What bit is more secure?
function login_customer($customer_details) {
//Set a cookie to login the customer
setcookie("Str_CUST_LOGIN", 1, time()+3600);
setcookie("Str_CUST_EMAIL", $customer_details['customers_email']);
setcookie("Str_CUST_ID", $customer_details['customers_id']);
//Update the cart
return true;
}
or is this below. The script uses IF ELSE statements. Nightmare application for old client.
function login_customer($customer_details) {
//Set a cookie to login the customer
$str_HA_CUST_LOGIN="1";
// the customer details var gets info from a mysql escape form
// so mysql /xss is stopped
$str_HA_CUST_EMAIL=$customer_details['customers_email'];
$str_HA_CUST_ID=$customer_details['customers_id'];
$_SESSION["loggedIn"]=$str_HA_CUST_LOGIN;
$_SESSION["userEmail"]=$str_HA_CUST_EMAIL;
$_SESSION["userID"]=$str_HA_CUST_ID;
return true;
}
I am trying to improve it and lock sessions down. Not done any Salt, MD5 based sessions strings yet as I was thinking of a database session - only issue here is MySQL is so overloaded we had to make a master and cluster load balancer on cloud servers. 200+ average orders per second on a quite day. So I want sessions??
Cookies can be easily forged and tampered by a client. So if an attacker knows what cookies the application expects, he/she can forge the cookies or alter the cookie values at his/her will.
In your case it would probably be possible to authenticate as a arbitrary customer solely on the basis of knowledge of the customer ID (and/or the e-mail address).
The problem with this is that you mix up identification (‘Who is the user?’) and authorization (‘Can he/she prove it’s really him/her?’). Because both an ID and an e-mail address are used for identification as they are both unique and some kind of public (i. e. not just known to you) and thus not qualified for authentication. So don’t use identification information for authentication as well.
Now if you think I’ll just put the password in a cookie as well that would fulfill the authentication aspect, don’t do that either. Because there are attacks where an attacker can read the contents of a cookie (e. g. Cross-Site Scripting) and thus would be able to obtain the authentication data.
Use the session container instead to store the sensible information on the server side. But with sessions you still need to be aware of session related attacks like Session Hijacking or Session Fixation.
Cookies and their data are sent over the wire on EVERY request to the page. If you're embedding site-critical data in the cookies, it will be trivial to mangle/steal that data while the page requests is "in flight".
Sessions, by comparison, store all data on the server. The only thing that goes between the client and the server is the session's ID token. Stealing the session token allows an attacker to assume the victim's identity, but then they don't gain any more abilities than the user had already.
e.g. If you're sending out a cookie has_super_user_powers=false, then don't be surprised when someone hacks the cookie to make it true instead. Saving that flag in the session makes it unchangeable by the remote user, as the value never leaves your server in the first place.
Both can be stolen, but the value of cookies can be read. Sessions can contain more information.
Both are equally as safe, but to properly use cookies you'll have to spend a little bit more time.
If you're just starting with session management, just use sessions.
-edit-
Actually, technically cookies are more secure than sessions are. Since sessions are based on cookies they can only be as secure as cookies are, and almost always less secure than that. However, unless you have a very good implementation, sessions will be safer for you.
Depends on what kind of information you store in those cookies. But Sessions in general are more secure than cookies. Since cookies reside on the clients machine, while sessions are on your server.
If your server is already overloaded, better not use a database based session. Either use file based sessions (default per PHP) or the data you want to store is irrelevant, feel free to use cookies instead.
Related
I have several questions about SESSIONS and COOKIES, I read in internet and all people recommend use SESSIONS (for security) but.. Not is same save the ID login in one session (phpsessid) that save in one cookie?
I tested this:
I copied my PHPSESSID ID (cookie) from my login account from a website
( in chrome) and insert my PHPSESSID (cookie) in another browser (in
opera) with VPN and I can access in this account.
What is the security here? if anyone can guess or hijack my cookie PHPSESSID ID is same if I use a Cookie to saving the login id, or not?
