Are php sessions secure enough for a multi-user system

I am creating a system with several tenants (first time). I am a little worried about this system, because all user details for the application will be stored in one table in the database. When the user logs in, I plan to set the $_SESSION variable containing their clientid and use it to access all their information (all information in the database will have a clientid column).

I see this as the only solution for working with multi-user systems with PHP and MySQL. Is it safe enough, or do I have to choose separate databases for each client? I am worried that if a client can change their $_SESSION['clientid'], say, from “12” to “45”, this means that they will have access to other data.

Is there a better way? Or is this the only way to solve the problem of access to data (PHP and MySQL) in a multi-user system?

+4
1 answer

PHP tracks who is who using sessions, which in turn use cookies to identify server data.

A session cookie looks similar to

PHPSESSID=0f0f0f0f0f0f0f0f0f... (32 hexits, usually)

Session data is stored on the server side, so the user will not be able (easily *) to change their clientid to someone else's. I say easily, because the user can try to adjust the PHPSESSID value and access another server session (but this should take a long time).

You can also use other tactics, such as XSS exploits, to discover other server sessions.

You can search StackOverflow for more information:

To be safe, make sure that you do not output user input without prior sanitization (using HTMLPurifier or htmlspecialchars()) and call session_regenerate_id() whenever you log in / log out or escalate user privileges.

+2
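The flow the question describes (bind the tenant's clientid to the session at login, then filter every query by it) combined with the answer's advice (server-side session data, session_regenerate_id() on login/logout, escaping output), as an added example that is not part of the original question or answer. The table names (users, documents), column names, the DSN and credentials are assumptions for illustration; session_set_cookie_params() with an array argument requires PHP 7.3 or later.

```php
<?php
// Added example, not from the original post: tenant-scoped session handling
// with PHP + MySQL (PDO). Table/column names and the DSN are assumptions.

declare(strict_types=1);

// Harden the session cookie before the session starts.
session_set_cookie_params([
    'httponly' => true,   // JavaScript cannot read the cookie (limits the impact of XSS)
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',  // not sent with cross-site POST requests
]);
ini_set('session.use_strict_mode', '1'); // reject session ids the server never issued
session_start();

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        // Assumed DSN and credentials; replace with your own.
        $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]);
    }
    return $pdo;
}

// Verify credentials; on success bind the tenant id to the server-side session.
function login(string $email, string $password): bool
{
    $stmt = db()->prepare('SELECT id, clientid, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // New session id at the privilege change, so an id issued before login cannot be reused.
    session_regenerate_id(true);
    $_SESSION['userid']   = (int) $user['id'];
    $_SESSION['clientid'] = (int) $user['clientid']; // lives only on the server, never read from the request
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}

// Every tenant-scoped query takes clientid from the session, never from user input.
function currentClientId(): int
{
    if (!isset($_SESSION['clientid'])) {
        throw new RuntimeException('not authenticated');
    }
    return $_SESSION['clientid'];
}

// Fetch one record by id. The clientid condition keeps one tenant from reading
// another tenant's row even when the document id is guessed or tampered with.
function fetchDocument(int $documentId): ?array
{
    $stmt = db()->prepare('SELECT id, title, body FROM documents WHERE id = ? AND clientid = ?');
    $stmt->execute([$documentId, currentClientId()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escape user-controlled data before it is written into HTML, as the answer recommends.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage (assumed request handling):
// if (login($_POST['email'] ?? '', $_POST['password'] ?? '')) { header('Location: /'); exit; }
// $doc = fetchDocument((int) ($_GET['id'] ?? 0));
// echo $doc === null ? 'not found' : '<h1>' . e($doc['title']) . '</h1>';
```

The design point is that the client never supplies clientid: it is derived from the authenticated user row and stored in the server-side session, and every query that touches tenant data repeats the clientid condition. Rotating the session id at login and logout addresses session fixation, and the cookie flags plus output escaping reduce the chance that a session id is disclosed through XSS.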
