Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why is it good save to save sessions in the database?

Tags:

performance

security

php

session

codeigniter

I have seen that codeigniter have facility to save session values in database.
It says saving session in database is good security practice.

But I think saving session information in the database helps improve performance.
They save only a few elements of the session, such as:

CREATE TABLE IF NOT EXISTS  'ci_sessions' (
  session_id varchar(40) DEFAULT '0' NOT NULL,
  ip_address varchar(16) DEFAULT '0' NOT NULL,
  user_agent varchar(50) NOT NULL,
  last_activity int(10) unsigned DEFAULT 0 NOT NULL,
  user_data text NOT NULL,
  PRIMARY KEY (session_id)
);

But if a site uses more session variables such as username, last log in time, etc, I can save them in database and use them in the program.

Do I have to add these columns to the same table? I think saving session information in the database only helps reduce web servers' memory usage (RAM). Can anybody explain in what sense does it improve security.

like image 898
kiriappa Avatar asked Dec 17 '12 09:12

kiriappa

People also ask

Why do we store sessions in database?

To avoid the potential problem of an attacker using JavaScript to modify a cookie that affect session data, you can store the session data in a database that you create. Then, the session data is passed back and forth between the application and that database.

How should sessions be stored?

Structure of a session The session can be stored on the server, or on the client. If it's on the client, it will be stored by the browser, most likely in cookies and if it is stored on the server, the session ids are created and managed by the server.

What are database sessions?

A database session represents an application's dialog with a relational database. This chapter is a comprehensive reference for database sessions in TopLink. It describes the fundamental concepts required to connect to the database and to perform queries as well as optional and advanced session and query properties.

Where are session IDs stored?

Session identifiers can be stored in cookies, localStorage, and sessionStorage. Session identifiers can be sent back to the server via cookies, URL params, hidden form fields or a custom header. Additionally, a server can accept session identifiers by multiple means.

4 Answers

It doesn't improve security in any way.

The most common and reasonable pattern to store sessions in database is when you have several frontend servers, so you need a shared session storage for them.

For downvoters: a file in filesystem isn't less secured than a record in database.

like image 61
zerkms Avatar answered Oct 08 '22 06:10

zerkms

The idea is that sessions can't be hijacked.

A session ID is stored in a cookie. If a hacker can steal that ID, he can pretend to be someone else, because a session is identified by... it's ID.

By saving a user's session ID, IP and agent server-side (your database for example) you can compare the data saved in the database with the client. If a hacker steals someone's session ID, the hacker just might not have a matching IP and/or user-agent, making the users not match which allows you to show or hide certain content.

You have to compare the data manually though.

like image 26
Tim S. Avatar answered Oct 08 '22 08:10

Tim S.

A common security faux-pas with file-based sessions is to store them in /tmp or another shared directory where the data may be accessible to 3rd parties; especially on shared hosts this can be a problem. This can be prevented with proper file permissions though.

Storing them in a database means you have all the access restrictions of the database in place, though that also means you need to configure them correctly and set up the physical storage of the database securely.

It improves performance insofar as the database server has more layers to improve performance through caching and in-memory storage, whereas file based sessions always incur a disk access. Concurrent access can be improved since you can choose other concurrency mechanisms than file locking. If your database server is already busy with regular database work though, additionally throwing session handling at it may or may not be a good idea.

like image 9
deceze Avatar answered Oct 08 '22 08:10

deceze

You don't mention if you use PHP or MYSQL, but saving your session in a database does not give you better performance, in fact quite the opposite.

The default file based session in PHP is much faster than retrieving session values from the database, however you won't really notice the difference until you're processing hundreds of queries per second.

like image 5
Vincent Avatar answered Oct 08 '22 07:10

Vincent
Sign in to Comment

Related questions

Get the string after a string from a string
Detect if any kind of IE (MSIE) [duplicate]
Void as return type
New reCaptcha with jQuery Validation Plugin
How to redirect to another page using PHP
Laravel 5.4 redirection to custom url after login
PHP - Get array value with a numeric index
What's the best way to get the fractional part of a float in PHP?
How to generate in PHP all combinations of items in multiple arrays
How do you strip out the domain name from a URL in php?
C#'s null coalescing operator (??) in PHP
Send array with Ajax to PHP script
How can I get PHP to produce a backtrace upon errors?
PHP: maximum execution time when importing .SQL data file
What is the difference between <> and != [duplicate]
Relative path not working in cron PHP script
Serializing and submitting a form with jQuery and PHP
CakePHP: Find where field is not null
Laravel preg_match(): No ending delimiter '/' found
php array_push() -> How not to push if the array already contains the value

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!