Reputation: 930
I'm just wondering, for a PHP session, would it be preferred to store a session variable containing a logged-in user's ID or username?
At the moment it stores the username, but would the ID be safer because potential "hackers" may not know which user the ID correlates to?
Upvotes: 1
Views: 167
Reputation: 6021
PHP sessions work by giving an "opaque" cookie to users - that is, the cookie is just a number, and the actual data is stored on your server. When a user sends you the session cookie, PHP looks up the number in a table to retrieve the data you've stored for that user.
This means that it is impossible, without access to your server, for anyone listening over the network to figure out what the session cookie actually means. They would need the table stored on your server. So it really doesn't matter if you store an ID number or a username in the session: if they have enough access to see what's in the session, then they could probably just look up the username based on the ID number anyway.
Upvotes: 2
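The lookup described in the answer above can be observed with the PHP CLI. This is an added example, not code from the thread; it assumes the default `files` session save handler and a writable temp directory, and the user ID `42` and username `alice` are constructed sample values.

```php
<?php
// Added example: compare what the client holds (the session ID)
// with what the server stores (the session data).
// Assumes the default "files" save handler; sample values are constructed.

ini_set('session.save_handler', 'files');
ini_set('session.use_cookies', '0');   // CLI run: no HTTP response to carry a cookie
ini_set('session.cache_limiter', '');  // CLI run: no cache headers to send
session_save_path(sys_get_temp_dir());

// Request 1: log the user in and store both identifiers in the session.
session_start();
$_SESSION['user_id']  = 42;
$_SESSION['username'] = 'alice';
$cookieValue = session_id();           // the only thing the browser receives
session_write_close();                 // flush the data to server-side storage

// What actually sits on the server for that ID.
$sessionFile = session_save_path() . '/sess_' . $cookieValue;
$storedData  = file_get_contents($sessionFile);

// Request 2: the browser sends back only the ID; PHP looks the data up.
$_SESSION = [];
session_id($cookieValue);
session_start();
$lookedUp = $_SESSION;
session_destroy();                     // also removes the session file

// Neither identifier is derivable from the cookie value itself.
$leaksUsername = strpos($cookieValue, 'alice') !== false;
$leaksUserId   = ($cookieValue === '42');

echo "Client side (cookie value): {$cookieValue}\n";
echo "Server side (session file): {$storedData}\n";
echo "Looked up from the ID:      user_id={$lookedUp['user_id']}, ",
     "username={$lookedUp['username']}\n";
echo "Cookie reveals username:    ", var_export($leaksUsername, true), "\n";
echo "Cookie reveals user ID:     ", var_export($leaksUserId, true), "\n";
```

Anyone who can read the session file sees the username and the ID side by side, which is the answer's point: the protection comes from the data staying on the server, not from which identifier is stored.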