jalinidy Posted March 18, 2013
Hello: On page 430 (Chapter 13) in the sidebar titled MORE SECURITY RECOMMENDATIONS it recommends watching how "database references are used." More specifically it mentions that using a table's primary key in a cookie is a security risk. This makes sense, but I'm wondering, is the same true when storing a table's primary key in a session variable? My thinking is that it's okay in a session variable since the session is stored on the server, not in the client's web browser. I believe that in order to alter $_SESSION['userid'], e.g., you would need to have access to the same server - so that you could put in a dummy page that reassigns $_SESSION['userid'] as one wants - and you would need to know the name of the session variable. If there's a better way to access user data throughout a site other than storing the primary key from the users table in $_SESSION['userid'] (or whatever), I'd love to know what's recommended. Thanks very much! Best, Adam
HartleySan Posted March 18, 2013
You're right in that sessions are generally very secure. The following thread on SO will likely provide some reassurance of that: http://stackoverflow.com/questions/4181872/php-can-a-client-ever-set-session-variables Also, because of the way that DBs are generally organized, the primary ID is quite often the quickest and easiest way to reference a particular record as well as link to other tables. As such, while every DB is different, the primary key for the users table is generally very useful to know.
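The difference the two posts above are discussing, shown in code. This is an added example, not code from the book or from either poster: the first function is the cookie-based pattern the sidebar warns about, the rest is the session-based pattern the thread recommends, with the session-id cookie flags and the id regeneration a practitioner would add. It assumes a PDO connection $pdo and a users table with columns id, email and pass (a password_hash() value); all function and column names are illustrative.

```php
<?php
// Added example (not from the book or the thread). Assumes $pdo is a PDO
// connection and users(id, email, pass) exists, pass holding a password_hash()
// value. Function and column names are illustrative.

declare(strict_types=1);

// --- Vulnerable: the client picks the primary key --------------------------
// Whoever edits the 'userid' cookie to another user's id is served that
// user's record; nothing on the server ties the cookie value to a login.
// The (int) cast keeps the query safe from injection but not from this.
function currentUserInsecure(PDO $pdo): ?array
{
    if (!isset($_COOKIE['userid'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE id = ?');
    $stmt->execute([(int) $_COOKIE['userid']]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// --- Safer: the primary key lives only in server-side session data ---------
// The browser holds only the opaque session id; $_SESSION['userid'] is set
// by the server after a verified login and is never sent to the client.
function startSecureSession(): void
{
    // Session-id cookie: not readable by script, HTTPS only, not sent on
    // cross-site requests (array form requires PHP 7.3+).
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    // Reject session ids the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    session_start();
}

function login(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, pass FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass'])) {
        return false;
    }
    // Issue a fresh id on login so an id handed out before authentication
    // cannot be reused to ride the authenticated session.
    session_regenerate_id(true);
    $_SESSION['userid'] = (int) $row['id'];
    return true;
}

function currentUser(PDO $pdo): ?array
{
    if (!isset($_SESSION['userid'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['userid']]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Usage on a protected page, after startSecureSession():
// $user = currentUser($pdo) ?? exit('Please log in.');
```

The only thing the client can influence in the safer version is the session id in its cookie, which is why the cookie flags and session_regenerate_id() matter: the primary key itself never leaves the server, but the handle that selects the server-side record does.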
jalinidy Posted March 18, 2013 Author
Thank you very much for the reply! - and the link Best, Adam