kiriappa kiriappa - 1 month ago 8
PHP Question

Why is it good save to save sessions in the database?

I have seen that codeigniter have facility to save session values in database.

It says saving session in database is good security practice.

But I think saving session in database helps to improve performance.

They save only few elements of the session, such as

CREATE TABLE IF NOT EXISTS 'ci_sessions' (
session_id varchar(40) DEFAULT '0' NOT NULL,
ip_address varchar(16) DEFAULT '0' NOT NULL,
user_agent varchar(50) NOT NULL,
last_activity int(10) unsigned DEFAULT 0 NOT NULL,
user_data text NOT NULL,
PRIMARY KEY (session_id)
);


But if a site use more session variable such as username, last logging time, etc, can I save them in database and use them in the program.

If yes, do I have to add these coloum to same table?

I think saving session in database helps only to reduce web servers's memory usage (RAM).

And can anybody explain in what sense it does improve security.

Answer

It doesn't improve security in any way.

The most common and reasonable pattern to store sessions in database is when you have several frontend servers, so you need a shared session storage for them.

For downvoters: a file in filesystem isn't less secured than a record in database.

Comments