Phil <[email protected]…> writes:
I understand that a session is server side, and not externally visible.
For this reason can it be used to store a User class (username/hashed
Or do I need to check what's in the session against the user table every
time I access a controller?
You’re correct, session data only exists on the server, so it’s safe, so
store whatever is convenient in it for identifying authenticated users.
On the other hand, the way you map users to session data is via a key
stored in a cookie on the client side, and that key is transmitted over
network in the clear (unless you’re using https), so the session key is
possible source of mischief. For example, there are attacks where the
tries to intercept the user’s session key in transit, or off the user’s
and then uses it to masquerade as that user. There are also “session
attacks (see AWDR p. 445-446, and
that you have to watch out for.
If you’re worried about these kinds of attacks there are some simple
can do; for example:
- Delete session data (reset_session) when the user logs out, so their
  key can't be used again.
- Store the user's IP address in their session hash; every time you invoke a
  controller, verify that their current IP address (request.remote_ip)
  what the session hash says it should be. This prevents (or at least,
  more difficult) for someone who intercepts the key to use it.
- Store an expiration date/time in the session; when a controller is
  check that the session hasn't expired; again, this just makes life more
  difficult for an attacker.
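The three checks listed above, written as plain Ruby that runs without Rails (an added example, not code from the reply or from Rails itself). In a real app `session` is the Rails session hash and `remote_ip` comes from `request.remote_ip`; here both are passed in explicitly, and the helper names, hash keys and the 30-minute lifetime are assumptions for the example.

```ruby
require 'time'

SESSION_TTL = 30 * 60  # seconds; an assumed lifetime, tune per application

# On successful login: record who is logged in, from which address, and
# until when. Clearing first drops anything left from a pre-login session.
def bind_session(session, user_id, remote_ip, now = Time.now)
  session.clear
  session[:user_id]    = user_id
  session[:ip]         = remote_ip
  session[:expires_at] = (now + SESSION_TTL).iso8601
  session
end

# At the top of every controller action (a before_action in Rails).
# Returns a symbol naming why the session is rejected, or nil if it is fine.
def session_rejection(session, remote_ip, now = Time.now)
  return :not_logged_in unless session[:user_id]
  return :ip_mismatch   unless session[:ip] == remote_ip
  expires_at = session[:expires_at]
  return :expired unless expires_at && Time.iso8601(expires_at) > now
  nil
end

def session_valid?(session, remote_ip, now = Time.now)
  session_rejection(session, remote_ip, now).nil?
end

# On logout (reset_session in Rails): wipe the server-side data so the old
# session key no longer maps to an authenticated user.
def reset_session!(session)
  session.clear
end
```

An IP mismatch also occurs for legitimate users whose address changes (mobile networks, pools of outbound proxies), so log the rejection and force re-authentication rather than treating it as proof of an attack.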