I'm writing a project where after registration I save id
of ea开发者_Go百科ch client in session
.
As I know, session
stores data on server side, so it seems to be secured. But I've seen many times when session variables stored in hashed form.
So, why do they do it?
Thanks much
In most cases the contents of $_SESSION is safe. I have looked at a lot of applications and I haven't seen this practice of hashing arbitrary data. Sometimes values like CSRF tokens are stored and often times these are hash'ed values. PHP generates the session id (cookie value) using a hash function, but this is just a random number. It maybe possible for an attacker to access the session files usually stored in /tmp/. This can be done with SQL Injection using MySQL's load_file()
or using directory traversal. Sometimes it is possible to access other user's session information in a shared hosting environment. Most developers do not take this attack into consideration.
Using a hash isn't always security related. One of the original uses of hashing was to create a quasi-unique fingerprint for a file so you can ensure it is really the file you wanted to have. If you want to store some big chunk of data in a session, but lateron only need to compare to it, never know the exact content, hashing may save you space on your hard drive and time performing the compare operation.
精彩评论