yawa-ti-de (f)
I will take it that the last 2 or so posts, after nitation's apology, crossed yet again. Nitation has apologized, xanadu has accepted, and kolitos is yet to acknowledge (though it is safe to say he will have no problems accepting the apology either). There is too much global warming going on for us to add to it by blowing off steam on this here thread. Let's move on. Thanks.

xanadu
Thanks, @Yawa-ti-de.

Tech Pros (m)
For me, I believe there is no reason why everything must be stored in a db when there are ways of securing sessions stored in a file. I will ask you all: must the file reside in the tmp folder, and how is storing sessions in a file not secure? Over the years I have been privileged to work on large applications, in which I most times prefer to store in a file, and based on my knowledge of security, I am sure it's safe. nitation, never run oo, come back, defend yourself.

nitation (m)
Since Xanadu opened the way for you! Rain all your claims on me throughout the months. I will be glad to read them. Or do you want me to say sorry to you too, techpros? Since that is your opinion about storing sessions, so be it.
Lest I forget, Xanadu, you haven't commented on the topic itself. What would you prescribe as the best method?
- nitation

kolitos007
@Xanadu I would like to thank you for your comments. It is nice the way you put @nitation in the place he needs to be. Thank God, I accept his apologies too. I have nothing against the guy; we should all be able to leave comments on this forum and also encourage new people to do so too, not scare people away.
@Tech Pros This is what I am saying, but I was told that I don't know about it because I have not handled big projects before, so I thought it was best for me not to say too much, but I am glad someone else shares my views on this.
It would be nice one day to be able to come on this forum and ask or talk to people about your opinions without being belittled.
Thanks

nitation (m)
You are mixing things up here. I didn't say sorry to you because my comments were wrong! I need you to get that straight. I said sorry about how you understood it. They are two different things.
No one belittled you unless you are feeling inferior.
This topic really shows how many people I am a threat to. Keep on coming.
- nitation

Tech Pros (m)
@nitation abeg stop this, let's get back to the topic at hand. dede mi ra wo
@kolitos I don't see anything bad in nitation's statement and I think you gave the right reply. Seriously, I see no reason why you should think you are being belittled.
This topic is interesting and important, please let's get back to the topic at hand. Where is Dhtml? Sey you go let them spoil this topic for you?

lightwalk (m)
I think it is much better to save it on the database

webdezzi (m)
I think it is unsafe to save sessions in a DB (my views, lest I get slaughtered):
1. I know saving in a DB will affect performance, especially when users grow.
2. A simple SQL injection will make the database readable, even if the attacker can't upload a file to the server.
3. I just think so, because my instinct thinks so.
And I heard of peeps working on large database applications; please, I need help on making this decision.
1. Do you think it is a nice idea to open a connection to a database, fetch/insert/update the database, and close the connection, or
2. Open the connection and keep it opened for as long as the application is on, while queries are being executed when needed? That way, the connection will be opened once and closed once.
It seems cool to go for option 1, but I notice the application is noticeably slower when I open and close up to 20 connections for users logging in alone, not to talk of users using the main features of the app.

lightwalk (m)
Maybe you should get a network security ebook. 

biggjoe (m)
Hehe, mate, we already know what he is like, lol. Without knowing who he is talking to, he just always assumes. I just listen to the guy; he is the master, hehe.
I've been there before.

nitation (m)
Where have you been, that it took you six months to fix a line of code in Dreamweaver, and you don't expect anyone to comment? C'mon, contribute to the topic and stop filling the database with crap.
- nitation

kolitos007
I think it is unsafe to save sessions in a DB (my views, lest I get slaughtered):
1. I know saving in a DB will affect performance, especially when users grow.
2. A simple SQL injection will make the database readable, even if the attacker can't upload a file to the server.
3. I just think so, because my instinct thinks so.
And I heard of peeps working on large database applications; please, I need help on making this decision.
1. Do you think it is a nice idea to open a connection to a database, fetch/insert/update the database, and close the connection, or
2. Open the connection and keep it opened for as long as the application is on, while queries are being executed when needed? That way, the connection will be opened once and closed once.
It seems cool to go for option 1, but I notice the application is noticeably slower when I open and close up to 20 connections for users logging in alone, not to talk of users using the main features of the app.
Webdezzi, you have made some valid points here. Yeah, there are security issues no matter what you do. I have a mate that uses encryption to store data in files, with the decryption key given to the user. His system runs really fast and I think that is a great idea; I do my own system that way anyway, but everyone has a different way of working. So I still stand by my point of storing sessions in files rather than in the database. I should think if you are dealing with a large application, you can always open the connection at start and close at end, or use a persistent connection. I hate persistent connections; I think they have great security issues, that's just my view. I am sure others will think otherwise.

