PHP user sessions

I'm bit confused. I've been building my sites with my own session system, but i'm not sure how secure the php's own session system is. My session syste开发者_StackOverflow社区m usually just has user id and quite harsh hash, which does not include user name or password for generation. I save the hash in the user database and as a cookie to confirm the user session on every page load. So my question is can i trust php sessions or keep using my own?

PHP saves a unique session id in a cookie, and all values related to the session in it's own text file on the server. You have to get the session id to steal the session, which means you have to steal the session cookie from the victim's computer. PHP's own system is at least as safe as your homebuilt system

The difference may be how hard it is to find an active session by brute force. That is entirely up to the hashing algorithm and the random number generator.

You can configure PHP to use different hashing algorithms or you could even use your own algorithm to create the session ids for PHP's session system if you don't trust PHP to do it properly.

Storing data in cookies versus using PHP's sessions is very different. Cookies store data on the client-side; sessions store data server-side, which has a number of benefits:

• The user can't see it
• The user can't modify it
• The browser doesn't need to send the data to the server with every request

Normally PHP sessions do store the session key as a cookie (although they don't have to), but none of the data you actually care about is ever sent to the user, it's stored on the server and looked up using the session key

i'm not sure how secure the php's own session system is

And the rest of the world is not sure how secure your's is. A lot of people have looked at the session handler in PHP and not found any flaws in implementation. Its also well characterizied and integrated but supports the notion of user defined handlers.

I'd recommend using the standard session code - but you might want to write your own handler functions.

C.