PHP Sessions - Full Proof?

[325ey]

Hi all,

 

Quick question - I'm developing a form to webservice system and using a PHP session for as part of the server side validation. Basically if I get an error response from the server I'm submitting to, I return the person to the form page and use a php session to bring the original form data and errors with them.

 

Pretty common I think.

 

My question is, how likely is it that a php session will fail? And so the system.

 

If a failure occurs I'm expecting it to normally be because the persons browser will not accept the session cookie, can I get around this?

 

I don't really want to append a session ID to the URL as the CMS I'm using is being difficult about it but would this be a safe gaurd?

 

Thanks.

 

 

[Wolphie]

What about using cookies? I've never heard of a session failing, however if the users browser doesn't accept sessions then this could be a problem. I'd attempt using cookies and then as a fallback I'd temporarily store their form data in a database.

 

Although, personally I'd rather store the data in the URL as a fallback.

[simshaun]

If the data needs to be secure, avoid passing a session ID around in the URL if at all possible.  Allowing it opens up the possibility of session hijacking via session fixation.