
sessions vs database


enkidu72


Hello all...

Just a question...

I'm writing code for a site that needs authentication.

The authentication part works with a certificate installed in the browser against a MySQL db.

When the user is authenticated I use sessions to pass data from one page to another, I save the session data in an array, destroy the session, create a new one and copy the data back.

This is to prevent hijacking of the session.

My question is... wouldn't it be more secure to store all the data in a database instead of saving it in the session? Or better, what are the advantages/disadvantages of using sessions instead of using a db for this purpose?

Thx in advance

David


Link to comment
Share on other sites

I often use fingerprints in my session. I know that it's security through obscurity, but it really does make it much harder for anyone trying to play around.

 

$_SESSION['fingerprint'] = md5($_SERVER['HTTP_USER_AGENT'].session_id()."randomLOLXD");

 

If you're on a shared server, sessions might be the way to go. However, anyone with access to the actual physical session file probably won't be able to know what site is using it.

Link to comment
Share on other sites

If you mean for temporary data storage, yes, it probably would be more secure, but efficient, no.

It would be more queries than you would want and a large unnecessary load on your database.

 

You pretty much already seem to know the purpose of a session so I won't bother explaining it...so I'd just say to stick with it.

If you need the session to be secure then don't put anything in it that you don't want a "hijacker" to have.

Link to comment
Share on other sites

Thx for your replies...

Would it be more efficient even if I destroy and re-create sessions?

This way I write a new session on the filesystem every time, the other way I'd make queries on the db...

Or maybe you were telling me that I should not recreate sessions?

I saw it's possible to save sessions on the db too, with session_set_save_handler()...

Security is very important in this case, because the web gives access to the resources of a grid of clusters.

Link to comment
Share on other sites


Don't keep destroying and recreating the session, as it just wastes disk space until the garbage collector cleans up those dead sessions.

Link to comment
Share on other sites
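
An added example, not code from any poster in this thread: one way to get the effect the original post describes (a fresh session ID with the data carried over) using PHP's built-in session_regenerate_id(), rotating at login and on a timer instead of on every request, and actually verifying a fingerprint like the one posted above. The key, the rotation interval and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: a server-side secret loaded from configuration, never sent to the client.
const FINGERPRINT_KEY = 'replace-with-random-secret-from-config';
const ROTATE_AFTER_SECONDS = 300; // assumption: rotate the session ID every 5 minutes

// Bind the session to a client attribute. The user agent can be copied by an
// attacker, so this only raises the bar; it does not replace HTTPS-only cookies.
function fingerprint(array $server): string
{
    return hash_hmac('sha256', $server['HTTP_USER_AGENT'] ?? '', FINGERPRINT_KEY);
}

function start_secure_session(): void
{
    ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue
    session_set_cookie_params([
        'secure'   => true,      // cookie is sent over HTTPS only
        'httponly' => true,      // cookie is not readable from JavaScript
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Call once the certificate/database check has succeeded.
function on_login(string $userId): void
{
    session_regenerate_id(true); // new ID, old session storage deleted, data kept
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = fingerprint($_SERVER);
    $_SESSION['rotated_at']  = time();
}

// Call at the top of every protected page; false means the session must not be trusted.
function check_session(): bool
{
    $stored = (string) ($_SESSION['fingerprint'] ?? '');
    if (!isset($_SESSION['user_id']) || !hash_equals($stored, fingerprint($_SERVER))) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    if (time() - (int) ($_SESSION['rotated_at'] ?? 0) > ROTATE_AFTER_SECONDS) {
        session_regenerate_id(true); // periodic rotation, no manual copy/destroy/create
        $_SESSION['rotated_at'] = time();
    }
    return true;
}
```

The same functions work unchanged if session storage is moved to a database with session_set_save_handler(), since they only touch $_SESSION and the session ID.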
