Re: To session or not to session


mailings@xxxxxxxxxxxxxxxx wrote:
> Hi all
>
> I have been doing all my design by using POST to transfer user data and GET
> for user changeable variables.
>
> I would like to know what you guys think of using SESSION in production sites.

SESSION is "A Good Thing".

>
> Right now I am giving a trust factor of 80% to POST and 0% on GET.  What trust
> factor should I apply to SESSION?

Why?  Because it's more convenient (easier) to forge GET requests than
it is to forge POST requests?  Either route can get malicious code sent
your way if you aren't careful, but given that most people are lazy, then
yes, POST is less likely to be malformed.

How much would I trust SESSION data?  Probably about the same as POST.
It's not as likely as GET to be abused, but it's still likely to happen.

>
> Should I implement a SESSIONless feature in case SESSION is not available?

First of all, SESSION availability mostly depends on php.ini settings
(it is enabled by default with PHP core).  So for example if you are
requiring COOKIES instead of allowing GET then you will run into some
users that just don't accept cookies.  And, you won't be able to use
SESSION with those users.

If your SESSION infrastructure is a required part of using your site
(e.g. it holds customer information) then you should require all users
to start SESSIONs.  But if the SESSION is storing non-essential
information (e.g. tracking web traffic through your site) then you might
just allow the user to browse without starting a session.

In any case, if you really want I suppose that you could propagate a
SESSION id with hidden POST inputs instead of using COOKIE / GET.

>
> I know the way to php.net for documentation but I'd like advice/opinions of
> real people.
>
> Thanks
>
> Andy Pieters
>


--
Teach a man to fish...

NEW? | http://www.catb.org/~esr/faqs/smart-questions.html
STFA | http://marc.theaimsgroup.com/?l=php-general&w=2
STFM | http://php.net/manual/en/index.php
STFW | http://www.google.com/search?q=php
LAZY |
http://mycroft.mozdev.org/download.html?name=PHP&submitform=Find+search+plugins
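The reply above makes two points that are easier to see in code: input from GET, POST and SESSION should all pass the same validation, and a session id can be carried in a hidden POST field when the client refuses cookies. The following PHP is an added example written for this archive page; it is not code from either poster. The field name `sid`, the regular expressions, and the helper names are constructed for illustration.

```php
<?php
// Added example (not from the original thread): apply one validation
// discipline to GET, POST and SESSION data, and propagate the session id
// through a hidden POST field when no session cookie was sent.

declare(strict_types=1);

// Validate one untrusted value against an allow-list pattern. The same
// function serves $_GET, $_POST and $_SESSION, so the "trust factor" of the
// source never changes how strictly the value is checked.
function validateField(array $source, string $key, string $pattern): ?string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    return preg_match($pattern, $source[$key]) === 1 ? $source[$key] : null;
}

// Start the session. If the browser sent no session cookie but a hidden
// POST field named "sid" (constructed name) carries a well-formed id, adopt
// it only after checking its format. Because an id accepted from the request
// body is exactly what session fixation relies on, rotate the id whenever
// privileges change (see session_regenerate_id below).
function startSessionFromRequest(): void
{
    if (!isset($_COOKIE[session_name()])) {
        // PHP session ids use the characters [A-Za-z0-9,-]; length depends
        // on session.sid_length, so accept a bounded range.
        $sid = validateField($_POST, 'sid', '/^[A-Za-z0-9,-]{22,128}$/');
        if ($sid !== null) {
            session_id($sid);
        }
    }
    session_start();
}

// Emit the hidden input that carries the id back on the next POST.
function hiddenSessionField(): string
{
    return sprintf(
        '<input type="hidden" name="sid" value="%s">',
        htmlspecialchars(session_id(), ENT_QUOTES, 'UTF-8')
    );
}

startSessionFromRequest();

// A user-changeable display preference arrives via GET ...
$perPage = validateField($_GET, 'per_page', '/^(10|25|50)$/') ?? '25';
// ... user-submitted data via POST ...
$query = validateField($_POST, 'q', '/^[\p{L}\p{N} ]{1,64}$/u');
// ... and stored state from SESSION, checked just as strictly, since a
// value written earlier from a request is still request-derived data.
$userId = validateField($_SESSION, 'user_id', '/^[1-9][0-9]{0,9}$/');

if ($query !== null) {
    // On any state change that raises trust (e.g. login), replace the id so
    // a pre-set id cannot survive into the authenticated session.
    session_regenerate_id(true);
    $_SESSION['last_query'] = $query;
}

echo '<form method="post" action="">', hiddenSessionField(),
     '<input name="q" value="">',
     '<input type="hidden" name="per_page" value="',
     htmlspecialchars($perPage, ENT_QUOTES, 'UTF-8'), '">',
     '<button>Search</button></form>';
```

When cookies are available, prefer them over the hidden field and leave `session.use_only_cookies` enabled so PHP never picks an id up from GET on its own; the hidden-field path here only runs when no session cookie arrived, and even then the id is format-checked before use and regenerated on the first trust-raising action.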
