mottwsc Posted August 11, 2009

Are database sessions safer than regular sessions? Do they prevent the types of security problems that regular sessions have? Do you know of a good tutorial on implementing database sessions? Thanks for your guidance.
JonnoTheDev Posted August 11, 2009

> Do they prevent the types of security problems that regular sessions have?

What would they be? PHP's standard session handling is fine in most situations. There are, however, some cases where you need a custom session handler, i.e. database. One example is maintaining sessions across domains. One con regarding using a database for handling sessions is speed and the size of data being stored.

Basic tutorial: http://bubble.ro/Creating_a_customized_session_handling_system_in_PHP__part_I.html
premiso Posted August 11, 2009

> Are database sessions safer than regular sessions?

It depends on your server. For a shared host, a database session can be if you do not set up your session storing right. If you set it up correctly then they are about the same, except that the file way will be much quicker.

> Do they prevent the types of security problems that regular sessions have?

What security problems are you referring to?
PFMaBiSmAd Posted August 11, 2009

On shared web hosting, all the databases on any database server can be seen by all the accounts having access to that particular database server, and database engines (at least MySQL) do not have bad-login detection and account lockout, so it is possible to use brute force to break into a database. Whereas, if session data files are stored in a "private" folder within your account's folder tree and with proper folder permissions, they are safe against any brute force attempt to break into your account to access them (most hosting control panels and FTP logins do have bad-login detection and account lockout). So, an argument could be made that on shared web hosting, using a database to store session data is actually less secure than using the built-in file save handler.
mottwsc (Author) Posted August 11, 2009

I was talking about the risk of session hijacking. Maybe it is the same risk for either option, and you guard against it with session_regenerate_id() in both cases. If I intend to put this application on a dedicated server, then it sounds like either option would work. Thanks for your thoughts.
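The custom database handler JonnoTheDev describes and the session_regenerate_id() call mottwsc mentions, combined in one added example (not code from this thread or from the linked tutorial). It assumes PHP 5.4 or later for SessionHandlerInterface, PDO with the SQLite driver, and a placeholder path for the SQLite file in a folder outside the web root.

```php
<?php
// Added example: database-backed PHP session handler (PDO + SQLite). Not code
// from the thread. Assumes PHP >= 5.4; the SQLite path below is a placeholder.
class PdoSessionHandler implements SessionHandlerInterface
{
    private $db, $ttl;

    public function __construct(PDO $db, $ttl = 1440)
    {
        $this->db  = $db;
        $this->ttl = (int) $ttl;
        // One row per session id; data is PHP's opaque serialized payload.
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, data TEXT NOT NULL, expires INTEGER NOT NULL)');
    }
    public function open($savePath, $sessionName) { return true; }
    public function close() { return true; }
    public function read($id)
    {
        // $id comes from the client's cookie: bind it, never interpolate it.
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $st->execute(array($id, time()));
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';   // '' means no such live session
    }
    public function write($id, $data)
    {
        $st = $this->db->prepare('REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)');
        return $st->execute(array($id, $data, time() + $this->ttl));
    }
    public function destroy($id)
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE id = ?');
        return $st->execute(array($id));
    }
    public function gc($maxLifetime)
    {
        // Expiry is stored per row, so gc() just purges rows already past it.
        return $this->db->exec('DELETE FROM sessions WHERE expires <= ' . time());
    }
}

$db = new PDO('sqlite:/path/to/private/sessions.sqlite'); // placeholder path
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
session_set_save_handler(new PdoSessionHandler($db), true);
session_start();

// After a successful login, issue a fresh id and delete the old row, so an id
// captured before login is not usable afterwards.
if (isset($_POST['login_ok'])) { // placeholder for your own auth check
    session_regenerate_id(true);
    $_SESSION['user'] = 'alice';
}
```

With the `true` argument, session_regenerate_id() calls the handler's destroy() on the old id, so the stale row does not linger until gc() runs.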