Are sessions safe to use?


16 Replies - 6283 Views - Last Post: 03 August 2011 - 07:45 AM

#1 xenor, posted 02 August 2011 - 07:52 AM

I am wondering, is it safe to store sensitive data in a session?

This post has been edited by xenor: 02 August 2011 - 07:58 AM


Replies To: Are sessions safe to use?

#2 KingCuddles, posted 02 August 2011 - 08:00 AM

What are you saving?

Take a look here and here.

#3 EnvXOwner, posted 02 August 2011 - 08:00 AM

Yes, sessions are created, stored, and destroyed on the server. There is session hijacking, though.

#4 xenor, posted 02 August 2011 - 08:01 AM

KingCuddles, on 02 August 2011 - 09:00 AM, said:

What are you saving?

Take a look here and here.

I mean storing sensitive info in $_SESSION, like a username and password.

#5 EnvXOwner, posted 02 August 2011 - 08:06 AM

You more than likely don't want to store a password in a session. IDs, usernames, etc. are far better options.

#6 creativecoding, posted 02 August 2011 - 10:31 AM

Yeah, if you ever need the password, retrieve it using the ID you stored in the session. Also, make sure every password is hashed and salted.

#7 EnvXOwner, posted 02 August 2011 - 10:48 AM

Yeah. I use SHA-512 to hash passwords. I store IDs in a session, then if I need to retrieve anything from the database I look for rows whose id equals the ID in the session.

#8 RudiVisser, posted 02 August 2011 - 12:02 PM

xenor, on 02 August 2011 - 04:01 PM, said:

I am saying like storing sensitive info in $_SESSION, like username and password.

You can store everything that you want in a session; as mentioned previously, it's stored on the server, so there's no chance of the client ever seeing what's contained in a session if you don't want them to.

Storing passwords in a session is, however, 1: insecure, and 2: unnecessary. Why would you want to do this?

1: Even though your client implementation for a session is pretty secure, if somebody compromises your server, they can very easily read the contents of users' session files, thus releasing their passwords. This is not only a security risk for you but would also fail any security audit should your server ever go through one.

2: It's unnecessary because the session cannot be modified by a client. Unlike cookies, where it is usual practice to store user credentials on the client side and re-authenticate every time, you are in control of a session. Best practice would be to wait for the user to authenticate and, at that point, rather than storing credentials, store their unique identifier (this could be their username or user ID if database-driven).

From there on in, you can use this unique identifier to retrieve user details where required.
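The flow RudiVisser describes (authenticate once, keep only the user's identifier in $_SESSION, look everything else up by that ID), written out as an added PHP example that is not code from any post in this thread. It also covers the hashing advice from posts #6 and #7, but uses PHP's password_hash()/password_verify() (bcrypt by default, with a random per-user salt embedded in the stored string) in place of a bare SHA-512 digest. The users table, its column names and the in-memory SQLite database are assumptions made so the script runs on its own.

```php
<?php
// Added example, not code from the thread: a login that verifies the submitted
// password against a stored hash and keeps only the user's ID in $_SESSION.
// Assumptions: a `users` table with `id`, `username`, `email` and
// `password_hash` columns, accessed through PDO.
declare(strict_types=1);

// Registration: store the output of password_hash() (bcrypt by default, salt
// and cost embedded in the result), never a bare digest of the password.
function registerUser(PDO $db, string $username, string $email, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, email, password_hash) VALUES (:u, :e, :h)');
    $stmt->execute([':u' => $username, ':e' => $email, ':h' => $hash]);
}

// Login: on success the session holds the user's ID and nothing about the
// credentials; the plaintext password goes out of scope when this returns.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() reads the salt and cost out of the stored hash and
    // compares in constant time.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Issue a fresh session ID at authentication so an ID an attacker planted
    // before login (session fixation) is not upgraded to a logged-in one.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Later requests: fetch whatever the page needs by the stored ID. The
// password_hash column is deliberately not selected.
function currentUser(PDO $db): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE id = :id');
    $stmt->execute([':id' => $_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    return $user === false ? null : $user;
}

// Usage: an in-memory SQLite database stands in for the real one so the
// script runs stand-alone (php login_example.php). Output is collected and
// printed last so session_regenerate_id() runs before anything is sent.
session_start();
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT, password_hash TEXT)');

registerUser($db, 'alice', 'alice@example.com', 'correct horse battery staple');

$results = [
    'wrong password accepted'   => login($db, 'alice', 'not her password'),
    'right password accepted'   => login($db, 'alice', 'correct horse battery staple'),
    'keys held in the session'  => array_keys($_SESSION),
    'user loaded by session ID' => currentUser($db)['username'] ?? null,
];
print_r($results);
```

The point to check in your own code is the last two entries: after login the session contains only `user_id`, and every later page gets the user's details by querying with that ID rather than by reading credentials out of the session.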

#9 calebjonasson, posted 02 August 2011 - 12:05 PM

No sensitive data should ever be stored in a session or in a manner that is viewable or transferred over the wire.

This means that passwords should be properly hashed with multiple salts (static and dynamic) and these values should never be sent across the wire to the client's computer. The same goes for credit card information, but if you had to ask about sessions, please don't even touch payment options.

Good luck and happy coding!

#10 RudiVisser, posted 02 August 2011 - 12:07 PM

calebjonasson, on 02 August 2011 - 08:05 PM, said:

No sensitive data should ever be stored in a session or in a manner that is viewable or transferred over the wire.

Sessions are never transferred over the wire.

#11 calebjonasson, posted 02 August 2011 - 12:41 PM

I never said that they were. I said:

No sensitive data should ever be stored in a session or in a manner that is viewable or transferred over the wire.

#12 EnvXOwner, posted 02 August 2011 - 01:28 PM

Basically, a wrap-up is: don't store sensitive data in a session.

#13 JackOfAllTrades, posted 02 August 2011 - 01:35 PM

Not true, Terry, as RudiVisser outlined above. But there really is no legitimate reason to store a user's password in the session.

#14 codeprada, posted 02 August 2011 - 01:45 PM

IMO it's not safe to store sensitive data in the session. The main reason is, as EnvXOwner said, session hijacking. The session data is stored on the server, yes, but how would the server know whose data belongs to which client? The server knows through the session ID stored in a cookie on the client. If someone got hold of that session ID while it is still valid, they can use it as if it was their own originally.

Keep sensitive data in a database. There's hashing and encryption to preserve the integrity of data. Use them wisely.

This post has been edited by codeprada: 02 August 2011 - 01:46 PM

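codeprada's point is that the server-side store is only as safe as the session ID cookie that selects it. The following is an added PHP example, not code from any post here, showing the controls that limit how that ID travels and how long a captured one stays useful: strict mode and cookie-only IDs, the Secure/HttpOnly/SameSite cookie flags, idle and absolute timeouts, periodic regeneration, and a logout that destroys the server-side session rather than just dropping the cookie. The ini settings and cookie parameters are PHP's own (PHP 7.3 or later for the array forms); the timeout values, rotation interval and function names are assumptions.

```php
<?php
// Added example, not code from the thread: the session ID cookie is what a
// hijacker needs, so constrain how it is sent and bound how long it works.
// Timeouts, rotation interval and helper names are assumptions; the ini
// options and cookie parameters are PHP's own.
declare(strict_types=1);

function startHardenedSession(int $idleSeconds = 900, int $maxAgeSeconds = 8 * 3600, int $rotateSeconds = 300): void
{
    // Accept only IDs this server generated (defeats fixation with an
    // attacker-chosen ID), and read them only from the cookie, never the URL.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Secure: sent over TLS only. HttpOnly: not readable via document.cookie,
    // so an XSS bug cannot simply exfiltrate it. SameSite=Lax: not attached
    // to cross-site POSTs.
    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();
    $now = time();

    // Idle timeout and absolute lifetime: a stolen ID is only useful inside
    // these windows, whatever the cookie itself says.
    $expired = (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > $idleSeconds)
            || (isset($_SESSION['created']) && $now - $_SESSION['created'] > $maxAgeSeconds);
    if ($expired) {
        $_SESSION = [];
        session_regenerate_id(true);   // true: delete the old server-side record
    }

    if (!isset($_SESSION['created'])) {
        $_SESSION['created'] = $now;
        $_SESSION['rotated'] = $now;
    }

    // Periodic rotation: an ID captured earlier stops working after the
    // next rotation even if the user stays active.
    if ($now - ($_SESSION['rotated'] ?? $_SESSION['created']) > $rotateSeconds) {
        session_regenerate_id(true);
        $_SESSION['rotated'] = $now;
    }

    $_SESSION['last_seen'] = $now;
}

// Logout must invalidate the server-side record; forgetting the cookie in the
// browser alone leaves a copied ID valid until it expires.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Call this at the top of every request, before any output is sent.
startHardenedSession();
```

One caveat a practitioner runs into with regeneration: a page that fires several overlapping AJAX requests can have one of them arrive with the ID that another request just retired, and with `use_strict_mode` that request gets an empty new session. Keep the rotation interval long enough that this is rare, or rotate only on explicit privilege changes such as login.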

#15 creativecoding, posted 02 August 2011 - 01:53 PM

How about you just don't store the password in any location other than a secured database? Do that and you should be fine.
