are the &quot;session vars&quot; risky?

are the "session vars" risky?

tamayo

Hi, I'm coding an app using LAMP, at this moment several importants data are stored in "session vars - $_SESSION-" such as: current user, target data to use in search function, id of some items, etc; and I was wondering if the use of these kind of session vars could be dangerous to my app, specially in security reasons, like XSS, sniffers and some other hacking techniques, so, my question is:

the use of session vars is a bad coding practice?, are they safe?, the tunning of apache server helps to decarease the risk?

regards

NogDog

Much of your answer depends on your web hosting and how you implement them. Sessions can be quite secure if you follow some precautionary techniques. However, shared hosting environments add some problems in that there exists the possibility that other accounts on that host might be able to read your session data. Some of this risk can be mitigated via a number of methods, including using the database to store session data instead of the file system. But realistically, if security is important to your site, then you should not be on a shared host in the first place.

Anyway, for more info, take a look at the session-related articles on Chris Shifflet's "Articles" page, or consider buying his book, Essentional PHP Security.