
Storing user data in session


Drongo_III


Hi Guys

Working on a big multi-stage form.

The form has multiple stages, each posting to the next.

There is currently minimal validation - validation is done via a simple regex which as a minimum allows these chars: a-z A-Z 0-9 - £

As I need to store up all the user data until they complete and it can be passed to the database, I am wondering if there is anything in particular I should do, besides the validation, to make sure the data being held in the session is safe? I've read about some exploits via user data in the session but can't say I have an exhaustive understanding of this, so any tips are welcome.

Drongo

https://forums.phpfreaks.com/topic/279438-storing-user-data-in-session/

I don't think there is any particular stuff you could do. When I make multi-step registration I usually:

a) Make the first step require all the basic data to create an account (username, email, password). This way the user creates an account way sooner.

b) Store it to session

c) Store it on the client and add further steps via JS

Usually sessions aren't dangerous at all from a security POV; there are some exploits like sending an array, but I barely think they could hack your database with it.

Users can't, to my knowledge, directly manipulate data stored in session. The exploits exist when the application creates a hole. For example, you would never want to do something like this:

<?php
// Bad: the client picks BOTH the session key and the value, so it can
// overwrite any session entry (e.g. a logged-in user id or role flag).
$key = $_POST['key'];
$value = $_POST['value'];
$_SESSION[$key] = $value;

The best advice I can give is to validate/escape ALL user input before you use it. Never assume any data is safe. For example, just because you give the user a select list to make a selection, don't assume that value is one that was in the list you created. Verify it is before you do anything with it.
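The safe counterpart to the snippet above, written as an added example rather than code from anyone in this thread: each stage of the multi-stage form declares the field names it accepts, every value is checked against either the thread's regex character set or the server-side option list used to build the select, and only then is it written under a fixed session key. The stage table, field names and the `storeStage` helper are assumptions for illustration.

```php
<?php
// Added example (not from the thread): a per-stage whitelist of field names and
// values, so user input never chooses the $_SESSION key and every stored value
// has been validated before it reaches the session.

declare(strict_types=1);

// Hypothetical stage definitions. Each stage lists the fields it accepts;
// anything else in $_POST is ignored. 'regex' fields are matched against a
// pattern (here the thread's a-z A-Z 0-9 - £ set); 'options' fields must be
// one of the server-side list, the same list used to render the <select>.
const FORM_STAGES = [
    1 => [
        'username' => ['regex' => '/^[a-zA-Z0-9£-]{1,64}$/u'],
        'country'  => ['options' => ['GB', 'IE', 'FR']],
    ],
    2 => [
        'budget' => ['regex' => '/^£?[0-9]{1,9}$/u'],
    ],
];

function validateField(array $rule, string $value): bool
{
    if (isset($rule['options'])) {
        // Strict comparison: the submitted value must be exactly one of ours,
        // even though it came from a <select> we generated.
        return in_array($value, $rule['options'], true);
    }
    return preg_match($rule['regex'], $value) === 1;
}

// Validates one stage's POST data. Returns field-name => error message;
// an empty array means the stage was accepted and written to
// $_SESSION['form'][$stage] (a key chosen by us, never by the client).
function storeStage(int $stage, array $post): array
{
    if (!isset(FORM_STAGES[$stage])) {
        return ['stage' => 'unknown stage'];
    }
    $errors = [];
    $clean  = [];
    // Iterate over OUR field list, never over the keys the client sent.
    foreach (FORM_STAGES[$stage] as $name => $rule) {
        $value = $post[$name] ?? null;
        // A posted array (field[]=x) is not a string: reject it outright
        // instead of letting it reach preg_match or the session.
        if (!is_string($value) || !validateField($rule, $value)) {
            $errors[$name] = 'invalid value';
            continue;
        }
        $clean[$name] = $value;
    }
    if ($errors === []) {
        $_SESSION['form'][$stage] = $clean;
    }
    return $errors;
}

// Usage at the top of each stage's handler.
session_start();
$errors = storeStage((int) ($_GET['stage'] ?? 0), $_POST);
if ($errors !== []) {
    http_response_code(422);
    // re-render the current stage with $errors
} else {
    // redirect to the next stage; the final stage reads $_SESSION['form']
    // and writes it to the database with prepared statements
}
```

The design point is that the loop walks the server's field list rather than `$_POST`, so an unexpected key such as `user_id` or `is_admin` is simply never looked at, and a value is copied into the session only after it has passed the same check you would apply before writing it to the database.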
