how reliable is session in PHP

I am working on an ajax application just wondering how much reliable sessions are in terms of security.

Can I rely on session as User Identification and let them change they are password without asking开发者_如何学Go for current password?

1. Just dont save sensitive data in sessions. They are also not very reliable in terms of "existence" ;)
2. Dont let anybody change a password without providing the current one. Imagine you just leave your computer and somebody change the password "for you".

I am not sure what you mean by how much reliable sessions are in term of security.

But, regarding your other question, I would never allow a user to change his/her password without providing current one. The reason is simple: if I sit down on a computer with an authenticated session, I will be able to change password without actually owning that account.

Sessions are stored server-side, so they are as secure as possible. That said, there is still the chance that someone will steal the unique session key for your site which then would give them full access to the user's account, but that is just the issue with storing stuff client-side.

You could do the second thing, but you could always do that even without a session ... so I'm not sure where you are going with that. Putting in the current password is just for additional security measures / verification.

Session uses a cookie. That cookie is vulnerable to all cookie-based attacks. Including firesheep style attacks.

You can change how PHP does cookies to only send them over SSL (Https). That helps, but doesn't prevent an attack that has access to that same machine from gaining access.

It is always a good idea to re-authenticate on password replacement. Just like you should never show a user their whole credit-card number, or SSN.

Passwords shoud be always encoded so I not see why you have to store it in session password is reqired only one time when you logging to the page and then save some info in session saying user is signed maybe userid..