security - PHP - Storing session username or ID preferred?
I'm wondering, in a PHP session, is it preferred to store a session variable containing the logged-in user's ID or username?
At the moment it stores the username, whereas the ID might be safer because potential "hackers" may not know what the user ID correlates to?
PHP sessions work by giving "opaque" cookies to users - that is, the cookie is a number, and the actual data is stored on the server. When the user sends the session cookie, PHP looks the number up in a table to retrieve the data you've stored for the user.
This means it is impossible, without access to the server, for someone listening on the network to figure out what the session cookie means. You need the table stored on the server. It doesn't matter if you store the ID number or the username in the session: if they have enough access to see what's in the session, they can get the username based on the ID number anyway.
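The split described in the answer above, as an added example that is not part of the original answer: a PHP CLI script showing what is sent to the client versus what stays on the server. It assumes PHP's default `files` session handler; the temporary directory name and the user ID 42 are constructed for illustration.

```php
<?php
// Added example, not from the original post. Run with the PHP CLI.
// Assumes the default "files" session handler; user ID 42 is a constructed value.

// Use a private, throwaway directory as the server-side session store.
$dir = sys_get_temp_dir() . '/sess_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
session_save_path($dir);

// "Login" request: the application stores the user ID server-side.
session_start();
$_SESSION['user_id'] = 42;
$sid = session_id();
session_write_close();

// What the browser receives: only the cookie name and a random identifier.
$cookie = session_name() . '=' . $sid;

// What stays on the server: the serialized session data, keyed by that identifier.
$stored = file_get_contents("$dir/sess_$sid");

// Next request: the client presents the identifier and PHP looks the data up.
session_id($sid);
session_start();
$userId = $_SESSION['user_id'];

// Clean up the demo session and its directory.
session_destroy();
rmdir($dir);

// Output is printed last so that both session_start() calls run before any output.
echo "Sent to client: $cookie\n";
echo "Kept on server: $stored\n";
echo "Looked up on next request: user_id=$userId\n";
```

The cookie value carries neither the ID nor the username, so the choice between them only matters to someone who can already read the server-side store.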