Re: [PHP] is it safe to store username and password for mysql connection in session variables?
From: Chris Shiflett (shiflett_at_php.net)
Date: 11/24/03
- Next message: Jay Blanchard: "RE: [PHP] Apache 2.*"
- Previous message: Jay Blanchard: "RE: [PHP] String display issue"
- In reply to: Anders Thoresson: "is it safe to store username and password for mysql connection in session variables?"
- Next in thread: Anders Thoresson: "Re: [PHP] is it safe to store username and password for mysql connection in session variables?"
- Reply: Anders Thoresson: "Re: [PHP] is it safe to store username and password for mysql connection in session variables?"
Date: Mon, 24 Nov 2003 08:03:58 -0800 (PST) To: anders thoresson <listor@thoresson.net>, php-general@lists.php.net
--- anders thoresson <listor@thoresson.net> wrote:
> In the ini-files for my php-projects, I store various settings.
> Two of them are the username and password for my mysql-connections.
>
> Is it safe to load these two into session variables when a user logs
> in to my application?
For the most part, yes, it is fine. Because session variables are
maintained on the server, many risks are not a concern.
However, there are some things to consider. Where is session data stored?
If you are using the default location /tmp and are on a shared server,
session data is pretty easy to access by others who share your server.
Depending on how the server and PHP are configured, they may be able to
browse your home directory as well, so you might be out of luck. :-)
Some have suggested setting such things in the VirtualHost directive of
Apache, thereby creating environment variables. This might be easier to
hide from others on the server.
If it's a dedicated server, there is much less to worry about.
> What I don't understand, and hence the questions, is whether session
> variables are accessible by my website's visitors, or just to the
> php-scripts on the server.
Session variables, barring a compromise of your server, are only available
to users as you make them available. So, as long as your code never
outputs the value you wish to keep hidden, you'll be fine.
Hope that helps.
Chris
=====
Chris Shiflett - http://shiflett.org/
PHP Security Handbook
Coming mid-2004
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp
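The two mitigations Chris mentions (move session data off the shared /tmp default, and pull the credentials from the VirtualHost environment instead of an ini file) look like this in practice. This is an added example, not code from the original thread; the directory path /var/lib/app-sessions and the DB_USER / DB_PASS environment variable names are hypothetical, and it assumes the application runs under its own system user (suPHP, a dedicated php-fpm pool, or similar) so that a 0700 directory actually excludes the other accounts on the box.

```php
<?php
// Added example, not from the original post. Hypothetical names: the
// /var/lib/app-sessions directory and the DB_USER / DB_PASS variables.

// 1. Give this application its own session directory instead of the default
//    /tmp, which every local user on a shared host can list and read from.
$sessionDir = '/var/lib/app-sessions';   // hypothetical path
if (!is_dir($sessionDir)) {
    mkdir($sessionDir, 0700, true);
}
chmod($sessionDir, 0700);                // owner only: no group/world access
ini_set('session.save_path', $sessionDir);
ini_set('session.use_strict_mode', '1'); // refuse session IDs PHP did not issue
ini_set('session.cookie_httponly', '1'); // keep the session cookie away from JS
session_start();

// 2. Load the credentials from the environment the vhost sets, e.g.
//
//    <VirtualHost *:80>
//        ServerName app.example.com
//        SetEnv DB_USER appuser
//        SetEnv DB_PASS correct-horse-battery-staple
//    </VirtualHost>
//
//    With httpd.conf readable only by root, other accounts cannot read the
//    values from the file; they are visible only to scripts in this vhost
//    (via getenv() / $_SERVER, and in phpinfo() output, so never expose that).
$dbUser = getenv('DB_USER') ?: null;
$dbPass = getenv('DB_PASS') ?: null;

// 3. Only now cache them server-side in the session. The values never reach
//    the browser unless some script echoes $_SESSION, which is the one thing
//    the application must never do.
if ($dbUser !== null && $dbPass !== null) {
    $_SESSION['db_user'] = $dbUser;
    $_SESSION['db_pass'] = $dbPass;
}

// 4. Flush the session to disk and verify the file is not readable by others.
$file = $sessionDir . '/sess_' . session_id();
session_write_close();
if (file_exists($file)) {
    $mode = fileperms($file) & 0777;
    if ($mode & 0077) {                  // any group or world bit set
        error_log("session file $file is readable by others (mode "
            . decoct($mode) . ")");
    }
}
```

The directory permission only helps when each site on the server runs as a distinct UID. Under classic mod_php, where every vhost's scripts execute as the same Apache user, a 0700 directory owned by that user is just as readable from another customer's script as /tmp was, which is why the dedicated-server case is so much simpler.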