5 Replies - 356 Views - Last Post: 18 February 2012 - 10:23 PM

#1 AliumOnions

PHP and Sessions - what data is stored on the client?

Posted 18 February 2012 - 06:36 AM

I'm fairly new to PHP and sessions so I apologize in advance if my question seems very basic, but I haven't been able to find an answer elsewhere. What I'd like to know is - what data exactly is stored in the session cookie (assuming I'm using cookies for passing the PHPSESSID) other than the PHPSESSID?

If I pass variables to $_SESSION, these are NOT in any way stored in the client's cookie, the variable data exists only on the server, correct? Even if session cookies are disabled and I'm passing my PHPSESSID in the URL, then only the PHPSESSID is passed in this way, right?

I'm not working with really critical data, but it is private and still I want to do my best to secure it. Please let me know if this is already listed somewhere but I just missed it before (wouldn't be the first time). Thanks!

Replies To: PHP and Sessions - what data is stored on the client?

#2 CTphpnwb

Posted 18 February 2012 - 07:03 AM

Yes, only the session id is stored on the client. If a malicious client side script gains access to this id there is the possibility of a cross site scripting attack.

#3 JackOfAllTrades

Posted 18 February 2012 - 07:31 AM

I think CTphpnwb may mean session hijacking, another kind of exploit.
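
Added example, not part of the original thread and not written by any of the posters: a PHP page that shows the split discussed in the two replies above, with only the session cookie going to the browser and the $_SESSION values staying in the server-side record, using cookie settings that limit script access to the ID. It assumes PHP 7.3 or later and a site served over HTTPS; the user_id and email values are constructed sample data.

```php
<?php
// Added example (not from the thread). The options-array form of
// session_set_cookie_params() requires PHP 7.3+.
declare(strict_types=1);

// Keep the ID out of URLs and reject IDs the server did not issue.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');

session_set_cookie_params([
    'lifetime' => 0,       // cookie ends with the browser session
    'path'     => '/',
    'secure'   => true,    // sent over HTTPS only (assumes the site uses TLS)
    'httponly' => true,    // not readable from document.cookie
    'samesite' => 'Lax',
]);
session_start();

// Hypothetical login step: on a privilege change, issue a fresh ID and
// delete the old session record so a previously known ID stops working.
if (!isset($_SESSION['user_id'])) {
    session_regenerate_id(true);
    $_SESSION['user_id'] = 42;                  // constructed sample value
    $_SESSION['email']   = 'user@example.test'; // constructed sample value
}

header('Content-Type: text/plain');

// What goes to the browser: a Set-Cookie header holding <name>=<id> and
// its attributes. On later requests the cookie already exists, so this
// list is empty.
echo "Client side (Set-Cookie headers in this response):\n";
foreach (headers_list() as $h) {
    if (stripos($h, 'Set-Cookie:') === 0) {
        echo "  $h\n";
    }
}

// What stays on the server: the serialized $_SESSION array, written by
// the save handler (a file under session.save_path by default).
echo "\nServer side (serialized session record):\n";
echo "  " . session_encode() . "\n";
```

The first response lists a Set-Cookie line carrying the session name and ID with the Secure, HttpOnly and SameSite attributes, while user_id and email appear only in the server-side record.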

#4 AliumOnions

Posted 18 February 2012 - 04:10 PM

Ok great, thanks for the answer! Yes, I've been trying to be careful with the session ID as well so hopefully it's at least fairly secure. Once I have sketched out my session login/logout code I'd like to get some feedback on it - is that something I could post here in this PHP forum or possibly in another forum on this site?

#5 codeprada

Posted 18 February 2012 - 04:48 PM

Sure...we'll take a look at it. Just remember to use code tags when posting your code.

#6 AliumOnions

Posted 18 February 2012 - 10:23 PM

Great, thanks! Will do.