Remenission, Posted October 5, 2015 (edited)
https://forums.phpfreaks.com/topic/298446-account-data-in-session-vs-new-request/

Hi there, I'm trying to rework my framework a bit to make it more solid, and I have been storing encrypted account data as an array in session. However, since that data is being loaded every time a session is opened, I'm curious if perhaps it would be better to just use an SQL request to load the data instead. I think both have their pros and cons, but I'm curious what you guys think. Thanks!

Also, because I hate feeling like a leech, I am gonna try and help out a few others as well in the meantime.

Edited October 5, 2015 by Remenission
requinix, Posted October 5, 2015

How often do you need to access the information? Can it change during the lifetime of the user's session? When and why?
Jacques1, Posted October 6, 2015

Generally speaking, you shouldn't use the session for anything but temporary unimportant data. Sessions have lots of security issues:

- They can be hijacked, fixated and poisoned.
- Usually all websites on the same server have unrestricted access to the session files. There's no fine-grained permission system.
- Sessions can fall out of sync (as requinix already pointed out), which is a huge problem for critical data. For example: if you revoke certain privileges from a user, they may still have a session claiming they do have those privileges.
- A session contains serialized PHP values, not just plain strings. This may be used to manipulate the control flow of your program. For example, the check $_SESSION['key'] == $expected_key will always yield true if $_SESSION['key'] is the boolean value true instead of a string.

While it's theoretically possible to evade some of those risks with Authenticated Encryption, a much simpler solution is to put critical data into the database system.
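The following is an added example, not code from any poster in this thread. It shows the two points from Jacques1's reply side by side: the loose-comparison problem with serialized session values (a boolean true in $_SESSION passing a == check against a string), and the alternative of keeping only the user id in the session and reloading account data from the database on every request, so a revoked privilege takes effect immediately. The table name, column names, the sample key and the session contents are all constructed for the example; the database is an in-memory SQLite instance so it runs offline.

```php
<?php
// Added example (not from the thread). Assumed schema: users(id, role, is_active).
declare(strict_types=1);

// Constructed session contents: the stored "key" has been replaced by boolean true,
// which is exactly the serialized-value situation Jacques1 describes.
$poisonedSession = ['key' => true];
$expectedKey = 'a3f9c2e1d4b5'; // constructed sample secret, not a real key

// Loose comparison: PHP converts the non-empty string to bool before comparing,
// so a boolean true in the session passes this check even though it is not the key.
$loosePasses = ($poisonedSession['key'] == $expectedKey);

// Strict comparison: the types must match, so a boolean can never equal a string.
$strictPasses = ($poisonedSession['key'] === $expectedKey);

// For secrets, additionally require a string and compare in constant time.
function keyMatches($stored, string $expected): bool
{
    return is_string($stored) && hash_equals($expected, $stored);
}

echo 'loose == check passes: ',   var_export($loosePasses, true), PHP_EOL;
echo 'strict === check passes: ', var_export($strictPasses, true), PHP_EOL;
echo 'keyMatches passes: ',       var_export(keyMatches($poisonedSession['key'], $expectedKey), true), PHP_EOL;

// Alternative to caching account data in the session: store only the user id and
// reload role and status from the database on each request.
function loadAccount(PDO $db, array $session): ?array
{
    if (!isset($session['user_id']) || !is_int($session['user_id'])) {
        return null; // no authenticated user, or a session value of the wrong type
    }
    $stmt = $db->prepare('SELECT id, role, is_active FROM users WHERE id = :id');
    $stmt->execute([':id' => $session['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['is_active'] !== 1) {
        return null; // account deleted or disabled since the session was created
    }
    return $row;
}

// Usage with an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, role TEXT, is_active INTEGER)');
$db->exec("INSERT INTO users VALUES (1, 'admin', 1)");

$session = ['user_id' => 1];
$account = loadAccount($db, $session);
echo 'role on first request: ', $account['role'], PHP_EOL;

// Revoke the privilege. The next request reads the new role straight away; a role
// cached in $_SESSION would keep claiming 'admin' until the session was rebuilt.
$db->exec("UPDATE users SET role = 'user' WHERE id = 1");
$account = loadAccount($db, $session);
echo 'role after revocation: ', $account['role'], PHP_EOL;

// Disabling the account makes loadAccount() return null, so the caller treats the
// request as unauthenticated without waiting for the session to expire.
$db->exec('UPDATE users SET is_active = 0 WHERE id = 1');
echo 'account after disable: ', var_export(loadAccount($db, $session), true), PHP_EOL;
```

Run it with a PHP build that has the pdo_sqlite extension enabled. The point of keyMatches() is that the type check comes first: hash_equals() expects strings, so a non-string session value is rejected before any comparison happens, instead of being silently converted.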