
Is it safe to save PHP Database values directly in Session Array?

I want to know whether, while doing DB operations on MySQL in PHP, it is really safe to save all DB values in the Session array, as below:

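// Look up the user with a prepared statement (placeholders bound to $m and $s).
// The chained calls assume the DB wrapper's execute() returns the statement.
$query = "select * from `users` where `mails` = ? and passx= ? ";
$result = DB::instance()->prepare($query)->execute
             (array($m,$s))->fetchAll();
foreach($result as $row){
   $user[] = $row;
   $_SESSION['user'] = $user;
}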

I am afraid as all Database column names are available in Session Array. If there is any other approach please let me know.

Yes, the $_SESSION array is private and will never be shown to a user unless PHP is configured to save session files in a publicly accessible location or there is a security flaw on the server. However, sessions can be stolen from users and others can log in with them by using certain methods.

Read up on how to prevent session fixation here

Also related: Where is data stored in a session?

As an aside, you can use reset() instead of foreach() to return the first key in an array.

In short, if you don't run around var_dumping $_SESSION, or mismanaging the data assigned from $_SESSION, there's no real way for the contents of $_SESSION to be intercepted client-side. It is only stored on the server.

Even if a session is hijacked (which has its own set of issues and concerns), this doesn't mean that the contents of $_SESSION are fully exposed.
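
One way to apply the points raised in the answers above, as an added example that is not part of the original posts: copy only the fields the application needs into $_SESSION and issue a new session ID at login to counter session fixation. The `users`, `mails` and `passx` names come from the question; the `id` column, the helper names, and the assumption that `passx` holds a password_hash() value are hypothetical, and the demo data is constructed.

```php
<?php
declare(strict_types=1);

// Columns allowed into the session; everything else in the row (password
// hash, internal flags, ...) stays in the database.
const SESSION_FIELDS = ['id', 'mails'];

function sessionPayload(array $row): array
{
    return array_intersect_key($row, array_flip(SESSION_FIELDS));
}

function login(PDO $pdo, string $mail, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, mails, passx FROM users WHERE mails = ?');
    $stmt->execute([$mail]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Assumption: passx holds a password_hash() value, not the plain password.
    if ($row === false || !password_verify($password, $row['passx'])) {
        return false;
    }

    // New session ID at the privilege change, so an ID planted before login
    // is useless afterwards (session fixation).
    session_regenerate_id(true);
    $_SESSION['user'] = sessionPayload($row);
    return true;
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, mails TEXT, passx TEXT)');
$pdo->prepare('INSERT INTO users (mails, passx) VALUES (?, ?)')
    ->execute(['alice@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);

session_start();
$rejected = login($pdo, 'alice@example.test', 'wrong');
$accepted = login($pdo, 'alice@example.test', 'correct horse');

// Print only after all session calls, so no output precedes the session headers.
var_dump($rejected, $accepted, $_SESSION['user']);
```

After the successful login, `$_SESSION['user']` contains only `id` and `mails`; the `passx` value never leaves the database layer.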

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 