I’m developing some additional functionality for a client’s website that uses the email address as a key lookup variable between various databases (email marketing system, internal prospect database, and a third shared DB that helps bridge the gap between the two).
I’m concerned that storing a visitor’s email address as a $_SESSION variable could lead to security issues (not so much for our site, but for the visitor).
Anybody have suggestions or experience on whether this is okay to do, or if there’s another alternative out there?
It is important to understand the difference between how $_SESSION variables are stored and how cookies are used to retrieve it. All data in the session is stored on the server (in /tmp by default, I believe), and persisted between requests. No session data is stored directly in a cookie by default. However, PHP will store a cookie with a unique id that identifies your user with a particular session (hence how the same information can be retrieved over different requests).
If the cookie with the session id is compromised, another user can impersonate someone with that session. This includes authenticated sessions, where a user has already logged in. If this happens, chances are you’ll likely have bigger problems than exposing an email address.
It wouldn’t be a bad idea to use some kind of user id in your session, as opposed to the email address. However, there are a number of other, probably more useful, ways to add security to your session.
See this question: PHP Session Security
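One way to put the answer's points together, as an added example that is not part of the original answer: the session holds only a user id, the email is resolved server-side on each request, and the session-id cookie is restricted. The $prospects array is constructed sample data standing in for the site's database, and the helper names remember_visitor and current_email are hypothetical.

```php
<?php
// Added example, not code from the original question or answer.
// Constructed sample data standing in for the prospect database.
$prospects = [
    42 => ['email' => 'visitor@example.com'],
];

// Accept only session ids the server issued, and keep the id out of URLs.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');

// The cookie carries only the session id; limit where the browser sends it.
session_set_cookie_params([
    'lifetime' => 0,        // expire when the browser closes
    'path'     => '/',
    'secure'   => true,     // sent over HTTPS only
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

/** Call once the visitor has been identified (hypothetical helper). */
function remember_visitor(int $userId): void
{
    // Issue a fresh id and delete the old session data, so an id
    // captured before this point no longer maps to a session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;   // opaque key, no email in session data
}

/** Resolve the email server-side on each request (hypothetical helper). */
function current_email(array $prospects): ?string
{
    $id = $_SESSION['user_id'] ?? null;
    if ($id === null) {
        return null;                  // no identified visitor in this session
    }
    return $prospects[$id]['email'] ?? null;
}

remember_visitor(42);
echo current_email($prospects), PHP_EOL;
```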