Howdy All, I'm programming a site with PHP and I'm trying to determine if I am using too many session variables. I've read about the evils of session variables vs. the convenience, but I couldn't find any specific numbers on how many concurrent session variables on the web server start to bog it down (I'm speaking generally, I know it will vary with the server specs). I had 4 session variables, but I've whittled it down to just 2: one for the user name and one for the user id. Does anyone have any opinions, experience, or any advice on this? Is 2 still too many? How many sessions does something like vBulletin use? Is using cookies a good alternative to carrying the user authentication as opposed to sessions? Thanks - all replies much appreciated!
Sessions are good, nothing's wrong with sessions at all; they are more secure than cookies, to be honest. As long as you encrypt the data in your session when you need to, like passwords, etc., or even the user name, and do comparisons with another version of it encrypted in the database, you should be fine. Make sure you escape all special characters to be safe, though.
You mean hash, not encrypt ... if it were truly encrypted you wouldn't need to compare anything because the equivalent decrypt function would exist.
You do know you can create custom encryptions no one would know how to decrypt unless shown the source of the encrypted script, right, or you're a pretty damn good hacker? Regardless, it doesn't really matter, encrypted/hashed, you're still not showing the actual value of the session.
PHP:
function cipher( $string, $key = "thesecretkey" ) {
    // repeat the key until it is at least as long as the input, then trim it to the input length
    $key = substr( str_repeat( $key, (int) ceil( strlen( $string ) / strlen( $key ) ) ), 0, strlen( $string ) );
    $cipher = array();
    // XOR each byte of the input with the matching byte of the stretched key
    for( $i = 0; $i < strlen( $string ); $i++ )
        $cipher[$i] = $string[$i] ^ $key[$i];
    return implode( '', $cipher );
}

I'm pretty sure there's nothing you can teach me, after all you can't even be bothered to use the correct terminology ... If you're going to give people help then make it decent help, using the correct words; there's a HUGE difference between hashing and encryption ...
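The routine above is a repeating-key XOR, which is exactly the kind of "custom encryption" the earlier reply had in mind. The following is an added example, not code from anyone in the thread: it reuses that routine on current PHP syntax and runs two checks that show why it is encryption rather than hashing (the same function decrypts) and why it is weak encryption (one known plaintext of key length or longer gives the key back), then contrasts it with a one-way hash compared in constant time. The sample values are constructed for the example.

```php
<?php
// Added example (not from the thread): the posted repeating-key XOR routine,
// rewritten for current PHP ($s[$i] instead of $s{$i}), plus checks that show
// why it is reversible encryption rather than a hash.

function cipher(string $string, string $key = "thesecretkey"): string
{
    // Stretch the key to the length of the input by repeating it, then trim.
    $key = substr(str_repeat($key, (int) ceil(strlen($string) / strlen($key))), 0, strlen($string));
    $out = '';
    for ($i = 0; $i < strlen($string); $i++) {
        $out .= $string[$i] ^ $key[$i]; // byte-wise XOR of input and key stream
    }
    return $out;
}

// 1. XOR is its own inverse: applying cipher() twice with the same key returns
//    the original value, so anyone holding the key (or the script source) can
//    read the "encrypted" session value. A hash has no such inverse.
$plain  = 'alice'; // constructed sample session value
$secret = cipher($plain);
var_dump(cipher($secret) === $plain);

// 2. With a repeating key, a single known plaintext/ciphertext pair at least as
//    long as the key reveals the key stream: plaintext XOR ciphertext == key.
//    Here the key is passed as the ciphertext, which performs exactly that XOR.
$known     = 'administrator'; // constructed: a value that is easy to guess
$observed  = cipher($known);
$keystream = cipher($known, $observed);
$expected  = substr(str_repeat('thesecretkey', 2), 0, strlen($known));
var_dump($keystream === $expected);

// 3. Hashing is one-way: nothing turns the digest back into 'alice'; the only
//    check possible is to hash a candidate and compare, in constant time.
$digest = hash('sha256', $plain);
var_dump(hash_equals($digest, hash('sha256', 'alice')));
var_dump(hash_equals($digest, hash('sha256', 'alicf')));
```

Run it from the command line with `php cipher-check.php`; the first, second and third `var_dump` print `bool(true)` and the last prints `bool(false)`. Check 2 is the practical consequence of check 1: a user name or other predictable field sitting next to its XOR-"encrypted" form is enough to recover the key for every other value protected with it, which is why a one-way hash, or a real cipher with authentication, is the right tool when a stored value must not be readable.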
Thanks for the answers, I feel better about my 2 session variables per user. If you don't mind, I'm not familiar with hashing a session variable; can you explain a little about it? I did a Google search, but did not find too much info on it. Thanks!
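An added example, not part of the thread, of the "hash the secret, store the hash, compare later" pattern the replies describe, applied to a login that afterwards keeps only the two values the original poster mentions (user id and user name) in the PHP session. The function names, the in-memory `$users` table and the sample credentials are constructed for this example; the cookie flags and the session id regeneration are this example's choices, not something the thread states.

```php
<?php
// Added example (not from the thread): hash-and-compare for the password,
// plain server-side session storage for the user id and user name.

// Registration side: the password itself is never stored, only a salted,
// deliberately slow hash of it (bcrypt via PASSWORD_DEFAULT).
function registerUser(array &$users, string $name, string $password): int
{
    $id = count($users) + 1;
    $users[$id] = [
        'name' => $name,
        'pw'   => password_hash($password, PASSWORD_DEFAULT),
    ];
    return $id;
}

// Login side: hash the candidate and compare; nothing is decrypted, because
// the stored value cannot be reversed. Returns the user id or null.
function findUser(array $users, string $name, string $password): ?int
{
    foreach ($users as $id => $row) {
        if ($row['name'] === $name && password_verify($password, $row['pw'])) {
            return $id;
        }
    }
    return null;
}

// Session side: $_SESSION lives on the server and the browser only holds the
// session id cookie, so the id and name themselves need no hashing. What does
// matter is a fresh session id once the user is authenticated (against session
// fixation) and a cookie that scripts cannot read and that only travels over
// HTTPS. The cookie parameters are this example's assumption.
function loginToSession(int $id, string $name): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['user_id']   = $id;
    $_SESSION['user_name'] = $name;
}

// Constructed walk-through.
$users = [];
registerUser($users, 'alice', 'correct horse battery staple');

var_dump(findUser($users, 'alice', 'wrong password'));  // rejected
$id = findUser($users, 'alice', 'correct horse battery staple');
var_dump($id);                                           // accepted

if ($id !== null) {
    loginToSession($id, 'alice');
    var_dump($_SESSION);
}
```

The point for the original question: two session variables are not a load problem in themselves, and they do not need to be hashed, because the browser never sees them. Hashing belongs to the credential stored in the database, where `password_verify()` does the comparison that the replies describe. Run from the CLI the session still starts (it is written to the configured save path), but the cookie parameters only take effect when the script is served over HTTP.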