Re: [PHP] is it safe to store username and password for mysql connection in session variables?

2003-11-24 Thread Chris Shiflett
--- anders thoresson [EMAIL PROTECTED] wrote:
> In the ini-files for my php-projects, I store various settings.
> Two of them are username and password for my mysql-connections.
>
> Is it safe to load these two into session variables when a user logs
> in to my application?

For the most part, yes, it is fine. Because session variables are
maintained on the server, many risks are not a concern.

However, there are some things to consider. Where is session data stored?
If you are using the default location /tmp and are on a shared server,
session data is pretty easy to access by others who share your server.
Depending on how the server and PHP are configured, they may be able to
browse your home directory as well, so you might be out of luck. :-)

Some have suggested setting such things in the VirtualHost directive of
Apache, thereby creating environment variables. This might be easier to
hide from others on the server.

If it's a dedicated server, there is much less to worry about.

> What I don't understand, and hence the questions, is whether session
> variables are accessible by my website's visitors, or just to the
> php-scripts on the server.

Session variables, barring a compromise of your server, are only available
to users as you make them available. So, as long as your code never
outputs the value you wish to keep hidden, you'll be fine.

Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
 Coming mid-2004
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] is it safe to store username and password for mysql connection in session variables?

2003-11-24 Thread anders thoresson
> For the most part, yes, it is fine. Because session variables are
> maintained on the server, many risks are not a concern.

Ok. So it's more or less safe, at least as long as the server is locked
down. But someone, on this list or somewhere else, I don't remember,
pointed out that if my site gets a lot of visitors, loading username,
password and hostname for MySQL-connections in session variables causes a
lot of overhead.

So: What's the best way - in terms of security AND performance - to store
and access username, password and hostname for my MySQL connections?

> PHP Security Handbook
>  Coming mid-2004

Nice. From which publisher?

--
anders thoresson


Re: [PHP] is it safe to store username and password for mysql connection in session variables?

2003-11-24 Thread Chris Shiflett
--- anders thoresson [EMAIL PROTECTED] wrote:
> > For the most part, yes, it is fine. Because session variables are
> > maintained on the server, many risks are not a concern.
>
> Ok. So it's more or less safe, at least as long as the server is
> locked down. But someone, on this list or somewhere else, I don't
> remember, pointed out that if my site gets a lot of visitors, loading
> username, password and hostname for MySQL-connections in session
> variables causes a lot of overhead.

I'm not sure that I agree with this (I'm not positive that it's wrong
either, but I find it hard to believe). If you're already using sessions,
and PHP is already fetching session data from the session data store for
each visit, it seems like a negligible amount of overhead to me to have a
bit more stored in the session. Perhaps they were speaking about storing
this information in cookies (which would make a larger performance
difference in addition to creating a security vulnerability)?

> So: What's the best way - in terms of security AND performance - to
> store and access username, password and hostname for my MySQL
> connections?

David Sklar and Adam Trachtenberg (two smart guys who authored the PHP
Cookbook) suggest storing this information in the Web server's
environment. So, for Apache users, you would have something in httpd.conf
(or a .access file) that sets variables for your database connection
information. As long as you don't have any phpinfo() calls hanging around
exposing the environment variables to anyone who loads the page, this
seems pretty secure to me. It also seems like a very efficient method. You
might want to consider it.


> > PHP Security Handbook
> >  Coming mid-2004
>
> Nice. From which publisher?

O'Reilly and Associates. :-)

Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
 Coming mid-2004
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp




Re: [PHP] is it safe to store username and password for mysql connection in session variables?

2003-11-24 Thread anders thoresson
> David Sklar and Adam Trachtenberg (two smart guys who authored the PHP
> Cookbook) suggest storing this information in the Web server's
> environment.

Guess we are talking about recipe 8.20 and 8.21?

I'm on a SunOS shared server. Should I add SetEnv DB_PASS password to
the .htaccess file in my public_html dir and then access it as
$_ENV['DB_PASS']?

What should the access rights to .htaccess be? -rw--- or something
else?

--
anders thoresson


Re: [PHP] is it safe to store username and password for mysql connection in session variables?

2003-11-24 Thread Justin French
On Tuesday, November 25, 2003, at 06:25  AM, anders thoresson wrote:

> > For the most part, yes, it is fine. Because session variables are
> > maintained on the server, many risks are not a concern.
>
> Ok. So it's more or less safe, at least as long as the server is
> locked down. But someone, on this list or somewhere else, I don't
> remember, pointed out that if my site gets a lot of visitors, loading
> username, password and hostname for MySQL-connections in session
> variables causes a lot of overhead.

Actually, I said it didn't make sense.  Logically, I see NO REASON why 
MySQL connection information (something common to all users of the 
site) would be stored multiple times (once for each user) as a session 
variable.  Yes, it's a lot of overhead, but that wasn't my point... it 
just doesn't make sense.

Additionally,

- if you were to periodically change your passwords (a good idea), all 
current sessions would have invalid connection info.
- if you've slipped up somewhere and accidentally dump your session data 
to screen (a print_r() debug for example), you'll make those details 
very public, very quick
- if a user can't maintain a session (no cookies for example), they 
can't access the databases


> So: What's the best way - in terms of security AND performance - to
> store and access username, password and hostname for my MySQL
> connections?

<?php
include('protected/directory/mysql_connect.inc');
?>

Simple.

Is it the fastest?  Is it the most secure?  No idea -- but it makes a 
truckload more sense than storing it in a session.  MySQL connection 
information has nothing to do with each individual user.

Justin French

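The two recommendations in this thread (credentials from the web server's environment per Chris, or from an include file kept outside the web root per Justin, and in neither case in $_SESSION) are put together below. This is an added example written for this page, not code from the thread, from the PHP Cookbook, or from any of the posters. The Apache SetEnv directives shown in the comment, the DB_HOST/DB_USER/DB_PASS variable names, the fallback path and the function names are all assumptions. One caveat worth knowing when following anders' $_ENV['DB_PASS'] idea: Apache's SetEnv values reach PHP through $_SERVER and getenv(); $_ENV is only filled when variables_order in php.ini contains "E", so the code below reads $_SERVER first.

```php
<?php
// Added example (not from the thread). Credentials come from the web
// server environment, with a fallback to a config file outside the
// document root. Nothing here is ever written to $_SESSION.
//
// Assumed Apache side (httpd.conf, a VirtualHost block, or .htaccess):
//   SetEnv DB_HOST localhost
//   SetEnv DB_USER appuser
//   SetEnv DB_PASS s3cret
// SetEnv values arrive in $_SERVER (and getenv()); $_ENV only has them
// if variables_order in php.ini contains "E".

declare(strict_types=1);

// Load credentials, preferring the server environment over the file.
function load_db_config(string $fallback_file): array
{
    $keys = ['DB_HOST', 'DB_USER', 'DB_PASS'];
    $cfg = [];
    foreach ($keys as $k) {
        $v = $_SERVER[$k] ?? getenv($k);
        if ($v !== false && $v !== null && $v !== '') {
            $cfg[$k] = (string) $v;
        }
    }
    if (count($cfg) === count($keys)) {
        return $cfg;
    }
    // Fallback: an INI file outside public_html, owned by the web server
    // user and readable only by it (chmod 0600), so other accounts on a
    // shared host cannot read it and it can never be served as a page.
    if (!is_readable($fallback_file)) {
        throw new RuntimeException('database configuration not available');
    }
    $ini = parse_ini_file($fallback_file, false, INI_SCANNER_RAW);
    foreach ($keys as $k) {
        if (empty($ini[$k])) {
            throw new RuntimeException("missing $k in config file");
        }
        $cfg[$k] = (string) $ini[$k];
    }
    return $cfg;
}

// Connect per request: the credentials are needed only here, so there is
// no reason to copy them into every visitor's session.
function db_connect(array $cfg): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli($cfg['DB_HOST'], $cfg['DB_USER'], $cfg['DB_PASS']);
}

// Guard against the print_r($_SESSION) slip Justin describes: a debug
// dump that redacts any key that looks like a secret, recursively.
function redacted(array $data): array
{
    foreach ($data as $k => $v) {
        if (is_array($v)) {
            $data[$k] = redacted($v);
        } elseif (preg_match('/pass|secret|token|key/i', (string) $k)) {
            $data[$k] = '[redacted]';
        }
    }
    return $data;
}

// Usage (assumed path; the private directory sits beside, not inside,
// public_html):
//   $cfg = load_db_config('/home/anders/private/db.ini');
//   $db  = db_connect($cfg);
//   print_r(redacted($_SESSION));   // safe even if left in by mistake
```

Because the credentials are read fresh on each request, rotating the database password only means changing the SetEnv line or the INI file; no live session is left holding a stale copy, which addresses the first of Justin's three objections.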


[PHP] is it safe to store username and password for mysql connection in session variables?

2003-11-23 Thread anders thoresson
Hi,

In the ini-files for my php-projects, I store various settings. Two of
them are username and password for my mysql-connections.

Is it safe to load these two into session variables when a user logs in
to my application? Or is it better to access the ini-file each time a
mysql-connection is needed?

What I don't understand, and hence the questions, is whether session
variables are accessible by my website's visitors, or just to the
php-scripts on the server.

--
anders thoresson


Re: [PHP] is it safe to store username and password for mysql connection in session variables?

2003-11-23 Thread Justin French
On Monday, November 24, 2003, at 01:54  AM, anders thoresson wrote:

> Is it safe to load these two into session variables when a user logs
> in to my application? Or is it better to access the ini-file each time
> a mysql-connection is needed?

I include the file with unames and passwords as needed.  I believe 
session information should be used for storing user-specific data.  If 
you have 100 sessions open on the server, that's 100 copies of your 
MySQL username and password being stored as session data -- it just 
doesn't make sense.

> What I don't understand, and hence the questions, is whether session
> variables are accessible by my website's visitors, or just to the
> php-scripts on the server.

Session variables are stored on the server, and are only made visible 
to the user if you choose to do so.  In theory, this should alleviate 
your concerns, but the catch is how well you build your scripts... for 
example, you might have put a print_r($_SESSION) somewhere in your 
script for debugging purposes, which would spew the entire contents of 
their session onto the screen -- this is obviously bad.

So, IMHO, that's two reasons why your MySQL u/p details shouldn't be in 
the session :)

Justin French
