All geek questions in one place

What things should be kept at the SESSION, and what should not be?

I gave one example of why this question appears in my head: Suppose I create a PDOstart class that extends the PDO class. In the "PDOstart" class, all the variables necessary for PDO are defined in a private section (for example, host, user, password and ect). Thus, it is very easy to use the PDO class, for example:

$con = new PDOstart(); $con->query("SELECT ... ");

Since I only use one database on my web page, I'm starting to think, why not add a PDOstart object to SESSION? for example: $_SESSION['db'] = $con; ? Therefore, I do not need to do a “new PODstart” on every page. But I'm not sure this will be a good idea ...

Is there something I should avoid adding to $ _SESSION (for security or performance)?

+4
source share
3 answers

so every time a page loads, you know that it uses browsing, metadata, such as time intervals from page change (Bot detection), local information, user template selection. all that is required for this session.

As you said $con , let me explain something.

There are several type variables in php, and the main ones are:

  • strings
  • boolean's
  • Integer in
  • objects
  • arrays
  • Resources

Now you can store all of them in sessions, except for resources, since there are such things as file descriptors, connections to external objects that open only while the page is being processed by PHP, and then closes.

others are fine, since they are stored in memory and static as such, they will not change unless you programmatically change them.

The main tasks you should keep in your session are

  • GUID So that you can track what the user has registered.
  • Flash data . Therefore, if you redirect, you can display an error message on another page.
  • Browser data so that you can compare that the browser you are currently viewing is the same as the last one, so you can kill a security session.

Things like database data, such as user strings, should not be stored in the session, and you should create a separate caching mechanism for this.

+6
source

You can save your PDOstart class in a session if you remember this:

  • When you execute $ _SESSION ['key'] = $ obj, you are actually serializing the object (assuming that the php session handler is executed by default when the data is reset).
  • When you do this with a “resource”, such as connecting to a database, there is a chance that the connection will not be saved.
  • To get around such cases, php has __sleep and __wakeup magic methods

I would suggest that your PDOstart class will provide a connection to PDO in both __construct and __wakeup, doubling complexity.

However, there is another reason not to do it this way: a session can leave at any time, so you should not rely on any information. Of course, you can set up a protection that will reinitialize everything, but this again adds unnecessary complexity.

There is no golden rule (at least I know) that explicitly states that you should keep as little information as possible in your sessions, but this seems to be a fairly common approach. I would keep the user id and probably access token. There is not much stopping you from doing it differently.

In terms of security, such use should not be of much importance, since the session is generally secure. They were never really, but that's a completely different topic.

Short answer: good things to store - user ID, bad things to store - everything else.

+1
source

In addition to the good RobertPitt response, you really need to add an autoloader if you start storing objects in a session. If the class of your object is not available, you will get a standard broken object if you do not have an autoload mechanism for loading classes.

Then, depending on how your session is stored, you must be careful about the size that they take. let's say you store it on a very fast disk or in memcached service, you don’t have to worry too much about this file being read for every request of your user. If you have slow input on your hard drive, be careful. Now, if you store your session in a database, you can take care of the insert / update / delete rhythm in the session table, some databases (think of MySQL) are not very rich when handling high write load in one table.

In terms of security, you don’t have to worry too much about session storage like on a server. At least if you (the administrator) use disk storage, you must make sure that all processed applications do not use the same directory to store the session, if no weaker application determines your level of security for the sessions.

0
source

Source: https://habr.com/ru/post/1335065/

More articles:


All Articles