My question is.. Dont is more secure use a secure cookie ID like in wordpress, encrypting ID and checking in DB the IP and USER_AGENT ?
Now, I using this:
I create a random ID and save in one cookie (when the user login is success)
And check if this ID exist in the DB, check if the IP (saved in DB) and USER_AGENT (saved in DB) is equal. if not, login another time
Anyone can me guide a little? Thx you for read.
You should ask yourself this: "How easy is it to guess the randomly generated random id?".
If your answer to this question is "very easy" you should make it harder to guess. Use a UUID or some other form of securely random ID.
If you answer is "quite hard" you should not have to worry about this. The only attack vector you are offering is to be able to guess a randomly generated id.
You can read more about "guessing the PHPSESSID" here.
In general it should not be necessary to check the IPs of the user (as a side note, you open up yourself to all the stuff in the GDPR by doing this) or their User-Agent as both things might change during the sessions lifetime.
The key point about sessions is that they are a server-side storage. In other words, your program writes whatever it sees fit and it reads back exactly what it wrote before because information cannot be tampered by clients as it happens with cookies. Additionally, the information remains hidden to client's eyes so it can store confidential or just internal uninteresting information. Last but not least, a PHP session allows to store most data types supported by PHP. A cookie can only store plain text.
The weak link in sessions is that HTTP is a stateless protocol so the client needs to identify itself on every request (unlike it happens in other network protocols as FTP, SSH or SMTP). Earlier implementations would transmit the session ID in the URL itself. It was later improved to only use cookies and cookies can be configured to be restricted to encrypted connections. But, yes, if something intercepts your HTTP traffic and finds out your session ID he can easily impersonate you because most sites don't care about implementing further checks. However, that's why HTTPS is encouraged nowadays.
I started using PHP a couple of months ago. For the sake of creating a login system for my website, I read about cookies and sessions and their differences (cookies are stored in the user's browser and sessions on the server).
At that time, I preferred cookies (and who does not like cookies?!) and just said: "who cares? I don't have any good deal with storing it in my server", so, I went ahead and used cookies for my bachelor graduation project.
However, after doing the big part of my app, I heard that for the particular case of storing user's ID, sessions are more appropriate. So I started thinking about what would I say if the jury asks me why have you used cookies instead of sessions? I have just that reason (that I do not need to store internally information about the user). Is that enough as a reason? or it's more than that?
Could you please tell me about advantages/disadvantages of using cookies for keeping User's ID?
The concept is storing persistent data across page loads for a web visitor. Cookies store it directly on the client. Sessions use a cookie as a key of sorts, to associate with the data that is stored on the server side.
It is preferred to use sessions because the actual values are hidden from the client, and you control when the data expires and becomes invalid. If it was all based on cookies, a user (or hacker) could manipulate their cookie data and then play requests to your site.
Edit: I don't think there is any advantage to using cookies, other than simplicity. Look at it this way... Does the user have any reason to know their ID#? Typically I would say no, the user has no need for this information. Giving out information should be limited on a need to know basis. What if the user changes his cookie to have a different ID, how will your application respond? It's a security risk.
Before sessions were all the rage, I basically had my own implementation. I stored a unique cookie value on the client, and stored my persistent data in the database along with that cookie value. Then on page requests I matched up those values and had my persistent data without letting the client control what that was.
Basic ideas to distinguish between those two.
Session:
UID is stored on server (i.e. server-side)
Safer (because of 1)
Expiration can not be set, session variables will be expired when users close the browser. (nowadays it is stored for 24 minutes as default in php)
Cookies:
UID is stored on web-browser (i.e. client-side)
Not very safe, since hackers can reach and get your information (because of 1)
Expiration can be set (see setcookies() for more information)
Session is preferred when you need to store short-term information/values, such as variables for calculating, measuring, querying etc.
Cookies is preferred when you need to store long-term information/values, such as user's account (so that even when they shutdown the computer for 2 days, their account will still be logged in). I can't think of many examples for cookies since it isn't adopted in most of the situations.
