shaunysj — 2012-07-13T12:53:03-04:00 — #1
Let's say my login.php uses sessions to store the variables.
I set my session in this way:
$userId is retrieved from the database.
$_SESSION['userid'] = $userId;
An example user ID of 1 logged in will look like this: $_SESSION['userid'] = 1;
Will this cause any security problems? (Let's not talk about the deep part; is it even secure enough against basic hacking?)
Is there any relation to the session cookie or ID (which can be hijacked based on other websites, say)?
Can anyone please kindly explain this to me? A simple and easy one please, ty
wwb_99 — 2012-07-20T07:46:28-04:00 — #2
If you are not running over SSL, it is very easy to hijack a PHP session. So, yes, there are some dangers. If you create a digest hash of a few things then you can guard against that to some extent.
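The digest check suggested in the post above, combined with HTTPS-only cookie flags and a fresh session ID at login, as an added example that is not code from the thread. The function names, the `$serverSecret` parameter and the choice of the User-Agent header as digest input are assumptions (the post only says "a few things"); the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example, not from the thread. Function names, $serverSecret and the
// use of User-Agent as the digest input are assumptions for illustration.

function start_secure_session(): void
{
    session_set_cookie_params([
        'secure'   => true,   // session cookie is only sent over HTTPS
        'httponly' => true,   // cookie is not readable from JavaScript
        'samesite' => 'Lax',  // cookie is not attached to cross-site POSTs
    ]);
    ini_set('session.use_strict_mode', '1'); // reject IDs the server never issued
    session_start();
}

function client_fingerprint(string $serverSecret): string
{
    // Keyed digest of a request attribute that should stay constant per client.
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $ua, $serverSecret);
}

function log_user_in(int $userId, string $serverSecret): void
{
    session_regenerate_id(true);   // new ID at login; the pre-login ID is destroyed
    $_SESSION['userid'] = $userId; // stored server-side; the browser only holds the ID
    $_SESSION['fingerprint'] = client_fingerprint($serverSecret);
}

function current_user_id(string $serverSecret): ?int
{
    if (!isset($_SESSION['userid'], $_SESSION['fingerprint'])) {
        return null; // nobody is logged in on this session
    }
    if (!hash_equals($_SESSION['fingerprint'], client_fingerprint($serverSecret))) {
        // Same session ID, different client attributes: drop the session.
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return (int) $_SESSION['userid'];
}
```

The value in `$_SESSION['userid']` never leaves the server, so what needs protecting is the session ID in the cookie. The digest check only guards "to some extent", as the post says, because the User-Agent header travels on the same connection as the cookie; HTTPS is what protects the ID in transit.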
jeet25 — 2012-07-21T04:06:58-04:00 — #3
Use an md5 hash to encrypt the value and store it.
shaunysj — 2012-07-21T04:11:38-04:00 — #4
Thanks for the reply, guys! So you mean I should $_SESSION['userid'] = md5($userId); ?
Will sha1 be a better choice? Since md5 can be easily cracked.
I thought session variables are stored somewhere on the server? Is there still a chance to hijack it?