
Basically this is what I am doing:

I'm using PHPXMLRPC to communicate with Odoo.

In essence, every request I need to send over needs to follow this structure:

// Assumed setup line (not in the original): a PHPXMLRPC message for Odoo's "execute" method
$msg = new xmlrpcmsg('execute');

// The database I wish to connect to
$msg->addParam(new xmlrpcval($this->dbname, "string"));

// The logged-in user id
$msg->addParam(new xmlrpcval($this->userID, "int"));

// The logged-in user's password
$msg->addParam(new xmlrpcval($this->password, "string"));

// The model
$msg->addParam(new xmlrpcval("project.project", "string"));

// The method I'm requesting to call
$msg->addParam(new xmlrpcval("read", "string"));

// Query parameters
$msg->addParam(new xmlrpcval($id_list, "array"));
$msg->addParam(new xmlrpcval($field_list, "array"));

Now I have written a class which in its constructor sets the instance variables to the values passed into its constructor, i.e.:

class PHPClient {
    private $userName;
    private $password;
    private $dbname;
    private $server_url;
    private $userID;

    public function __construct($server_url, $database, $user, $password)
    {
        $this->server_url = $server_url;
        $this->dbname = $database;
        $this->userName = $user;
        $this->password = $password;
        // No user id until the login call has succeeded
        $this->userID = false;
    }
}

There are occasions where I wish to use the same object again somewhere else down the line, perhaps on another page. Instead of asking the user to effectively "login" again, enter all their details again and then having to create another object, would it be safe enough to serialize the PHPClient object and store it in a session, then in any other pages where I require use of that object (in order to verify that the user is logged in and has sufficient permission) deserialize the object to carry out any further RPC requests?

mjsey

2 Answers

You can safely serialize across requests. You can even safely put user input into data and then serialize it.

However, never unserialize data that the user can possibly modify. For example, never unserialize a cookie or form payload, or anything that another server sends you.

So yes, it's perfectly safe to serialize to store data in a session.

ircmaxell
  • So it's still safe even though the object contains a password? Albeit being a private variable? – mjsey Apr 22 '15 at 14:09
  • @mjsey safe from what? – ircmaxell Apr 22 '15 at 14:10
  • Safe from the hands of a malicious user, i.e. to modify it? – mjsey Apr 22 '15 at 14:15
  • @mjsey what malicious user? One on the internet (a remote attacker)? Then yes, it is safe. One on the server (a local attacker)? Depends on permissions and your server. – ircmaxell Apr 22 '15 at 14:17
  • Yeah a remote one, sorry. That is good to know, so as long as passing a serialized object with connection parameters from page to page is considered to be safe practice. – mjsey Apr 22 '15 at 14:20
I'm assuming that you are discussing storing objects in the $_SESSION variable. This variable is stored on the server so it is only modifiable from the server. So the session is as secure as your server is. If users can log in to your server or cause your server to behave incorrectly via an application bug, the session isn't very secure. Otherwise, it's probably good enough.

To specifically answer

How secure is PHP object serialization

Serialization isn't secure at all. It is an encoding, not encryption, of the data. Anyone can deserialize, modify, and re-serialize the objects. So serialization adds no security. If the session isn't secure enough for you then you need to add additional security.

Neil Smithline
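Putting both answers into code (an added example, not from the question or either answer): the PHPClient is serialized only into the server-side $_SESSION and read back with a class allow-list, while anything that arrives from the browser or another server is decoded as plain JSON rather than passed to unserialize(). PHP >= 8.0 is assumed; the static helpers, decodeUntrustedState and the sample login values are this example's own.

```php
<?php
// Added example, not code from the question or answers; assumes PHP >= 8.0. The field
// names follow the asker's PHPClient; the static helpers and decodeUntrustedState are mine.
final class PHPClient
{
    private int|false $userID = false;
    public function __construct(
        private string $server_url,
        private string $dbname,
        private string $userName,
        private string $password, // needed for later Odoo calls, so it stays in the object
    ) {}

    public function setUserID(int $uid): void { $this->userID = $uid; }
    public function getUserID(): int|false { return $this->userID; }

    // Server-side storage, the case both answers call safe: only the session id
    // reaches the browser, the serialized string (and the password in it) never does.
    public static function saveToSession(self $client): void
    {
        $_SESSION['odoo_client'] = serialize($client);
    }

    // Restore on a later page. The string comes from our own session store, so
    // unserialize() is acceptable here; the allow-list still rejects any other class.
    public static function loadFromSession(): ?self
    {
        if (!isset($_SESSION['odoo_client'])) {
            return null;
        }
        $obj = unserialize($_SESSION['odoo_client'], ['allowed_classes' => [self::class]]);
        return $obj instanceof self ? $obj : null;
    }
}

// Anything from the browser or another server is untrusted; serialization is only an
// encoding, so never pass such input to unserialize(). Decode it as plain data instead.
function decodeUntrustedState(string $raw): array
{
    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}
// Login page (constructed values), then the round trip a later page would perform.
session_start();
$login = new PHPClient('https://odoo.example.test', 'demo_db', 'alice', 'secret');
$login->setUserID(7); // normally the uid returned by Odoo's authenticate() call
PHPClient::saveToSession($login);
$later = PHPClient::loadFromSession();
assert($later !== null && $later->getUserID() === 7);
```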