Setting the session id variable from an SQL database; is it safe?

Is it dangerous to use user_id in my SQL table as a session id? Is this usually done by PHP developers?


In addition, I have tried countless times to save the session id as the user id:

    include('profile/core/init_inc.php');
    $_SESSION['uid'] = $user_id;
    header("Location: profile/edit_profile.php");

and in my init_inc:

    function fetch_user_info($uid) {
        // Cast to int so the interpolated value cannot carry SQL.
        $uid = (int)$uid;
        // Column and table names must be quoted with backticks: in single
        // quotes 'user_id' is a string literal, and FROM 'users' is a syntax
        // error, so mysql_query() returns false and nothing is fetched.
        $sql = "SELECT `user_id` AS `id`, `username`, `user_firstname` AS `firstname`,
                       `user_lastname` AS `lastname`, `user_about` AS `about`,
                       `user_email` AS `email`
                FROM `users` WHERE `user_id` = {$uid}";
        // Legacy mysql extension (removed in PHP 7); mysqli or PDO replace it.
        $result = mysql_query($sql);
        return mysql_fetch_assoc($result);
    }

If I have `$_SESSION['uid'] = 90;` after logging in, the information (test@test.ca) is displayed after you log on.

So my question is: is it safe to store the session id as user_id, and why, when I try to do this, doesn't it work?

+4
1 answer

A few things:

1.) A session ID should not be a constant value for a specific user. This is a security breach. The session ID must change every time. Ideally, it should be a random value.

2.) It does not look like you are setting a session ID. You are setting a session variable called "uid".

3.) Have you ever called session_start()?


Although I really do not recommend setting the session identifier to a constant value, you can set the session ID using the session_id() function:

    // session_id() only takes effect when called before session_start().
    $session_id = "some_random_value";
    session_id($session_id);
    session_start();

But, as I said, this should not be the user ID. You can save the user ID as session information and check, when the user loads the page, whether they are logged in:

    session_start(); // must run before $_SESSION is read or written

    if (isset($_SESSION["user_id"])) {
        // user is logged in
        $user_id = $_SESSION["user_id"];
    } else {
        // make the user log in (result_of_login() stands for your own login routine)
        $user_id = result_of_login();
        $_SESSION["user_id"] = $user_id;
    }

For more information on PHP sessions, see the documentation.

+2
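The pattern the answer describes, as an added example that is not code from the question or the answer: the session ID stays random and is regenerated at login, only the user ID is stored as session data, and the user lookup uses a prepared statement instead of interpolating the ID. It assumes a PDO connection in $pdo and a `users` table with the columns from the question plus an assumed `password_hash` column.

```php
<?php
// Added example, not from the original post. Assumes $pdo is an open PDO
// connection and `users` has `user_id`, `username`, `password_hash` and the
// profile columns used in the question (assumed schema).
declare(strict_types=1);

function start_secure_session(): void {
    ini_set('session.use_only_cookies', '1'); // never accept IDs from the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,   // send the cookie over HTTPS only
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT user_id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Fresh random session ID for the authenticated session; the pre-login
    // session file is deleted, so an ID known before login is worthless now.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int)$row['user_id'];
    return true;
}

function current_user_id(): ?int {
    return isset($_SESSION['user_id']) ? (int)$_SESSION['user_id'] : null;
}

function fetch_user_info(PDO $pdo, int $uid): ?array {
    // Bound parameter: the ID never becomes part of the SQL text.
    $stmt = $pdo->prepare(
        'SELECT user_id AS id, username, user_firstname AS firstname,
                user_lastname AS lastname, user_about AS about, user_email AS email
         FROM users WHERE user_id = ?'
    );
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function logout(): void {
    $_SESSION = [];
    session_destroy();
}
```

A page that needs the profile calls `start_secure_session()` first, then `current_user_id()`, and only passes a non-null result to `fetch_user_info()`.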

Source: https://habr.com/ru/post/1439510/
