ChenXiu Posted August 14, 2022 (edited)

To prevent misuse on some $_GET and $_POST pages, I use sessions to make sure GET, POST, and other variables aren't monkeyed with. Example:

    if ($_SESSION["ordernumber"] !== $_POST["ordernumber"]) {
        header("Location: https://goAwayHacker.com");
        exit;
    }

When I reviewed my final code, I had used lots of individual session variables to do the checks and balances, e.g. $_SESSION["ordernumber"], $_SESSION["userid"], $_SESSION["sku_numbers"], $_SESSION["date"], $_SESSION["this"], $_SESSION["that"], $_SESSION["etc"]

Question: Would having just ONE big session as an array containing all the aforementioned session variables be equally secure? Does having one big session as an array make PHP work harder and slow things down?

    $_SESSION["security"] = array(
        'ordernumber' => '1234',
        'userid' => 'MyDogRover',
        etc. etc. etc.....

So, for example, instead of

    if ($_SESSION["ordernumber"] !== $_POST["ordernumber"]) {
        header("Location: https://goAwayHacker.com");
        exit;
    }

... I would do:

    if ($_SESSION["security"]["ordernumber"] !== $_POST["ordernumber"]) {
        header("Location: https://goAwayHacker.com");
        exit;
    }

Thank you.

Edited August 14, 2022 by ChenXiu
https://forums.phpfreaks.com/topic/315181-_session-philosophical-question/
ginerjm Posted August 14, 2022

You can only have one session at a time. Not sure what you are thinking of when you talk about 'ONE big session'.

How's this? How do you know that the items saved in your session vars were tinkered with when you first saw them? You then compare them to the latest version of your post data and they might be wrong already.
kicken Posted August 14, 2022

2 hours ago, ChenXiu said:

    So, for example, instead of

        if ($_SESSION["ordernumber"] !== $_POST["ordernumber"]) {
            header("Location: https://goAwayHacker.com");
            exit;
        }

    ... I would do:

        if ($_SESSION["security"]["ordernumber"] !== $_POST["ordernumber"]) {
            header("Location: https://goAwayHacker.com");
            exit;
        }

The whole thing is kind of silly. If you're going to store the data in the session, then just use the session and stop using $_POST.
ChenXiu Posted August 14, 2022 (Author)

43 minutes ago, kicken said:

    The whole thing is kind of silly. If you're going to store the data in the session, then just use the session and stop using $_POST.

Silly? Really? So if I have

    <input type="hidden" name="price" value="50.00">

you think it's silly to set

    $_SESSION["price"] = '50.00';

and on the destination page check that

    $_SESSION["price"] == $_POST["price"]

I'm wondering why "the whole thing is silly." Thank you.
ChenXiu Posted August 14, 2022 (Author)

3 hours ago, ginerjm said:

    You can only have one session at a time. Not sure what you are thinking of when you talk about 'ONE big session'.

Correct, one session at a time. By "one big session," I mean placing the session variables under one named variable. Analogy: imagine a manila folder containing photos of fruits.

Option 1.) Manila folder is unlabeled:

    $_SESSION["apple"] = 'red';
    $_SESSION["grape"] = 'green';
    $_SESSION["lemon"] = 'yellow';

Option 2.) Manila folder is labeled "fruit":

    $_SESSION["fruit"]["apple"] = 'red';
    $_SESSION["fruit"]["grape"] = 'green';
    $_SESSION["fruit"]["lemon"] = 'yellow';

I'm trying to learn PHP best practices. Which is "best practice?"

Quote:

    How do you know that the items saved in your session vars were tinkered with when you first saw them?

I know, because my PHP code generates the $ordernumber value and immediately places it in the session before serving to the browser.

Thank you.
ginerjm Posted August 14, 2022

It's just getting sillier.
kicken Posted August 14, 2022

2 hours ago, ChenXiu said:

    Silly? Really? So if I have

        <input type="hidden" name="price" value="50.00">

    you think it's silly to set

        $_SESSION["price"] = '50.00';

    and on the destination page check that

        $_SESSION["price"] == $_POST["price"]

    I'm wondering why "the whole thing is silly." Thank you.

Yes, because if you have a way to put it into $_SESSION that you trust, then there's no point in having the <input> at all. Just delete it and use $_SESSION['price'] where you need it.
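An added example (not code from the thread or from either poster) putting the two patterns from this exchange side by side in PHP. The function names, the `security` sub-array layout and the sample session/POST data are assumptions for illustration; the functions take the session and POST arrays as parameters instead of reading the globals, so the logic can be run with constructed data and, in a real page, called with `$_SESSION` and `$_POST` after `session_start()`.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Functions take the session and POST
// arrays as parameters so they can be exercised with constructed data below.

// The pattern from the original post: a server-generated value is echoed into
// a hidden input and, on submit, the round-tripped POST value is compared with
// the session copy. The comparison only ever re-confirms what the server knew.
function hiddenPriceInput(array $session): string
{
    $price = htmlspecialchars((string) $session['price'], ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="price" value="' . $price . '">';
}

function postedPriceMatchesSession(array $session, array $post): bool
{
    // $_POST values are always strings (or arrays); cast the session side so a
    // strict comparison is meaningful. hash_equals() also rejects non-strings.
    if (!isset($session['price'], $post['price']) || !is_string($post['price'])) {
        return false;
    }
    return hash_equals((string) $session['price'], $post['price']);
}

// The pattern kicken recommends: the trusted value is read straight from the
// session on the destination page. No hidden input, nothing to tamper with,
// nothing to compare.
function checkoutPrice(array $session): ?string
{
    return isset($session['price']) ? (string) $session['price'] : null;
}

// Where the client legitimately chooses something (which SKU to remove from
// the cart, say), the POST value is an untrusted selector. It is validated
// against the server-side list rather than echoed back and compared to itself.
function selectedSku(array $session, array $post): ?string
{
    $allowed = $session['sku_numbers'] ?? [];
    $sku = $post['sku'] ?? null;
    if (!is_string($sku) || !in_array($sku, $allowed, true)) {
        return null; // not one of this user's SKUs: reject, do not guess
    }
    return $sku;
}

// Nesting the keys under one array changes nothing about trust or cost: PHP
// serializes the whole $_SESSION array into one blob at the end of each request
// either way. This flattens the nested layout so the functions above accept
// both shapes discussed in the thread.
function flattenSecurityKeys(array $session): array
{
    $nested = $session['security'] ?? [];
    unset($session['security']);
    return $nested + $session;
}

// Constructed sample data standing in for $_SESSION and $_POST (assumed values).
$session = [
    'security' => [
        'ordernumber' => '1234',
        'userid'      => 'MyDogRover',
        'price'       => '50.00',
        'sku_numbers' => ['A-100', 'B-200'],
    ],
];
$flat = flattenSecurityKeys($session);

$tampered = ['price' => '0.01',  'sku' => 'Z-999']; // client edited the hidden input
$honest   = ['price' => '50.00', 'sku' => 'B-200'];

var_dump(postedPriceMatchesSession($flat, $tampered));
var_dump(postedPriceMatchesSession($flat, $honest));
var_dump(checkoutPrice($flat));
var_dump(selectedSku($flat, $tampered));
var_dump(selectedSku($flat, $honest));
echo hiddenPriceInput($flat), PHP_EOL;
```

The tampered request fails the hidden-input comparison, but notice that `checkoutPrice()` never needed the request at all: the only POST field worth reading is the one the user is actually allowed to choose, and that one is checked against the session's list with a strict `in_array()` rather than compared with a copy of itself.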
ChenXiu Posted August 14, 2022 (Author)

2 hours ago, ginerjm said:

    It's just getting sillier.

I almost took offense, thinking you were singling me out... But I see you're this way with everyone: https://forums.phpfreaks.com/profile/109381-ginerjm/content/