
Setting session ID variable from SQL database; is this safe?

Is it unsafe to use the user_id in my SQL table as the session ID? Is this normally what PHP developers do?


(source: sockface.com)

Also I’ve tried countless times to store the session id as the user id

in my init_inc

If I have $_SESSION['uid'] = 90; it will display test@test.ca info here after you log on

So my question is: is it safe to store the session ID as the user_id, and when I try to do it, why isn’t it working?


Answer

A couple things:

1.) A session ID should not be a constant value for a particular user. That is a security violation. The session ID should change every once in a while. Ideally, it should be a random value.

2.) It doesn’t look like you are setting the session ID. You are setting the session variable called “uid”.

3.) Did you ever call session_start()?


Despite the fact that I really would not recommend setting a session ID to a constant value, you can set the ID for a session using the session_id() function:

But like I said, this should not be the user’s ID. You can store the user’s ID as session information, and check that when the user loads a page to see if they are logged in.

More information on PHP sessions in the session documentation.

User contributions licensed under: CC BY-SA
9 People found this is helpful
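
The pattern the answer describes, as an added example that is not part of the original answer: PHP issues the random session ID, the user's ID is kept as session data under uid, and the session ID is regenerated at login. The find_user_id helper and its in-memory user record are constructed stand-ins for the poster's SQL lookup, and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

function find_user_id(string $email, string $password): ?int
{
    // Constructed record (assumption); a real lookup would query the users table.
    static $users = null;
    $users ??= ['test@test.ca' => [
        'id'   => 90,
        'hash' => password_hash('demo-password', PASSWORD_DEFAULT),
    ]];
    $row = $users[$email] ?? null;
    return ($row !== null && password_verify($password, $row['hash'])) ? $row['id'] : null;
}

function start_session(): void
{
    // PHP generates the random session ID; strict mode rejects IDs it did not issue.
    session_start([
        'use_strict_mode' => true,
        'cookie_httponly' => true,
        'cookie_samesite' => 'Lax',
    ]);
}

function log_in(int $userId): void
{
    // Issue a fresh random ID at login and delete the old session data.
    session_regenerate_id(true);
    // The user's ID is stored as session data; it is never the session ID itself.
    $_SESSION['uid'] = $userId;
}

function current_user_id(): ?int
{
    // Checked on every page load to decide whether the visitor is logged in.
    return isset($_SESSION['uid']) ? (int) $_SESSION['uid'] : null;
}

// Demo run (works from the CLI as well as under a web server).
start_session();
$anonymousId = session_id();
$uid = find_user_id('test@test.ca', 'demo-password');
if ($uid !== null) {
    log_in($uid);
}
printf("logged in as uid %s\n", var_export(current_user_id(), true));
printf("session ID changed at login: %s\n", var_export(session_id() !== $anonymousId, true));
```

On a site served over HTTPS, also set cookie_secure to true in the session_start options so the session cookie is never sent in clear text.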