  1. #1
    SitePoint Member
    Join Date
    Oct 2006
    Posts
    2

    Do I need to use sessions

    Hi,
    I am dealing with an older website written in PHP that I have been enhancing and fixing bugs in. The website uses sessions. If I upgrade/rewrite the website, do I need to use sessions? Is it better to use sessions or not? I was told on a previous non-PHP website project not to use sessions because of security. Is this true with PHP?
    Thank you for your help.

  2. #2
    SitePoint Addict Skookum's Avatar
    Join Date
    Sep 2006
    Location
    Idaho
    Posts
    375
    It actually depends on the website, how concerned you are about security.

    To replace sessions you could use cookies, or store all the session variables in the URL.

    It is possible to lock down sessions pretty well though.

    On the site that I am building I am using sessions, and I am not locking them down entirely yet, because I am on a time crunch and because the information that I am handling is not sensitive.

    From what I can tell most places frown upon using sessions, so if you are uncomfortable with it use something else.

  3. #3
    SitePoint Guru rockit's Avatar
    Join Date
    Sep 2005
    Location
    Canada
    Posts
    636
    it's like anything, what context are you using them in... typically pros and cons to almost any solution out there.

  4. #4
    SitePoint Member
    Join Date
    Oct 2006
    Posts
    2
    Thanks for the quick replies. There is some sensitive data in parts of the website which is why I was concerned.

  5. #5
    dooby dooby doo silver trophybronze trophy
    spikeZ's Avatar
    Join Date
    Aug 2004
    Location
    Manchester UK
    Posts
    13,807
    if it's that sensitive, use a database to store the information or encrypt your session data.

    welcome to the forums btw TAB
    Mike Swiffin - Community Team Advisor
    Only a woman can read between the lines of a one word answer.....

  6. #6
    SitePoint Wizard silver trophy
    Join Date
    Mar 2006
    Posts
    6,132
    you might want to read up on exactly what sessions are. it seems you don't quite understand them.

    sessions are for the most part as secure as you make them. as with anything, if you are not familiar with what you are doing, you may make critical design flaws.

    most of the risk with sessions revolves around session hijacking. stick with cookie-based sessions (do not pass the session id in the url/query string) and this won't be much of an issue.

    the session could still be hijacked, but the only realistic way would be to get the user's cookie. this could be done with javascript/xss (if you allow javascript to be injected into your application then you have other issues you need to deal with first).

    you want to use the proper tool for the job. security is never a simple thing. it requires security from all angles.

  7. #7
    SitePoint Wizard bronze trophy devbanana's Avatar
    Join Date
    Apr 2006
    Location
    Pennsylvania
    Posts
    1,736
    Agreed. Why would someone discourage the use of sessions? They are safer than cookies, because sessions are stored on the server and only the ID is stored in a cookie, while with regular cookies, all of the data, sensitive and otherwise, is stored in cookies on the client side. That means someone can go in and change any of that data they want to by hand, not to mention all of that data is being passed over a possibly insecure network (if you're not using SSL), and so there is infinite potential for the data to be captured, or otherwise tampered with.
    Laudetur Iesus Christus!
    Christ's Little Flock
    Jesus is the Good Shepherd
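
The points raised in posts #6 and #7 (cookie-only session IDs, keeping the cookie away from injected JavaScript, SSL, data held server-side) map onto PHP's session options as sketched below. This is an added example, not code from any poster in the thread; the function names and the `user_id` session key are assumptions, and the options array on `session_start()` needs PHP 7.0+ (7.3+ for `cookie_samesite`).

```php
<?php
declare(strict_types=1);

// Added example: function names and the 'user_id' key are hypothetical.

function start_hardened_session(): void
{
    session_start([
        // The session ID travels only in a cookie, never in the URL/query string.
        // (These two are already the defaults in current PHP; stated for clarity.)
        'use_only_cookies' => 1,
        'use_trans_sid'    => 0,
        // Refuse session IDs that the server did not issue itself.
        'use_strict_mode'  => 1,
        // Hide the cookie from JavaScript, so injected script cannot read it.
        'cookie_httponly'  => 1,
        // Send the cookie over HTTPS only, so it is not exposed on the network.
        'cookie_secure'    => 1,
        // Do not attach the cookie to cross-site subrequests.
        'cookie_samesite'  => 'Lax',
    ]);
}

function log_in(int $userId): void
{
    // Issue a fresh ID at the privilege change; true deletes the old session data.
    session_regenerate_id(true);
    // Sensitive state stays on the server; the browser only ever holds the ID.
    $_SESSION['user_id'] = $userId;
}

function log_out(): void
{
    $_SESSION = [];
    // Expire the session cookie using the same parameters it was set with.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

start_hardened_session();
```

With `cookie_secure` enabled the session cookie is not sent over plain HTTP, so the site has to be served over HTTPS for the session to persist.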

