#1
    Session Variables and Security


    Hi:

    I know that on a PHP page, I can dump SESSION variables to the display using:
    var_dump($_SESSION);

    Is there a way to display SESSION variables directly from the browser address bar?

    i.e. How secure are SESSION variables for things like usernames and passwords?

    Thanks
  2. #2
    Values in $_SESSION are not available outside of your server unless you write code (intentionally or not) which exposes them. So it's like a database.

    You can put usernames in there. You can put passwords in there too but there is no good reason to do so.
  4. #3
    The "security" of sessions relies on the session ID being "unguessable". But if an attacker gains access to your server and downloads the session files, they won't need to guess the IDs.

    There should be no reason to put a password in the session information.

    -John
    -- Cigars, whiskey and wild, wild women. --
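
What the two replies above describe, as an added example that is not part of the thread: only the session ID cookie reaches the browser, the `$_SESSION` contents stay on the server, and login stores a user id rather than the password. The `$users` array, account name and password are constructed sample values, and PHP 7.3+ is assumed for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example, not from the thread. $users is a constructed stand-in for a
// real user table; the account name and password are sample values.
$users = [
    'alice' => ['id' => 42, 'hash' => password_hash('sample-password', PASSWORD_DEFAULT)],
];

// The browser only ever holds the session ID cookie. Keep that cookie away
// from page scripts and plain HTTP, and refuse IDs the server did not issue.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // cookie is only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

function login(array $users, string $name, string $password): bool
{
    $user = $users[$name] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Issue a fresh ID at login so an ID known before authentication is useless.
    session_regenerate_id(true);
    // Store who the user is, never the password: the check is already done.
    $_SESSION['user_id']  = $user['id'];
    $_SESSION['username'] = $name;
    return true;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ok = login($users, (string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
    http_response_code($ok ? 200 : 401);
}

header('Content-Type: text/plain');
// What the client has: the name and value of one cookie.
echo 'cookie: ', session_name(), '=', session_id(), "\n";
// What stays on the server (with the default "files" handler, in
// session_save_path()/sess_<id>): the serialized contents of $_SESSION.
// Printed here only to show the split; an echo like this is exactly the
// kind of code that exposes session data, so it does not belong in production.
echo 'server: ', session_encode(), "\n";
```
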
  6. #4
    Thanks for the replies.

    Yes, there is no reason to save a password in a SESSION variable. I was using that as an example of the most sensitive information that you would not want compromised.
    Glad to hear SESSION variables are secure.