Afam (m)
Hmm,
@topic,
I see nothing wrong in storing sessions anywhere you want to store them as long as appropriate security issues are well sorted out. There are large applications using a database to store them just as there are applications out there using files to do the same.
There is no perfect security either way. We only try to secure as much as we can.
@issues concerning belittling, insults, harassment etc,
From experience, insults should not be tolerated and rather than store them up in one's mind the person who feels insulted should reply in kind, complain to the moderators or forget about it.
There is no perfect way of responding to insults as what works for Mr A may not work for Mr B.
While I will never insult anyone for having a different view or opinion on anything I will always respond to insults in kind and on time too.
If people cannot agree on basic issues even on a forum where members may never know the people behind the usernames then it will be a waste of time expecting Nigerians to work together considering the issue of ethnicity, religion, tribe etc.

kolitos007
Well said @Afam, I think you hit the nail on the head there. It's all based on preference no matter what you're doing; either way, storing in files or in a db will still give you the same result.
And nice one on your other comments, well said.

biggjoe (m)
Where have you been, that it took you six months to fix a line of code in Dreamweaver, and you don't expect anyone to comment? C'mon, contribute to the topic and stop filling the database with crap.
- nitation
If I have contributed, how will you know, when you are busy throwing insults at other people?

*dhtml
I better watch my head...

kehers (m)
Too bad I missed out on an interesting topic like this. Ok, to start with, I'd go for file storage for session storage due to scalability. Storing in a db actually rocks for a lot of reasons. For one, you have easy access to session data, can easily kill/manipulate sessions, count visitors online, blah blah blah, but then comes the big cross: scalability. Developers that have handled big sites will understand better. Database resources are costly (in terms of memory and CPU) and wherever possible, it is better to limit this. Saving sessions in a db consumes a minimum of 2 db accesses (one for the initial data read, and the other for the data write at session end) per page per user, and this does not scale well, especially if the pages perform other db activities. But really, there is nothing you can achieve with storing sessions in a db that you can't achieve with storing in a file. If you know of one, let it out. And if you must go the db way, I think it is better to use a different db server (like SQLite) so that if anything happens to the db, other non-session data are still safe.

quadrillio (m)
I can't believe I missed this; anyway, a comment is never too late.
1. So far, from projects handled, I think where you store it is not the problem but how you do it. The reason is because I have done more of saving it in a file than in a db, and I still feel safe either way.
Just to chip this in, we webmasters should try not to attack each other here because:
1. It's not a competition, so no one will receive an award as the best here.
2. Young web developers are looking at us; we don't need to make them believe that attacking a fellow developer is the way to be the best.
3. Sharing is the best way to learn. (That's the way I learnt all my life, BY SHARING KNOWLEDGE WITH OTHERS.)
SAFE

*dhtml
SQL injections, webdezzi, can be blocked, and there is also the issue of flood protection and means to protect against session hijacking. But of course nothing is foolproof. But from my own experience, I think it is better to store sessions in a database.

lojik (m)
I almost missed out on this sha.
I store in a db and I don't feel SQL injection is a problem; that can always be taken care of. Let's just say it's more of how you do it than where you do it. I've never even thought of using a file, but I'm ok storing session data in a db. Just my style.

hostmot (f)
Actually, storing your sessions in the database is much safer and guarantees faster access when you have so many users (the same way it's faster to store and retrieve data in the database rather than flat files). That said, if you have your own VPS or dedicated server, you don't need to worry about where your sessions are stored. It's your own box; your own flat. If you are on a shared server, storing your sessions in a db adds an extra layer of security, as it is harder for the other people on your server to access your db than the temp folder where all your sessions are stored along with theirs (C'mon, y'all are using a single PHP installation and it will put everything there). BTW, the topic is confusing in a way. Session management and session hijacking have no "versus" relationship whatsoever.
Olawunmi, Hostmot Sales Rep. ( www.hostmot.com)

*dhtml
If you have a dedicated server and store sessions in files, a third-party application can still hijack your session. Well, sessions can be stored anywhere you like, even on the client file system; I will leave that aspect open.
Ok, so let us move to session hijacking, which is the real topic. Here we are going to be talking about the various ways of how to steal session data over the internet and how to prevent some of these attacks. I am feeling rather hungry... to be continued!

hostmot (f)
If you are on a dedicated server and a third party still manages to hijack your sessions through your scripts, then you should read the "Essential PHP Security" book.
Olawunmi, Sales Rep., Hostmot ( www.hostmot.com)