SESSIONS ENDS WHEN USER CLOSES THEIR BROWSER,
COOKIES END DEPENDING ON THE LIFETIME YOU SET FOR IT. SO THEY CAN LAST FOR YEARS
This is the major difference in your choice,
If you want the id to be remembered for long time, then you need to use cookies; otherwise if you just want the website to recognize the user for this visit only then sessions is the way to go.
Sessions are stored in a file your php server will generate. To remember which file is for which user, php will also set a cookie on the user's browser that holds this session file id so in their next visit php will read this file and reload the session.
Now php by default clears sessions every interval, and also naming convention of session make it auto expire. Also, browsers will not keep the cookie that holds the session id once the browser is closed or the history is cleared.
It's important to note that nowadays browsers also support another kind of storage engines such as LocalStorage, SessionStorage, and other webdb engines that javascript code can use to save data to your computer to remember you. If you open the javascript console inside Facebook, for example, and type "localStorage" you will see all the variables Facebook uses to remember you without cookies.
Short answer
Rules ordered by priority:
Rule 1. Never trust user input : cookies are not safe. Use sessions for sensitive data.
Rule 2. If persistent data must remain when the user closes the browser, use cookies.
Rule 3. If persistent data does not have to remain when the user closes the browser, use sessions.
Rule 4. Read the detailed answer!
Source : https://www.lucidar.me/en/web-dev/sessions-or-cookies/
Detailed answer
Cookies
Cookies are stored on the client side (in the visitor's browser).
Cookies are not safe: it's quite easy to read and write cookie contents.
When using cookies, you have to notify visitors according to european laws (GDPR).
Expiration can be set, but user or browser can change it.
Users (or browser) can (be set to) decline the use of cookies.
Sessions
Sessions are stored on the server side.
Sessions use cookies (see below).
Sessions are safer than cookies, but not invulnarable.
Expiration is set in server configuration (php.ini for example).
Default expiration time is 24 minutes or when the browser is closed.
Expiration is reset when the user refreshes or loads a new page.
Users (or browser) can (be set to) decline the use of cookies, therefore sessions.
Legally, you also have to notify visitors for the cookie, but the lack of precedent is not clear yet.
The appropriate choice
Sessions use a cookie! Session data is stored on the server side, but a UID is stored on client side in a cookie. It allows the server to match a given user with the right session data. UID is protected and hard to hack, but not invulnarable. For sensitive actions (changing email or resetting password), do not rely on sessions neither cookies : ask for the user password to confirm the action.
Sensitive data should never be stored in cookies (emails, encrypted passwords, personal data ...). Keep in mind the data are stored on a foreign computer, and if the computer is not private (classroom or public computers) someone else can potentially read the cookies content.
Remember-me data must be stored in cookies, otherwise data will be lost when the user closes the browser. However, don't save password or user personal data in the 'remember-me' cookie. Store user data in database and link this data with an encrypted pair of ID / key stored in a cookie.
After considering the previous recommandations, the following question is finally what helps you choosing between cookies and sessions:
Must persistent data remain when the user closes the browser ?
If the answer is yes, use cookies.
If the answer is no, use sessions.
when you save the #ID as the cookie to recognize logged in users, you actually are showing data to users that is not related to them. In addition, if a third party tries to set random IDs as cookie data in their browser, they will be able to convince the server that they are a user while they actually are not. That's a lack of security.
You have used cookies, and as you said you have already completed most of the project. besides cookie has the privilege of remaining for a long time, while sessions end more quickly. So sessions are not suitable in this case. In reality many famous and popular websites and services use cookie and you can stay logged-in for a long time. But how can you use their method to create a safer log-in process?
here's the idea: you can help the way you use cookies: If you use random keys instead of IDs to recognize logged-in users, first, you don't leak your primary data to random users, and second, If you consider the Random key large enough, It will be harder for anyone to guess a key or create a random one. for example you can save a 40 length key like this in User's browser:
"KUYTYRFU7987gJHFJ543JHBJHCF5645UYTUYJH54657jguthfn"
and it will be less likely for anyone to create the exact key and pretend to be someone else.
Actually, session and cookies are not always separate things. Often, but not always, session uses cookies.
