This post has been edited by xenor: 02 August 2011 - 07:58 AM
16 Replies - 4036 Views - Last Post: 03 August 2011 - 07:45 AM
#1
Are sessions safe to use?
Posted 02 August 2011 - 07:52 AM
I am wondering, is it safe to store sensitive data in a session?
Replies To: Are sessions safe to use?
#2
Re: Are sessions safe to use?
Posted 02 August 2011 - 08:00 AM
#3
Re: Are sessions safe to use?
Posted 02 August 2011 - 08:00 AM
Yes, sessions are created, stored, and destroyed on the server. There is session hijacking though.
#4
Re: Are sessions safe to use?
Posted 02 August 2011 - 08:01 AM
#5
Re: Are sessions safe to use?
Posted 02 August 2011 - 08:06 AM
You more than likely don't want to store a password in a session. IDs, usernames, etc. are far better options.
#6
Re: Are sessions safe to use?
Posted 02 August 2011 - 10:31 AM
Yeah, if you ever need the password, retrieve it using the ID you stored in the session. Also, make sure every password is hashed and salted.
#7
Re: Are sessions safe to use?
Posted 02 August 2011 - 10:48 AM
Yeah. I use SHA-512 to hash passwords. I store IDs in a session, then if I need to retrieve anything from the database I look for rows whose ID equals the session ID.
#8
Re: Are sessions safe to use?
Posted 02 August 2011 - 12:02 PM
xenor, on 02 August 2011 - 04:01 PM, said:
I am saying like storing sensitive info in $_SESSION, like username and password.
You can store everything that you want in a session, as mentioned previously it's stored on the server so there's no chance of the client ever seeing what's contained in a session if you don't want to.
Storing passwords in a session is, however, 1: insecure, and 2: unnecessary. Why would you want to do this?
1: Even though your client implementation for a session is pretty secure, if somebody compromises your server, they can very easily read the contents of users' session files, thus releasing their passwords. This is not only a security risk for yourself but would also fail any security audit should your server ever go through one.
2: It's unnecessary because the session cannot be modified by a client. Unlike cookies, where it is usual practice to store user credentials on the client side and re-authenticate every time, you are in control of a session. Best practice would be to wait for the user to authenticate, and at that point, rather than storing credentials, store their unique identifier (could be their username or user ID if database driven).
From there on in, you can use this unique identifier to retrieve user details where required.
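The pattern RudiVisser describes, as an added example that is not code from the thread: authenticate, regenerate the session ID, keep only the user ID in $_SESSION, and resolve everything else from that ID. The $users array is a constructed stand-in for a database table, and password_hash()/password_verify() are assumed available (PHP 5.5+).

```php
<?php
// Added example, not from the thread: after authentication, keep only the
// user's ID in $_SESSION and look everything else up by that ID.
// $users is a constructed stand-in for a database table.
declare(strict_types=1);

session_start();

// Constructed user store: id => [username, password hash]. The hash would
// normally be produced once, with password_hash(), when the account is created.
$users = [
    42 => [
        'username' => 'alice',
        'hash'     => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ],
];

function login(array $users, string $username, string $password): bool
{
    foreach ($users as $id => $row) {
        if ($row['username'] !== $username) {
            continue;
        }
        if (!password_verify($password, $row['hash'])) {
            return false;
        }
        // Authenticated: a fresh session ID so one handed out before login
        // cannot be reused, and only the identifier goes into the session.
        session_regenerate_id(true);
        $_SESSION['user_id'] = $id;
        return true;
    }
    return false;
}

// Resolve the logged-in user from the stored ID; the password hash never
// leaves the user store, let alone the session.
function currentUser(array $users): ?array
{
    $id = $_SESSION['user_id'] ?? null;
    if ($id === null || !isset($users[$id])) {
        return null;
    }
    return ['id' => $id, 'username' => $users[$id]['username']];
}
```

If the server's session storage is ever read by someone else, all they find here is a numeric ID, which is exactly the point made in item 1 above.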
#9
Re: Are sessions safe to use?
Posted 02 August 2011 - 12:05 PM
No sensitive data should ever be stored in a session or in a manner that is viewable or transferred over the wire.
This means that passwords should be properly hashed with multiple salts (static and dynamic), and these values should never be sent across the wire to the client's computer. The same goes for credit card information, but if you had to ask about sessions, please don't even touch payment options.
Good luck and happy coding!
#10
Re: Are sessions safe to use?
Posted 02 August 2011 - 12:07 PM
#11
Re: Are sessions safe to use?
Posted 02 August 2011 - 12:41 PM
I never said that they were. I said...
No sensitive data should ever be stored in a session or in a manner that is viewable or transferred over the wire.
#12
Re: Are sessions safe to use?
Posted 02 August 2011 - 01:28 PM
Basically a wrap up is, don't store sensitive data in a session.
#13
Re: Are sessions safe to use?
Posted 02 August 2011 - 01:35 PM
Not true, Terry, as RudiVisser outlined above. But there really is no legitimate reason to store a user's password in the session.
#14
Re: Are sessions safe to use?
Posted 02 August 2011 - 01:45 PM
IMO it's not safe to store sensitive data in the session. The main reason is, as EnvXOwner said, session hijacking. The session data is stored on the server, yes, but how would the server know whose data belongs to which client? The server knows through the session ID stored in a cookie on the client. If someone got hold of that session ID while it is still valid, they can use it as if it was their own originally.
Keep sensitive data in a database. There's hashing and encryption to preserve the integrity of data. Use them wisely.
This post has been edited by codeprada: 02 August 2011 - 01:46 PM
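Since the cookie-borne session ID is the thing codeprada's hijacking scenario depends on, here is an added example (not from the thread) of the server-side settings that shrink the window in which a captured ID is still valid. It assumes PHP 7.3+ (for the array form of session_set_cookie_params) and a site served only over HTTPS.

```php
<?php
// Added example, not from the thread: limit what a captured session ID is
// worth. Assumes PHP 7.3+ and that the site is served only over HTTPS.
declare(strict_types=1);

// Accept the ID only from the cookie (never the URL) and only if the server
// actually issued it, so a client cannot plant an ID of its own choosing.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

session_set_cookie_params([
    'lifetime' => 0,      // discarded when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,   // never sent over plain HTTP, where it could be read in transit
    'httponly' => true,   // not exposed to JavaScript, so injected script cannot read it
    'samesite' => 'Lax',
]);

session_start();

// A session idle for more than $maxIdle seconds is discarded, so an ID that
// was copied earlier stops being "still valid" in the sense of post #14.
function enforceIdleTimeout(int $maxIdle = 1800): void
{
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > $maxIdle) {
        $_SESSION = [];                 // drop all data, including user_id
        session_regenerate_id(true);    // and retire the old ID with it
    }
    $_SESSION['last_seen'] = $now;
}

// Rotate the ID every $every seconds so an older copy expires on its own.
function rotateSessionId(int $every = 300): void
{
    $last = $_SESSION['rotated_at'] ?? 0;
    if (time() - $last > $every) {
        session_regenerate_id(true);
        $_SESSION['rotated_at'] = time();
    }
}

enforceIdleTimeout();
rotateSessionId();
```

Rotating with session_regenerate_id(true) deletes the old session immediately, so requests already in flight from the same browser (for example concurrent AJAX calls) can lose their session; pick the rotation interval with that in mind.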
#15
Re: Are sessions safe to use?
Posted 02 August 2011 - 01:53 PM
How about you just don't store the password in any location other than a secured database? Do that and you should be fine.