names into keys so array_intersect_key can use it as a whitelist
$_SESSION['info'] = array_intersect_key($_POST,array_flip($allowed_keys));

But really that's just to prevent someone spamming large amounts of POST data and naively storing it in a session file.

Upvotes: 4
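Added example (not code from either answer) combining both points above: the key whitelist from the accepted answer and a per-value size cap addressing the storage-exhaustion risk Maks3w mentions. The function name filter_form_input, the sample input array and the 255-byte limit are assumptions for illustration; the script runs stand-alone with PHP 7+ because the sample input stands in for $_POST.

```php
<?php
// Added example, not the original answers' code. Demonstrates whitelisting
// POST keys with array_intersect_key + array_flip and capping value size so
// unexpected or oversized fields never reach session storage.

declare(strict_types=1);

// Constructed sample input standing in for $_POST. 'junk' simulates an
// unexpected field, 'blob' an oversized value, 'tags' a nested array
// (produced by a field named tags[]), none of which should be stored.
$post = [
    'first_name' => 'Ada',
    'last_name'  => 'Lovelace',
    'email'      => 'ada@example.com',
    'junk'       => 'not a form field',
    'blob'       => str_repeat('A', 100000),
    'tags'       => ['a', 'b'],
];

/**
 * Hypothetical helper: keep only whitelisted keys, and drop values that are
 * not plain strings or exceed $maxLen bytes. Missing keys stay absent so the
 * caller can decide whether they are required.
 */
function filter_form_input(array $input, array $allowedKeys, int $maxLen = 255): array
{
    // array_flip turns the list of names into keys so that
    // array_intersect_key can use it as a whitelist.
    $kept = array_intersect_key($input, array_flip($allowedKeys));

    foreach ($kept as $key => $value) {
        // $_POST values can be arrays when the field name ends in [];
        // those and anything over the byte limit are discarded rather
        // than written into the session file.
        if (!is_string($value) || strlen($value) > $maxLen) {
            unset($kept[$key]);
        }
    }
    return $kept;
}

$allowed_keys = ['first_name', 'last_name', 'email'];

// array_values(), as proposed in the question, throws away the field names
// and yields a 0-indexed list, so the later page could no longer look up
// $_SESSION['info']['first_name'].
var_dump(array_values($post));

// Whitelisted and size-checked: only first_name, last_name and email survive.
var_dump(filter_form_input($post, $allowed_keys));

// In the real form handler the assignment would be:
// session_start();
// $_SESSION['info'] = filter_form_input($_POST, $allowed_keys);
```

The whitelist keeps the line count close to the one-liner in the question, while the string and length checks bound how much of a request can end up in session storage per field; the overall request size is still governed by PHP's post_max_size setting.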
