[web] PHP Session variables vs. Repulling from DB

5 comments, last by soitsthateasy 14 years, 1 month ago
I am making a PHP browser-based game, and have a question: I need to track quite a few pieces of data about a logged-in player, and I need to know whether it is better to hold them all in session variables from page to page, or to hold only the player name and then re-query for the rest of the player's data on each page. I would assume it should be the former, but a few example games I have downloaded have used the second method, and I am not sure why. Are there any problems or security issues with session variables? I know that only the session ID is stored client-side in a cookie, so there shouldn't be any issue with players being able to alter them, right? I would love to avoid all those extra MySQL queries for each player per page if possible. Thanks!
Well, one of the possible scenarios you need to think about is: what if a player logs out, logs in from another computer, or clears his cookies? If you save to the DB, all his data will be preserved, but if you keep saving it in the session, it will be lost.

It's not so much a question of "which one is better" but rather "which one suits my current needs." If you can't decide on one, you're either not taking into consideration all the possible cases (like I outlined above) OR it honestly doesn't matter.
Comrade, Listen! The Glorious Commonwealth's first Airship has been compromised! Who is the saboteur? Who can be saved? Uncover what the passengers are hiding and write the grisly conclusion of its final hours in an open-ended, player-driven adventure. Dziekujemy! -- Karaski: What Goes Up...
Quote: Original post by Koobazaur
Well, one of the possible scenarios you need to think about is: what if a player logs out, logs in from another computer, or clears his cookies? If you save to the DB, all his data will be preserved, but if you keep saving it in the session, it will be lost.

It's not so much a question of "which one is better" but rather "which one suits my current needs." If you can't decide on one, you're either not taking into consideration all the possible cases (like I outlined above) OR it honestly doesn't matter.


Ohh, sorry, I should have mentioned that I do have it currently set to write to the DB every time anything changes, so the player can log out, erase the cookie, etc., and all they have to do is log back in to get it all back. I was just trying to avoid the read query at the top of every single page if I could.

I do believe you have answered my question, since there was nothing like "OMG! Don't use session variables like that! It's not secure!" lol. I have definitely wanted to use session variables for almost all of the player data to limit the db hits a bit (I definitely think that would suit my current needs, since it is for a game that needs as much performance and speed as possible), but I started second-guessing myself by looking at other people's code (I know, a bad practice when you are pretty sure you have a handle on everything already).

Thank you very much :)
Sessions can be insecure if you don't know how to use them properly, as can cookies. Bear it in mind!
Quote: Original post by soitsthateasy
Sessions can be insecure if you don't know how to use them properly, as can cookies. Bear it in mind!


I have read some into session security. From what I have read, using the setting to store the session IDs only in cookies and also using SSL on your site can make them much more secure. Anything else I should look into?

And thanks :)
Storing PHP sessions on the filesystem can be insecure when you're using shared hosting.

Apart from that, in the grand scheme, a simple DB query just to retrieve some variables is cheap enough that you don't need to care about the performance. It's a premature optimization that can easily lead to worse code. If, in the end, it does impact performance, you're much better off using a proper caching system like APC.
I'm not sure if you're using them, but cookies can be insecure.
This example isn't in context, but you get the idea:

You have a CMS with two types of users: User and Admin. In the login box, you log in (surprise, surprise!) and a cookie is made using the login details.
You're logged in as a User and you notice a cookie saying "admin=no". You think to yourself, "hmmm, I want to be an Admin!" and you go and change the admin cookie to yes. Simple as that, you have an admin account!

People always make websites but never think about security. I think that security should be the most important!
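Added example, not code from anyone in this thread: the "admin=no" cookie pattern described above next to the server-side version, where only the session ID reaches the client and the role is loaded from the DB at login and kept in $_SESSION. It also sets the cookie-only / HTTPS-only session options mentioned earlier. The PDO connection in $pdo and a users table with columns id, name, password_hash, is_admin are assumptions.

```php
<?php
// Added example (not from the thread). Assumes a PDO connection in $pdo and a
// users table with columns id, name, password_hash, is_admin.

// VULNERABLE: the role lives in a client-controlled cookie. Anything the browser
// stores can be edited, so this check trusts the attacker's own claim.
function isAdminFromCookie(): bool
{
    return isset($_COOKIE['admin']) && $_COOKIE['admin'] === 'yes';
}

// HARDENED: only the session ID travels to the client; the role is read from
// the DB at login and cached in $_SESSION, which the client cannot edit.
function startSecureSession(): void
{
    ini_set('session.use_only_cookies', '1');  // never accept a session ID from the URL
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    session_set_cookie_params([
        'secure'   => true,   // cookie only sent over HTTPS (the "use SSL" advice above)
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(PDO $pdo, string $name, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash, is_admin FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);              // fresh ID on login, prevents session fixation
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['is_admin'] = (bool) $row['is_admin'];
    return true;
}

// Every page checks the server-side copy, never a cookie value.
function isAdmin(): bool
{
    return !empty($_SESSION['is_admin']);
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```

Because the role is cached in $_SESSION, demoting a player in the DB does not take effect until they log in again; re-read the row (or clear the cached value) when a role changes.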
