Jump to content

Storing user data in session


Drongo_III
 Share

Recommended Posts

Hi Guys

 

Working on a big multi-stage form.

 

The form has multiple stages, each posting to the next.

 

There is currently minimal validation -  validation is done via a simple regex  which as a minimum allows these chars:  a-z A-Z 0-9 - £

 

As I need to store up all the user data until they complete and it can be passed to the database I am wondering if there is anything in particular I should do, besides the validation, to make sure the data being held in the session is safe?  I've read about some exploits via user data in the session but can't say I have an exhaustive understanding of this so any tips are welcome.

 

Drongo

Link to comment
Share on other sites

I don't think there is any particular stuff you could do. When I make multi step registration I usually 

 

a) Make the first step require all the basic data to create an account (username, email, password). This way the user creates an account way sooner.

b) Store it to session

c) Store it on the client and add further steps via JS

 

Usually sessions aren't dangerous at all from a security POV, there are some exploits like sending an array, but I barely think they could hack your database with it.

Link to comment
Share on other sites

Users can't, to my knowledge, directly manipulate data stored in session. The exploits exists when the application creates a hole. For example, you would never want to do something like this:

 

$key = $_POST['key'];
$value = $_POST['value'];
$_SESSION[$key] = $value;

 

the best advise I can give is to validate/escape ALL user input before you use it. Never assume any data is safe. For example, just because you give the user a select list to make a selection, don't assume that value is one that was in the list you created. Verify it is before you do anything with it.

Link to comment
Share on other sites

This thread is more than a year old.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.