Reputation: 90871
I'm using (server-side, not cookie) sessions in an application that I am writing. If the user has not obtained access to the server, can I trust the $_SESSION variable, or should I verify its content on every page load?
Note:
I'm trying to limit the number of queries to my database. Currently I am verifying the data on every page load, and I'm thinking that I can probably eliminate the queries, but I want to be 100% sure.
Upvotes: 2
Views: 454
Reputation: 31
You just need to make sure that the session is stored in a safe place. By default, sessions are stored somewhere like /tmp/ on Linux. If a user can access your server, they can edit the session variables.
You should consider saving sessions to a database, and/or adding a hash calculation (md5 + secret seed) for verification of sessions, and always check that the session variables have not been modified against that hash.
Upvotes: 3
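The integrity check the answer above describes, written out as an added example (this is not code from the answer or from any project; it is PHP, since the question is about `$_SESSION`). It uses `hash_hmac` with SHA-256 in place of the answer's "md5 + secret seed" construction, reads the secret from a `SESSION_SECRET` environment variable (an assumption; any source outside the session store works), and stores the tag under the arbitrary key `_sig`:

```php
<?php
// Added example: sign the session payload with a keyed hash so that any edit
// made to the stored session data outside the application is detected.
// Assumptions (not from the original answer): the secret comes from the
// SESSION_SECRET environment variable; '_sig' is the key holding the tag.

declare(strict_types=1);

const SESSION_SIG_KEY = '_sig';

function session_secret(): string
{
    $secret = getenv('SESSION_SECRET');
    if ($secret === false || strlen($secret) < 32) {
        throw new RuntimeException('SESSION_SECRET must be set (at least 32 bytes)');
    }
    return $secret;
}

// Canonical serialization of everything except the tag itself. Keys are
// sorted so that insertion order does not change the signature.
function session_payload(array $session): string
{
    unset($session[SESSION_SIG_KEY]);
    ksort($session);
    return json_encode($session, JSON_THROW_ON_ERROR);
}

// Compute the tag over the current contents and store it in the session.
function session_sign(array &$session): void
{
    // HMAC-SHA256 instead of md5(secret . data): keyed hash, no length extension.
    $session[SESSION_SIG_KEY] = hash_hmac('sha256', session_payload($session), session_secret());
}

// True only if the stored tag matches the current contents.
function session_verify(array $session): bool
{
    if (!isset($session[SESSION_SIG_KEY]) || !is_string($session[SESSION_SIG_KEY])) {
        return false;
    }
    $expected = hash_hmac('sha256', session_payload($session), session_secret());
    return hash_equals($expected, $session[SESSION_SIG_KEY]); // constant-time comparison
}

// Assign application data and re-sign in one step, so the tag never lags
// behind the contents.
function session_set(array $values): void
{
    foreach ($values as $key => $value) {
        if ($key === SESSION_SIG_KEY) {
            continue; // never let application data overwrite the tag directly
        }
        $_SESSION[$key] = $value;
    }
    session_sign($_SESSION);
}

// On every request, after session_start(): a non-empty session with a
// missing or mismatching tag is treated as tampered and discarded.
session_start();
if (!empty($_SESSION) && !session_verify($_SESSION)) {
    session_unset();
    session_destroy();
    http_response_code(403);
    exit('Invalid session');
}

// Example of writing data at login (user id and role are constructed values):
if (!isset($_SESSION['user_id'])) {
    session_set(['user_id' => 42, 'role' => 'editor']);
}
```

Two caveats on what this buys you. `ksort` only canonicalizes the top level, so if you store nested arrays either sort them recursively or keep the session flat. More importantly, the tag only proves the stored bytes were not changed by someone who lacks the secret: an attacker who can already write to the session store on the same host can usually also read the application's configuration, so keep the secret somewhere the web server's session directory does not share (environment, secrets manager), and treat this as a detection for tampered session files rather than as a defence against full host compromise.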
Reputation: 17804
Yes, you can store it in the session safely. You should make sure that the validation method is safe (the method you use before storing in the session).
Upvotes: 4