doubledee (posted July 2, 2012)

How much information can you actively store in your $_SESSION to where it is still "okay"?

Currently, when a Member logs in, I write this data to my $_SESSION...

```php
// ******************
// Log In Member.   *
// ******************

// Set Session variables.
$_SESSION['loggedIn'] = TRUE;
$_SESSION['sessMemberID'] = $sessMemberID;
$_SESSION['sessFirstName'] = $sessFirstName;
```

I feel this is very reasonable. But what I am pondering is this... Would it be a "mortal sin" - or a security risk - if I were to add one more thing to my Session like this...

```php
// ******************
// Log In Member.   *
// ******************

// Set Session variables.
$_SESSION['loggedIn'] = TRUE;
$_SESSION['sessMemberID'] = $sessMemberID;
$_SESSION['sessFirstName'] = $sessFirstName;
$_SESSION['sessUsername'] = $sessUsername;
```

On every page (i.e. in the Header file), I need the Member's "username" so that when they click on their name, they are re-directed to their Profile. It sure would make my life easier to just keep it persisting in the $_SESSION if that isn't adding too much.

Thoughts?

Thanks,

Debbie

Thread: https://forums.phpfreaks.com/topic/265094-what-to-store-in-_session/
scootstah (posted July 2, 2012)

I may be wrong, but I think the more information that exists in your session, the more memory you use for every page load. Generally, I only store the user ID in the session and then run a query for that ID to get their info.
doubledee (author, posted July 2, 2012)

> I may be wrong, but I think the more information that exists in your session, the more memory you use for every page load. Generally, I only store the user ID in the session and then run a query for that ID to get their info.

But that is what I am trying to avoid... I mean, don't you think it is much more overhead to have to query the database on EVERY PAGE instead of just storing the tiny 8-30 character Username in the $_SESSION on Log In?

Debbie
scootstah (posted July 2, 2012)

Perhaps, but what if you want additional information? Are you going to end up storing the entire user table in a session? Besides, running a simple select query on every page load isn't really a big deal.
doubledee (author, posted July 2, 2012)

> Perhaps, but what if you want additional information? Are you going to end up storing the entire user table in a session?

Nope. I draw the line at...

- sessMemberID
- sessFirstName
- sessUsername

> Besides, running a simple select query on every page load isn't really a big deal.

It just seems like a waste in order to get something like a Member's First Name or Username... I can see running a query every time you load the entire Member's Profile.

Debbie
scootstah (posted July 2, 2012)

If you're only ever going to use their username, then fine, put it in a session. But there's a bunch of other things I can reasonably see being used from a user table on every page load, like a profile picture, forum posts, last login, etc. So, if those would be queried for anyway, then you might as well get the username at the same time.
Philip (posted July 2, 2012)

> If you're only ever going to use their username, then fine, put it in a session. But there's a bunch of other things I can reasonably see being used from a user table on every page load, like a profile picture, forum posts, last login, etc. So, if those would be queried for anyway, then you might as well get the username at the same time.

Another reason to query the DB on each load: if you just store stuff in the session - let's say User A logs in and then User B edits User A. User A's session is now out of date and has no way to know that it is out of date. Using a query fixes this.

You can see at the bottom that this forum loads a lot of stuff from the DB on each load. This page alone did:

Page created in 0.075 seconds with 15 queries.
Mahngiel (posted July 2, 2012)

> ```php
> // ******************
> // Log In Member.   *
> // ******************
>
> // Set Session variables.
> $_SESSION['loggedIn'] = TRUE;
> $_SESSION['sessMemberID'] = $sessMemberID;
> $_SESSION['sessFirstName'] = $sessFirstName;
> ```

Seems pretty silly to save whether or not a user is logged in in their session. The session shouldn't be telling itself it is active; a 3rd-party function should identify that as true or false.
scootstah (posted July 2, 2012)

> ```php
> // ******************
> // Log In Member.   *
> // ******************
>
> // Set Session variables.
> $_SESSION['loggedIn'] = TRUE;
> $_SESSION['sessMemberID'] = $sessMemberID;
> $_SESSION['sessFirstName'] = $sessFirstName;
> ```
>
> Seems pretty silly to save whether or not a user is logged in in their session. The session shouldn't be telling itself it is active; a 3rd-party function should identify that as true or false.

How else are you going to persist the login?
Mahngiel (posted July 2, 2012)

> How else are you going to persist the login?

The mere existence of the session keys permits the script to perform the functions it needs to. IMO $_SESSION['logged_in'] can be better accomplished by passing the parameters of the user's session through a non-associated session validator.

```php
function logged_in()
{
    // Check to see if there is session data (empty() also avoids an undefined-index notice)
    if (empty($_SESSION['username']) || empty($_SESSION['password'])) {
        // Session data doesn't exist, return FALSE
        return FALSE;
    }

    // Setup query with session vars; whatever lookup you use goes here
    // (find_user() is only a placeholder name for that lookup)
    $query = find_user($_SESSION['username'], $_SESSION['password']);

    // Check to see if user exists
    if ($query) {
        // User exists, return TRUE
        return TRUE;
    } else {
        // User doesn't exist, return FALSE
        return FALSE;
    }
}
```

This takes the authentication out of the $_SESSION and gives the authority back to the core where it belongs. A simple `if( !$user->logged_in )` failure kicks the user back to the login portal.
scootstah (posted July 2, 2012)

> ```php
> // Check to see if there is session data
> if( !$_SESSION['username'] || !$_SESSION['password'] )
> ```

You think storing a "logged in" flag is bad but storing their password is okay? Seriously?
Mahngiel (posted July 2, 2012)

> You think storing a "logged in" flag is bad but storing their password is okay? Seriously?

This topic isn't about methodologies of cryptography, it's about methodologies of using sessions. Get your swimsuit on before you jump into the pool, mate - I never gave any clue that anything in the session wasn't encrypted.
scootstah (posted July 2, 2012)

It doesn't matter if it is "encrypted"; there is no reason to store passwords in a session. Ever.

Besides, your code doesn't really offer any functional difference to storing a logged-in flag in the session. You are simply checking to see if "username" or "password" keys exist, instead of a "logged_in" key.
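An added example that is not code from any of the posters: a small session layer in the shape Debbie's login code and scootstah's replies argue for, which also answers Philip's stale-session point. It keeps only the member ID plus the two display values in $_SESSION (never the password or its hash), derives "logged in" from the presence of the member ID instead of a separate flag, regenerates the session ID at login, and re-reads the display values with one query by primary key once a short cache window has passed. It assumes a PDO connection already in $pdo and a hypothetical `members` table with the columns id, username, first_name and password_hash; the table and column names are placeholders.

```php
<?php
// Added example for this thread, not code from any of the posters. Assumes a PDO
// connection in $pdo and a hypothetical "members" table with the columns
// id, username, first_name and password_hash.

const MEMBER_CACHE_TTL = 300; // seconds the cached username/first name is trusted before re-reading the row

// Open the session once per request (PHP 7.3+ for the array form of session_set_cookie_params).
function start_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'httponly' => true,                 // keep the session cookie away from page scripts
            'samesite' => 'Lax',
            'secure'   => !empty($_SERVER['HTTPS']),
        ]);
        session_start();
    }
}

// Check the password and open the logged-in session. Only the member ID plus the
// two display values go into $_SESSION; the password and its hash never do.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, username, first_name, password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh session ID so a pre-login ID cannot be carried into the login
    $_SESSION['sessMemberID']  = (int) $row['id'];
    $_SESSION['sessUsername']  = $row['username'];
    $_SESSION['sessFirstName'] = $row['first_name'];
    $_SESSION['cachedAt']      = time();   // when the display values were last read from the DB
    return true;
}

// "Logged in" follows from having a member ID in the session; no separate flag is needed.
function logged_in(): bool
{
    return !empty($_SESSION['sessMemberID']);
}

// Display data for the header. Serves the session copy while it is fresh, otherwise
// re-reads the row (one cheap query by primary key) so edits made elsewhere show up,
// and ends the session if the member row no longer exists.
function current_member(PDO $pdo): ?array
{
    if (!logged_in()) {
        return null;
    }
    if (time() - ($_SESSION['cachedAt'] ?? 0) >= MEMBER_CACHE_TTL) {
        $stmt = $pdo->prepare('SELECT username, first_name FROM members WHERE id = ?');
        $stmt->execute([$_SESSION['sessMemberID']]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if (!$row) {
            logout();
            return null;
        }
        $_SESSION['sessUsername']  = $row['username'];
        $_SESSION['sessFirstName'] = $row['first_name'];
        $_SESSION['cachedAt']      = time();
    }
    return [
        'id'         => $_SESSION['sessMemberID'],
        'username'   => $_SESSION['sessUsername'],
        'first_name' => $_SESSION['sessFirstName'],
    ];
}

// Clear the server-side session data and expire the cookie on the client.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Header usage: link the member's name to their profile page.
start_session();
if ($m = current_member($pdo)) {
    printf('<a href="/profile/%s">%s</a>',
        rawurlencode($m['username']),
        htmlspecialchars($m['first_name'], ENT_QUOTES, 'UTF-8'));
}
```

The cache window is the trade-off between the two camps in the thread: within it the header costs no query, and after it a single lookup by ID refreshes the name, so a rename or a deleted account is picked up within MEMBER_CACHE_TTL seconds rather than living in the session until the next login. Setting the constant to 0 gives scootstah's query-per-page behaviour.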
Mahngiel (posted July 2, 2012)

The OP offers plenty of room for subjectivism. If it's your opinion that having $_SESSION['logged_in'] is groovy, then that is your opinion. My opinion is otherwise. If the function on the page is going to revalidate this key every load, what's the purpose of the key? It's only adding to the overhead you just said you didn't like:

> I may be wrong, but I think the more information that exists in your session, the more memory you use for every page load. Generally, I only store the user ID in the session and then run a query for that ID to get their info.
scootstah (posted July 2, 2012)

Who said the key was going to be revalidated on every load?
Mahngiel (posted July 2, 2012)

> Who said the key was going to be revalidated on every load?

Then why is it available on every load in the session? Anyway, this thread is becoming derailed.