I've been using sessions for my website login but don't actually seem to be able to get my head round the data and content of it!

For example... if I'm using a session that holds the username of the member, which is used to identify and check access and who is logged in, then what do we need to do with that username data, as surely it isn't secure from hackers gaining access if it is in text form?

I've heard a lot that passwords should not be stored in them, which I haven't done, but I am worried that having a simple username session isn't going to protect my members area or the members' account area.

Is it worth setting multiple sessions with, say, the DOB/username and a random number that is saved into the database to identify the user?

What should I be setting in my session, and what is the chance, if I only use the username, that someone will be able to hack it or at least gain access by pretending to be the authenticated session?


Hope this makes sense? lol


Session data holds whatever you want it to.

Client side, there's only a random token that can be "stolen" by hackers. Server side, while it's possible for them to steal your session data if they can break into the server, you've probably got more to worry about. For example, they could read your php.ini file, or your config file, and obtain the MySQL username and password. Then they've got access to pretty much everything!

Normally you don't need to store the password. In fact, usually you'd only store the id of the row of the user. That's enough to identify the user, and for you to query the database for information based on that id number.

The super global $_SESSION is used to store session data that you need. For example, normally all you'd need to store is something like this:

$_SESSION["id_of_user"] = 123;

and when you need to query the database for information about the user, you'd refer back to that variable.

$sql = "SELECT * FROM users WHERE id = '" . mysql_real_escape_string($_SESSION["id_of_user"]) . "'"; // quote the escaped value: escaping only protects a value that sits inside quotes
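As an added illustration of the answer above (not code from the original thread), this is what a minimal PHP login and members-area guard looks like when the session holds only the user's row id. It assumes a PDO connection `$pdo` and a hypothetical table `users(id, username, password_hash)` whose hashes were made with `password_hash()`; the table and column names are assumptions.

```php
<?php
// Added example, not from the original thread. Assumes $pdo (PDO) and a
// hypothetical table users(id, username, password_hash).
session_start();

// Called once credentials have been submitted. Stores only the user's row id.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash for unknown users so the timing of a failed
    // login does not reveal whether the username exists.
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }

    // Issue a fresh session id on login so a token set before authentication
    // cannot be reused (session fixation), then keep only the row id.
    session_regenerate_id(true);
    $_SESSION = ['id_of_user' => (int) $row['id']];
    return true;
}

// Call at the top of any members-only page; returns the user's row or redirects.
function currentUser(PDO $pdo): array
{
    if (empty($_SESSION['id_of_user'])) {
        header('Location: /login.php');
        exit;
    }
    // Prepared statement: the id from the session is never concatenated into SQL.
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->execute([(int) $_SESSION['id_of_user']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {          // account removed since login: drop the session
        session_destroy();
        header('Location: /login.php');
        exit;
    }
    return $user;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```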

Use a session if you want a certain value to propagate throughout the pages, like the user id. Sessions are usually used to store the id of the user so that the system can track and identify the user accessing the page.