stackoom
  简体   繁体   中英

php storing user id in session?

 原文  2011-04-20 00:47:22       php/ security/ session

Question

I am wondering what the risks are of storing the userid in a session?

then simply doing a 

if(isset($_SESSION['user_id'])){
  login_user($_SESSION['user_id]);
}

Are sessions encrypted enough that we wont have to worry about hashing them? What are the chances of someone being able to change their ID?

5 answers

solution1
 11 ACCPTED  2011-04-20 00:48:15

The session is by default stored in /tmp as a file. It is not viewable by the end user unless you have security issues such as directory traversal vulnerabilities.

The only portion the client sees is the unique hash stored in a cookie which maps to the relevant session on the server.

solution2
 2  2011-04-20 01:49:44

Most applications use $_SESSION as you are. If there where a wide spread weakness then major projects would be doing things differently.

solution3
 1  2011-04-20 02:54:49

Storing a user id in $_SESSION is a reasonably common practice.

Your alternative could be to store the session information (including current user id) in a table using the session_id() in some form, as the key.

Session information is stored as plain text.

Dependant on your setup, the session location should be safe on a properly setup server. It is possible to change the location with session_save_path() which will overcome potential location issues.

solution4
 0  2011-04-20 00:49:24

If some one can access your session, he can, probably, access much much more. I would not hash it and also make sure it does not get to the client

solution5
 -2  2012-05-29 11:28:31

I would advise against adding only the user id to the session. For example:

1: Create an account in one browser and log in. Then leave that browser open and go to another computer.

2: Log into the same account and delete it. Now make a new account with a different password (with the same username, if that is used as the id).

3: Go back to your other computer and do stuff. You will find that you could quite possibly now be using the account made on the other computer.

Basically, since the session stores the id this may not necessarily still belong to the same person depending on iff accounts have changed etc. And if no password is required (since you already went though that process when you owned the account) then it is similar to breaking in.

So this seems to only have a chance of working if, when you delete user accounts from the database, numeric ids can be reused (about 2% of the systems I have seen do this). Or if the user id is the username (about 20% I have seen do this).

So I would instead suggest adding the userid and the password hash (ie md5, sha1) to the session and obtain the user information using both of them each time.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Storing USER ID in PHP SESSION PHP not storing session ID PHP - Storing session username or ID preferred? Php resource id was changed after storing in session User decryption/encryption in PHP | storing key in session Php - get current user id to store in a session? PHP - Storing a session in a query every time user loads query Storing user configuration in PHP Session vs accessing it every time PHP storing session data, storing userid in session Session is not storing variables in PHP?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM