Why is it good save to save sessions in the database?

PhpPerformanceCodeigniterSessionSecurity

Php Problem Overview

I have seen that codeigniter have facility to save session values in database.
It says saving session in database is good security practice.

But I think saving session information in the database helps improve performance.
They save only a few elements of the session, such as:

CREATE TABLE IF NOT EXISTS  'ci_sessions' (
  session_id varchar(40) DEFAULT '0' NOT NULL,
  ip_address varchar(16) DEFAULT '0' NOT NULL,
  user_agent varchar(50) NOT NULL,
  last_activity int(10) unsigned DEFAULT 0 NOT NULL,
  user_data text NOT NULL,
  PRIMARY KEY (session_id)
);

But if a site uses more session variables such as username, last log in time, etc, I can save them in database and use them in the program.

Do I have to add these columns to the same table? I think saving session information in the database only helps reduce web servers' memory usage (RAM). Can anybody explain in what sense does it improve security.

Php Solutions

Solution 1 - Php

It doesn't improve security in any way.

The most common and reasonable pattern to store sessions in database is when you have several frontend servers, so you need a shared session storage for them.

For downvoters: a file in filesystem isn't less secured than a record in database.

Solution 2 - Php

The idea is that sessions can't be hijacked.

A session ID is stored in a cookie. If a hacker can steal that ID, he can pretend to be someone else, because a session is identified by... it's ID.

By saving a user's session ID, IP and agent server-side (your database for example) you can compare the data saved in the database with the client. If a hacker steals someone's session ID, the hacker just might not have a matching IP and/or user-agent, making the users not match which allows you to show or hide certain content.

You have to compare the data manually though.

Solution 3 - Php

A common security faux-pas with file-based sessions is to store them in /tmp or another shared directory where the data may be accessible to 3rd parties; especially on shared hosts this can be a problem. This can be prevented with proper file permissions though.

Storing them in a database means you have all the access restrictions of the database in place, though that also means you need to configure them correctly and set up the physical storage of the database securely.

It improves performance insofar as the database server has more layers to improve performance through caching and in-memory storage, whereas file based sessions always incur a disk access. Concurrent access can be improved since you can choose other concurrency mechanisms than file locking. If your database server is already busy with regular database work though, additionally throwing session handling at it may or may not be a good idea.

Solution 4 - Php

You don't mention if you use PHP or MYSQL, but saving your session in a database does not give you better performance, in fact quite the opposite.

The default file based session in PHP is much faster than retrieving session values from the database, however you won't really notice the difference until you're processing hundreds of queries per second.

Solution 5 - Php

This is to answer: can I save them in the database and utilize them in the program?

Yes, you can save them in the database,but there is no need to create a separate column for that. It goes into the userdata column.

You can set the username with $this->session->set_userdata('sessionname',session value);

You can retrieve it with $var=$this->session->userdata('sessionname');

Solution 6 - Php

  • The application needs to be able to run on multiple servers without server affinity (methods that direct requests from the same client to the same server). An easy way to make sure that sessions continue to work properly is to store sessions in a central database that is common to all servers.

  • The application needs to be able to run on a shared host, where there are significant security concerns associated with storing session data in the filesystem.

  • The performance needs of the application are very demanding and require a more sophisticated storage solution for session data. There are many existing ideas and methodologies that address database performance issues, and these can be used when sessions are stored in a database.

Reference

Chris, S (2004, 14 Dec). Storing Sessions in a Database. Chris Shiflett Blog. https://shiflett.org/articles/storing-sessions-in-a-database

Categories
Recommended Php Solutions
Recommended Performance Solutions
Recommended Codeigniter Solutions
Recommended Session Solutions
Recommended Security Solutions

Previous Solution:

Is Mongodb Aggregation framework faster than map/reduce?

PerformanceMongodbMapreduceAggregation Framework

Next Solution:

Register comdlg32.dll gets Regsvr32: DllRegisterServer entry point was not found

WindowsDllRegsvr32Common DialogComdlg32

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionkiriappaView Question on Stackoverflow
Solution 1 - PhpzerkmsView Answer on Stackoverflow
Solution 2 - PhpTim S.View Answer on Stackoverflow
Solution 3 - PhpdecezeView Answer on Stackoverflow
Solution 4 - PhpVincentView Answer on Stackoverflow
Solution 5 - PhpGanesh RJView Answer on Stackoverflow
Solution 6 - PhpNikunj K.View Answer on Stackoverflow