There are some good answers to your question in these other questions here. Since your question is specifically about saving the user's IDU (or ID), I don't think it is quite a duplicate of those other questions, but their answers should help you.
cookies vs session
Cache VS Session VS cookies?
What is the difference between a Session and a Cookie?
TL;DR
Criteria / factors
Sessions
Cookies
Epoch (start of existence)
Created BEFORE an HTTP response
Created AFTER an HTTP response
Availability during the first HTTP request
YES
NO
Availability during the succeeding HTTP requests
YES
YES
Ultimate control for the data and expiration
Server administrator
End-user
Default expiration
Expires earlier than cookies
Lasts longer than sessions
Server costs
Memory
Memory
Network costs
None
Unnecessary extra bytes
Browser costs
None
Memory
Security
Difficult to hijack
Easy to hijack
Deprecation
None
Now discouraged in favor of the JavaScript "Web Storage"
Details
Advantages and disadvantages are subjective. They can result in a dichotomy (an advantage for some, but considered disadvantage for others). Instead, I laid out above the factors that can help you decide which one to pick.
Existence during the first HTTP request-and-response
Let's just say you are a server-side person who wants to process both the session and cookie. The first HTTP handshake will go like so:
Browser prepares the HTTP request -- SESSIONS: not available; COOKIES: not available
Browser sends the HTTP request
Server receives the HTTP request
Server processes the HTTP request -- SESSIONS: existed; COOKIES: cast
Server sends the HTTP response
Browser receives the HTTP response
Browser processes the HTTP response -- SESSIONS: not available; COOKIES: existed
In step 1, the browser have no idea of the contents of both sessions and cookies.
In step 4, the server can have the opportunity to set the values of the session and cookies.
Availability during the succeeding HTTP requests-and-responses
Browser prepares the HTTP request -- SESSIONS: not available; COOKIES: available
Browser sends the HTTP request
Server receives the HTTP request
Server processes the HTTP request -- SESSIONS: available; COOKIES: available
Server sends the HTTP response
Browser receives the HTTP response
Browser processes the HTTP response -- SESSIONS: not available; COOKIES: available
Payload
Let's say in a single web page you are loading 20 resources hosted by example.com, those 20 resources will carry extra bytes of information about the cookies. Even if it's just a resource request for CSS or a JPG image, it would still carry cookies in their headers on the way to the server. Should an HTTP request to a JPG resource carry a bunch of unnecessary cookies?
Deprecation
There is no replacement for sessions. For cookies, there are many other options in storing data in the browser rather than the old school cookies.
Storing of user data
Session is safer for storing user data because it can not be modified by the end-user and can only be set on the server-side. Cookies on the other hand can be hijacked because they are just stored on the browser.
I personally use both cookies and session.
Cookies only used when user click on "remember me" checkbox. and also cookies are encrypted and data only decrypt on the server. If anyone tries to edit cookies our decrypter able to detect it and refuse the request.
I have seen so many sites where login info are stored in cookies, anyone can just simply change the user's id and username in cookies to access anyone account.
Thanks,
Sessions allow you to store away individual pieces of information just like with cookies, but the data gets stored on the server instead of the client.
Session and Cookie are not a same.
A session is used to store the information from the web pages. Normally web pages don’t have any memories to store these information. But using we can save the necessary information.
But Cookie is used to identifying the users. Using cookie we can store the data’s. It is a small part of data which will store in user web browser. So whenever user browse next time browser send back the cookie data information to server for getting the previous activities.
Credits : Session and Cookie
I will select Session, first of all session is more secure then cookies, cookies is client site data and session is server site data.
Cookies is used to identify a user, because it is small pieces of code that is embedded my server with user computer browser. On the other hand Session help you to secure you identity because web server don’t know who you are because HTTP address changes the state 192.168.0.1 to 765487cf34ert8ded…..or something else numbers with the help of GET and POST methods. Session stores data of user in unique ID session that even user ID can’t match with each other. Session stores single user information in all pages of one application.
Cookies expire is set with the help of setcookies() whereas session expire is not set it is expire when user turn off browsers.
