
I have a $_SESSION var which stores simple, easily callable identifying information when a user is logged in. Even when a user is not logged in, it logs the last file visited (in case a user logs in, to return quickly to that page).

User Logged in

$_SESSION[$userid,$username,$first_name,$lastPage];

User Not Logged in

$_SESSION[$lastPage];

My chief concerns are security and ease of understanding for future programmers.

So are any of these options viable, or am I missing an option which is more secure, and very easy to understand for programmers?

  1. Use the $_SESSION var, and access it in classes.
  2. Use a sessionWrapper class to mimic the values in $_SESSION.
  3. Keep only a unique identifier, and perhaps lastPage in the $_SESSION var. Create a sessionWrapper class that pulls the pertinent information from the database if this unique identifier is given.

Am I missing something here? As I write this I lean closer to option 3 but really appreciate any feedback about best practices here.

  • It's an array, you need to use $_SESSION['variable'] = …. Commented Dec 10, 2013 at 14:26
  • $_SESSION['loggedIn'] = true ? Curious about session security? Go nuts owasp.org/index.php/Session_Management_Cheat_Sheet. PHP specific owasp.org/index.php/… Commented Dec 10, 2013 at 14:27
  • Thanks @MarcelKorpel - I have a working SESSION structure right now. I'm not wondering how to establish sessions; I just put this together to better explain what is in them now. If you have a better way to visually represent them here (symbolically), I will edit. Commented Dec 10, 2013 at 14:29
  • Option 3 is basically re-writing sessions. You've described the lifecycle of a PHP session: pull the session identifier from the request, retrieve the session from storage (you say DB; files are the default), and populate the session var. A session wrapper is good for DI, but I'd assume you're nowhere near unit testing so far. Commented Dec 10, 2013 at 14:31
  • @MarcelKorpel it is you who does not understand. He already knows how to work in PHP; what he wrote is a symbolic representation of what his array contains. Stop pestering :| Commented Dec 10, 2013 at 14:44

1 Answer

Have you thought of using cookies for the last_page info? I'm assuming you do not have to keep everything in $_SESSION. OK, now for the meatball. If safety is a concern, then $_SESSION is ok but not the best. The problem could boil down to:

  • how much security do you need
  • how much are you willing to complicate things for the next-gen maintainers

High security: PHP sessions are saved to accessible files on the server by default; you could mitigate this by having a nicely encapsulated database inside your app. As long as it's a very simple encapsulating class, then you're good to go. Your option 3 is a good solution.

Low security: If you're not willing to put down the KLOCs for your personal $_SESSION implementation, I think you could keep relevant info safe as you have it now, and choose cookies for less important info: last_page is something that is associated to a user but does not identify it, so keep them separated.

  • Option 1 for small projects
  • Option 2 for large projects (I use this method with some convenient and SIMPLE wrapper classes)

From my point of view you are not missing anything; you just have to make a decision and stick with it.


1 Comment

Sure, I'd bet you have an idea already, but if you need any more help, please feel free to ask
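The following is an added example for this thread, not the asker's or the answerer's code. It puts the two ideas discussed above into working PHP: the answer's point about moving session storage from the default files into the database (done with a SessionHandlerInterface implementation, which is exactly the session lifecycle the fourth comment on the question describes), and the asker's option 3, where the session itself carries only the user id and lastPage and everything else is looked up from the database through a small wrapper. It assumes PHP 8.1 or later with the PDO SQLite extension; the table names `sessions` and `users`, the column layout, and the class names `PdoSessionHandler` and `SessionWrapper` are illustrative choices, and the user row is constructed sample data.

```php
<?php
// Added example for this thread, not the asker's or the answerer's code.
// Assumes PHP 8.1+ with the PDO SQLite extension; the table names "sessions"
// and "users" and both class names are illustrative choices.
declare(strict_types=1);

// 1. Session storage moved from the default files into the database. PHP still
//    runs the lifecycle (read at session_start, write at shutdown); only the backend changes.
final class PdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private int $ttl = 1800) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires_at > ?');
        $st->execute([$id, time()]);
        $data = $st->fetchColumn();
        return $data === false ? '' : (string) $data; // unknown or expired id: empty session
    }

    public function write(string $id, string $data): bool
    {
        $st = $this->db->prepare('INSERT OR REPLACE INTO sessions (id, data, expires_at) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time() + $this->ttl]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires_at <= ?');
        $st->execute([time()]);
        return $st->rowCount();
    }
}

// 2. Option 3 from the question: the session holds only the user id and the last
//    page; username and first name are fetched from the users table when needed.
final class SessionWrapper
{
    public function __construct(private PDO $db) {}

    public function login(int $userId): void
    {
        session_regenerate_id(true); // fresh id on login, so a pre-login id cannot be fixated
        $_SESSION['user_id'] = $userId;
    }

    public function logout(): void
    {
        $_SESSION = [];
        session_destroy();
    }

    public function isLoggedIn(): bool { return isset($_SESSION['user_id']); }

    public function rememberPage(string $path): void
    {
        // Accept only a site-relative path, so the post-login redirect cannot leave the site.
        if (preg_match('#^/(?![/\\\\])[^\r\n]*$#', $path) === 1) {
            $_SESSION['last_page'] = $path;
        }
    }

    public function lastPage(): string { return $_SESSION['last_page'] ?? '/'; }

    /** @return array|null the user row, or null when nobody is logged in */
    public function user(): ?array
    {
        if (!$this->isLoggedIn()) { return null; }
        $st = $this->db->prepare('SELECT id, username, first_name FROM users WHERE id = ?');
        $st->execute([$_SESSION['user_id']]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }
}

// 3. Wiring, with an in-memory SQLite database and one constructed user row.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, data TEXT NOT NULL, expires_at INTEGER NOT NULL)');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, first_name TEXT)');
$db->exec("INSERT INTO users VALUES (42, 'alice', 'Alice')");

session_set_save_handler(new PdoSessionHandler($db), true);
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();

$session = new SessionWrapper($db);
$session->rememberPage('/reports/monthly');
$session->login(42);
var_dump($session->user());     // looked up from the users table, not stored in the session
var_dump($session->lastPage());
```

Two design points worth noting. Keeping only the id in the session means a change to a user's name or username takes effect on the next request without touching stored sessions, and nothing user-identifying sits in the session store at all, which is what the "high security" branch of the answer is after. The `rememberPage` check matters because `lastPage` is later used as a redirect target: restricting it to a site-relative path keeps an attacker from planting an external URL in a pre-login session and turning the post-login redirect into an open redirect.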
