
I'm working on a client library to interface with my company's API, and we generate a user ticket when the user logs in using the API.

Obviously I don't want to send the user ticket to the client for resubmission on subsequent requests - is it (relatively) safe for me to cache this value in $_SESSION for later calls?

Comments:
  • Highly depends on the implementation. $_SESSION is built around the session cookie (by default), and that's what you should protect first. Tell us a bit more about how you would approach this; as is, there isn't enough info for a good answer. Commented Feb 8, 2012 at 16:54
  • Heh, as I've been fleshing out the documentation this morning I realized that this is mostly an academic question; the only place I'm using it is in my simplified sample code, which won't be used in production. That said, my practice if I were consuming the library in production would be to mark the cookies HttpOnly and Secure. Depending on the usage I could potentially use some header comparison to reject hijacked sessions. What am I missing? Commented Feb 8, 2012 at 17:57

1 Answer


I don't see why it wouldn't be. The biggest consideration that I can see is that you don't want your data being clobbered by other code that is using the session. My common practice in this instance is to create a session key of __{$company_name} and store all of my bits there. This drastically reduces the chance that some other code will nuke my session variables.

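The following is an added example, not code from the question, the answer or the library being discussed. It puts together the two points made on this page: the answer's advice to keep a library's data under one namespaced key in $_SESSION so other code on the same host cannot clobber it, and the comments' advice to harden the session cookie (HttpOnly, Secure) and to compare a request header to catch hijacked sessions. The class name, the namespace key `__ExampleCo`, the ticket format, the TTL and the `$apiClient->login()` call are all assumptions made for illustration. The array form of `session_set_cookie_params()` requires PHP 7.3 or later.

```php
<?php
// Added example (not from the original question or answer). Keeps one
// library's session data under a single namespaced key and hardens the
// session cookie. Class name, key name and ticket format are assumptions.

declare(strict_types=1);

final class ApiSessionStore
{
    // One top-level key so other code sharing the session cannot clobber our data.
    private const NS = '__ExampleCo';

    public static function start(): void
    {
        if (session_status() === PHP_SESSION_ACTIVE) {
            return;
        }
        // Cookie hardening: not readable by JavaScript, only sent over TLS,
        // not sent on cross-site navigations. Requires PHP 7.3+ (array form).
        session_set_cookie_params([
            'lifetime' => 0,
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
        session_start();
        if (!isset($_SESSION[self::NS]) || !is_array($_SESSION[self::NS])) {
            $_SESSION[self::NS] = [];
        }
    }

    // Call once after the API login succeeds. Regenerating the session id
    // prevents session fixation: the ticket is never attached to an id that
    // an attacker could have chosen before the user authenticated.
    public static function storeTicket(string $ticket, int $ttlSeconds): void
    {
        self::start();
        session_regenerate_id(true);
        $_SESSION[self::NS]['ticket']  = $ticket;
        $_SESSION[self::NS]['expires'] = time() + $ttlSeconds;
        // Bind the ticket to the client that obtained it (the header
        // comparison mentioned in the comments). A later mismatch is treated
        // as a hijacked session and the ticket is dropped.
        $_SESSION[self::NS]['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    }

    // Returns the cached ticket, or null when there is none, it has expired,
    // or the request does not look like the client that created it.
    public static function ticket(): ?string
    {
        self::start();
        $data = $_SESSION[self::NS];
        if (!isset($data['ticket'], $data['expires'], $data['ua_hash'])) {
            return null;
        }
        if (time() >= $data['expires']) {
            self::clear();
            return null;
        }
        $uaHash = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
        if (!hash_equals($data['ua_hash'], $uaHash)) {
            self::clear();
            return null;
        }
        return $data['ticket'];
    }

    // Drop only our namespace; other code's session data is left untouched.
    public static function clear(): void
    {
        self::start();
        $_SESSION[self::NS] = [];
    }
}

// Usage in a request handler (the login call is a hypothetical API client method):
// ApiSessionStore::start();
// $ticket = ApiSessionStore::ticket();
// if ($ticket === null) {
//     $ticket = $apiClient->login($user, $pass);
//     ApiSessionStore::storeTicket($ticket, 3600);
// }
```

Two caveats worth keeping in mind. The ticket never leaves the server with this approach (only the session id cookie goes to the browser), so the cookie settings and `session_regenerate_id()` are what actually protect it. The User-Agent comparison is only a cheap heuristic: an attacker who has stolen the cookie can usually copy the header too, so treat it as a tripwire, not as a substitute for HttpOnly, Secure and a short ticket lifetime.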
