1

Is it correct to use $_SESSION to save data for the login system on my web pages? I have read that session data is stored on the server side. Therefore, will my client be safe when they log in on my web site, on a page which uses the session to save data?

UPDATE

My knowledge of PHP is not very large and my English still needs to be improved. But I have read a book which talks about $_SESSION to build a form. So I thought, will the forms be built with array $_SESSION? (This is an array, right?)

Edgar Oliveira
  • Hi, welcome to SO. Please be precise with what you are asking. This is not the kind of question which will be answered here. I can help you with this topic because I had this problem/question as well. But you need to be more specific. What do you want to save, where do you want to save the info, what is the purpose, which requirements do you have, what have you tried so far, and so on :) – JRsz Jan 27 '16 at 11:51
  • @JRsz, is the update good for you? – Edgar Oliveira Jan 27 '16 at 12:03
  • There are a lot of login-form examples with PHP and SESSION. Have you read them and tried them out? – etalon11 Jan 27 '16 at 12:11
  • @etalon11 No, I have read about SESSION in a book about PHP and MySQL. In this book the example uses SESSION to build the form. But how should I use SESSION for the login form? – Edgar Oliveira Jan 27 '16 at 12:14

4 Answers

0

You shouldn't store user credentials (username and password) in the session, and here is why: "Is it secure to store a password in a session?"

Other than that, please elaborate on what exactly you want to store in the session.

Mahmoud Tantawy
0

You can save whatever you want inside the $_SESSION variable.

But you should never save user credentials (if you do not hash them)!

The client (browser) only saves the cookie, referencing the $_SESSION object (PHP handles this for you), so no data will be sent to the client and it is therefore secure.

Mijago
  • OK, then do I use the cookie to save user credentials? So the $_SESSION object is safe for that, but are cookies better? – Edgar Oliveira Jan 27 '16 at 12:02
  • No! The cookie is set automatically by the server. **You** just use the `$_SESSION` object to store information and do not touch the cookie for this case. – Mijago Jan 27 '16 at 12:36
0

You can save any kind of data in a session. You will need to initiate the session first by using the session_start() function before throwing any output to the client. After that you can save any data in the session, something like:

```php
$_SESSION['login'] = 'saurabh@example.com';
```

To access this session data, you just need to start the session first and then call the session global variable with the appropriate key. See the reference below.

To create a session

```php
session_start(); // must be called before any output is sent
$_SESSION['login'] = 'saurabh@example.com';
```

To access session data

```php
session_start(); // resumes the session named by the client's cookie
echo $_SESSION['login'];
```

That's it

codersrb
0

$_SESSION is a global array in PHP which is always present if you have called session_start() at the beginning of each file. It is indeed an array and it can store anything you tell it to, like whether somebody is logged in:

```php
$_SESSION["isLoggedIn"] = 1;
```

It makes sense to store some variables in this array, but information like password hashes or passwords should NOT be saved in this array. They should in general not be saved anywhere except salted and hashed inside a database.

I do not see what this has to do with forms, but if you have a form there is no need to use this session array. Maybe if the form varies depending on some user specific information. Saving user specific information for each user inside this array is actually what it is supposed to be.

"So I thought, will the forms be built with array " - I do not understand what you mean by this. $_SESSION stores information and does not create forms...

EDIT: If you want a user to log in and to stay logged in each time he makes a new request to your server (until he logs out or the session expires) you should definitely use the $_SESSION superglobal array. It is said to be pretty secure (if you use it properly of course).

JRsz
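An added example, not taken from any of the answers above, of the pattern they describe: the password is checked against a hash, and the session holds only a user ID and the isLoggedIn flag, with the session ID regenerated at login. The user table, e-mail address, password and the function names login, currentUserId and logout are constructed for illustration; the cookie_samesite option needs PHP 7.3 or later.

```php
<?php
// Added example: the user table, address, password and function names are constructed.
declare(strict_types=1);

// Stand-in for a users table: it holds a salted hash, never the password itself.
$users = [
    'edgar@example.com' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

// Must run before any output. The cookie carries only the session ID.
session_start([
    'cookie_httponly' => true,   // cookie is not readable from JavaScript
    'cookie_secure'   => true,   // cookie is sent over HTTPS only
    'cookie_samesite' => 'Lax',  // PHP 7.3+
    'use_strict_mode' => true,   // reject session IDs the server did not issue
]);

function login(array $users, string $email, string $password): bool
{
    $user = $users[$email] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;                     // nothing is written to the session
    }
    session_regenerate_id(true);          // fresh ID at login; the old one is deleted
    $_SESSION['user_id'] = $user['id'];   // an identifier, not the credentials
    $_SESSION['isLoggedIn'] = 1;
    return true;
}

function currentUserId(): ?int
{
    return !empty($_SESSION['isLoggedIn']) ? (int) $_SESSION['user_id'] : null;
}

function logout(): void
{
    $_SESSION = [];      // clear the data held for this request
    session_destroy();   // remove the server-side session record
}

// Results are collected first: output sent before session_regenerate_id() would block it.
$rejected = login($users, 'edgar@example.com', 'wrong');
$before   = currentUserId();
$accepted = login($users, 'edgar@example.com', 'correct horse');
$after    = currentUserId();
logout();
var_dump($rejected, $before, $accepted, $after);
```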