3

I am using PHP $_SESSION variables with the login workflow of my website and I just wanted to clarify a few things. Much like Facebook, I want to store a secret code only known by the server which is used to sign each request that is sent to and from the server. My initial approach was to generate a random string and store that inside of a MySQL table, but then I learned about session variables. I know that session variables by default work by using cookies that store the session name and ID, correct? None of the actual data is stored on the user's computer? So if I wanted to implement:


<?php
# assume that $rand_string is not null and a string
session_start();
$_SESSION['secret'] = $rand_string;

there would not be any way for the user to decode the session cookies and determine the actual value of $rand_string, right? I just want to make sure the data is secure; otherwise I will revert to the less smooth MySQL technique. I just like the thought of the easily accessed and managed session variables.

4 Answers

7

Session data is stored server-side.

Cookie data is stored client-side.


2 Comments

So what exactly do the session cookies store?
The session cookie stores the session ID on the client side, so in subsequent requests the browser can tell the server which session to use.
2

I would prefer generating the random value with a GUID function, because it will generate a unique identifier and will be more secure than a simple random string:

<?php
# com_create_guid() comes from the COM extension, which is only available on Windows
session_start();
$_SESSION['secret'] = com_create_guid();

And yes, $_SESSION variables are stored on server side.

4 Comments

Does that UID change every time that script is executed?
Yes, every time you call it a new UID is generated, but you can store the one created the first time (per user) in a $_SESSION var.
Sorry to keep asking questions! So, a new GUID is created even for the same computer multiple times?
Yes, it's easy to test. Create a simple PHP script with this function and try it.
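Putting the question's idea together with this answer's point about how the secret is generated, here is an added example; it is not code from the question or from any of the answers. The secret comes from random_bytes(), which PHP 7 and later provide on every platform, whereas com_create_guid() needs the COM extension and is only available on Windows. The secret stays in $_SESSION on the server, and each request token is an HMAC over an action string made with that secret, so the client only ever holds the session ID cookie and the tokens, never the secret. The function names and the "delete_post:42" action format are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the question or any answer. The secret lives only in
// $_SESSION (server side); the client holds just the session ID cookie and the
// tokens derived below. Assumes session_start() has been called by the caller.

// Create the per-session secret on first use; later calls return the same value.
function getOrCreateSessionSecret(): string
{
    if (!isset($_SESSION['secret'])) {
        // 32 bytes from the CSPRNG, hex-encoded so it serializes cleanly.
        $_SESSION['secret'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['secret'];
}

// Sign an action string (hypothetical format, e.g. "delete_post:42").
// The returned token is what you embed in a form field or send in a header.
function signRequest(string $action): string
{
    return hash_hmac('sha256', $action, getOrCreateSessionSecret());
}

// Verify a token the client sent back. hash_equals() compares in constant time,
// so the check does not leak the expected token through timing differences.
function verifyRequest(string $action, string $token): bool
{
    if (!isset($_SESSION['secret'])) {
        return false; // no secret yet, so no token can be valid
    }
    $expected = hash_hmac('sha256', $action, $_SESSION['secret']);
    return hash_equals($expected, $token);
}

// Small demonstration when run from the command line (php example.php).
if (PHP_SAPI === 'cli') {
    session_start();
    $token = signRequest('delete_post:42');
    var_dump(verifyRequest('delete_post:42', $token));        // unchanged action and token
    var_dump(verifyRequest('delete_post:43', $token));        // action changed
    var_dump(verifyRequest('delete_post:42', $token . '0'));  // token tampered with
}
```

Because the token is bound to both the action and the session's secret, a token captured from one session cannot be replayed in another, and a token for one action cannot be reused for a different one.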
1

Yes, you are right, the user only knows about the session ID or something similar, just something to identify the session the user corresponds to.

The rest of the data is temporarily stored on the server.

There is no way for the visitor to get their hands on the session data unless you have major bugs on your website, which I don't think you do.


1

What you say is correct. All data inside $_SESSION is accessible only on the server, but only as long as the session has not timed out.

Nonetheless, you should be careful: session IDs, which are stored in the cookie, can be captured quite easily. See Sessions and Security for details.
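The point this answer raises is that the session ID is the one thing the client does hold, so it is what needs protecting. As an added example (not code from the answer), here is a session setup that limits how the ID can be captured or fixed: the cookie is only sent over HTTPS, is not readable from JavaScript, is not attached to cross-site requests, IDs the server never issued are rejected, and the ID is rotated at login. It assumes PHP 7.3 or later (the array form of session_set_cookie_params with a 'samesite' key) and a site served over HTTPS; the function names, the user id parameter and the 30-minute idle limit are my own choices.

```php
<?php
declare(strict_types=1);

// Added example, not part of the answer above. Assumes PHP >= 7.3 and HTTPS.

// Configure and start the session with the ID protected as far as the
// server can control it.
function startHardenedSession(): void
{
    // Reject session IDs the server never issued; without this PHP will
    // happily create a session under whatever ID the client presents.
    ini_set('session.use_strict_mode', '1');
    // Keep the ID out of URLs, which leak through logs, referers and shared links.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,     // never sent over plain HTTP
        'httponly' => true,     // not readable via document.cookie
        'samesite' => 'Lax',    // not attached to most cross-site requests
    ]);
    session_start();
}

// Call right after a successful login. A fresh ID means an ID that was known
// before authentication (for example, one planted in the browser earlier) no
// longer maps to the authenticated session. The user id parameter is hypothetical.
function onLoginSuccess(int $userId): void
{
    session_regenerate_id(true);   // true: also delete the old session data
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

// Idle timeout enforced by the application, since PHP's garbage collection
// only removes stale sessions eventually. Default limit is a hypothetical 30 min.
function isSessionExpired(int $maxIdleSeconds = 1800): bool
{
    $last = $_SESSION['last_activity'] ?? 0;
    $_SESSION['last_activity'] = time();
    return $last !== 0 && (time() - $last) > $maxIdleSeconds;
}

// Full logout: clear server-side data and expire the client's cookie.
function logout(): void
{
    $_SESSION = [];
    $params = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $params['path'],
        'domain'   => $params['domain'],
        'secure'   => $params['secure'],
        'httponly' => $params['httponly'],
        'samesite' => $params['samesite'],
    ]);
    session_destroy();
}
```

On each request, call startHardenedSession() and then isSessionExpired() before trusting anything in $_SESSION; if it returns true, call logout() and require a fresh login. These settings do not stop every way of capturing an ID, but they close the common ones (plain-HTTP transit, script access, URL leakage and fixation) that the linked manual page describes.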
