Opinion on forms -> sessions 1


alfalf (Programmer, joined Mar 6, 2003, 155 messages, location: BA)

Hello.

I just wanted an opinion (or more) about something with PHP/sessions/security.

I have a registration form. First I developed it, with passing values (to the processing PHP script) with the post method ($_POST).

Then, in parallel with that, I developed a small class to handle my sessions with a MySQL database, as I need to handle my future user sessions :-).

Then it occurred to me that I could also use sessions to pass values through registration forms (the registration process). And I made that solution (also added a reg_session database, in order not to mix it with my future user_session database). And I stored those values (from the forms) in the session data column ($_SESSION). This stuff works all fine and good. Both.

Then, there's the fact that I'll have a certificate installed, once I finish this, and will use the SSL protocol/port for secured transmission and perhaps PEAR to encrypt some data (if I find that necessary).

So now, having in mind that I'll use SSL, what is the more secure solution -> to pass values through the registration process with $_POST or via session data with $_SESSION (data stored NOT in files but in a MySQL database)?
Also, if I pass data with $_SESSION -> I don't have to use hidden fields for saving that data on another form... (e.g. first the records form, then the "I Agree" form or something like that).

I assume that sessions through registration are not an uncommon thing. Still, my question remains: what is more secure?

Thanks for any suggestions, opinions or experience.
 
My take has always been that if you transmit data to the client and back (as in with hidden fields in a form), then it's pretty easy to view the source HTML of the page and tinker with things.

With sessions, the only thing stored on the client side is an index to where the data is stored -- the actual data is on the server. It's possible to tinker with the session cookie's value, but since PHP assigns non-contiguous values to different users' session ids, it is harder to find another session id that will work.

Want the best answers? Ask the best questions: TANSTAAFL!!
 
Thanks! Smart! :-)
 
And if you want to use hidden fields, then another option is to use encrypted data.

Let's say you have a userid with value 4 as a hidden field. Then in the usertable also make a userkey. The userkey is, for instance, encrypted with md5.

You can use the userid and concat that with, for instance, a timestamp or another key, and encrypt that.

In the form you can refer to the userkey instead of the very likely or already known userids.

 