Cookies and Sessions are used to store information. Cookies are only stored on the client-side machine, while sessions get stored on the client as well as a server.
Session
A session creates a file in a temporary directory on the server where registered session variables and their values are stored. This data will be available to all pages on the site during that visit.
A session ends when the user closes the browser or after leaving the site, the server will terminate the session after a predetermined period of time, commonly 30 minutes duration.
Cookies
Cookies are text files stored on the client computer and they are kept of use tracking purposes. The server script sends a set of cookies to the browser. For example name, age, or identification number, etc. The browser stores this information on a local machine for future use.
When the next time the browser sends any request to the web server then it sends those cookies information to the server and the server uses that information to identify the user.
As others said, Sessions are clever and has more advantage of hiding the information from the client.
But Cookie still has at least one advantage, you can access your Cookies from Javascript(For example ngCookies). With PHP session you can't access it anywhere outside PHP script.
A session is a group of information on the server that is associated with the cookie information. If you're using PHP you can check the session. save _ path location and actually "see sessions".
A cookie is a snippet of data sent to and returned from clients. Cookies are often used to facilitate sessions since it tells the server which client handled which session. There are other ways to do this (query string magic etc) but cookies are likely most common for this.
See the illustration to compare differences b/w Cookies and Session.
I'm very much stuck with the reasonable secure approach to implement 'Remember me' feature in a login system. Here's my approach so far, Please advice me if it makes sense and is reasonably secure:
Logging:
User provides email and password to login (both are valid).. Get the user_id from DB Table Users by comparing provided email
Generate 2 random numbers hashed strings: key1, key2 and store in cookies. In DB Table COOKIES, store key1, key2 along with user_id.
To Check login:
If key1 and key2 both cookies exist, validate both keys in DB Table COOKIES (if a row with key1, and key2 exists, user is logged).
if cookie is valid, regenrate key2 and update it in cookie and also database.
Why re-genrating key:
Because if someone steals cookie and login with that cookie, it will be working only until the real user login. When the real user will login, the stolen cookie will become invalid. Right?
Why do I need 2 keys:
Because if i store user_id and single key in cookie and database, and the user want to remember the password on another browser, or computer, then the new key will be updated in database, so the user's cookie in earlier browser/PC will become invalid. User wont be able to remember password on more than one place.
Thanks for your opinions.
Consider this: How does adding a second cookie make it any more difficult for someone who can steal arbitrary cookies to log in as that user?
It doesn't. You have to tie it to something that the user can provide, but it can't be the same thing. If you can tie it to IP address, great. If not, consider hashing the user agent + user id using that first key as an HMAC or something. I'm still in the process of trying to design a secure login system myself, so I can tell you what definitely doesn't work--and this is one of those things.
Your scheme is based around cookie theft paranoia. There are really only three ways to steal cookies:
Man-in-the-middle attacks.
Cross-site Scripting or similar vulnerabilities that let arbitrary code run in the security context of your site.
Physical access to the machine with the browser.
We'll also classify malware as physical for our purposes.
Let's not worry about physical security. If a user loses control of his machine, he's going to have plenty more problems than worrying about your website!
Let's also not worry about XSS, blindly assuming that you're already doing all you can to prevent it.
That leaves MITM attacks.
One of the best (read: only) protections you can get against MITM attacks is SSL. If you are truly worried about MITM, you should be serving your entire site over SSL.
You don't need two of your own cookies. You just need the session cookie and a Remember Me cookie, which, by the way, you can simply store in a many-to-one table. This prevents the forced one-to-one relationship between users and Remember Mes.
Jay - this is the same thread as yesterday:
PHP login security
The answer is still the same, which is to say that SSL is the only way to ensure people can't sniff your plain text cookies. If you make a judgement call that you are willing to accept the risk that cookies might be intercepted, then your approach is fine (but more complex than necessary).
Assuming you've already concluded SSL isn't the approach you are going to work with, I'm not sure what benefit you think having two separate cookies provides over just a single cookie.
Don't tie to IP Address. This will render your website useless to any group of people sitting behind a NAT (or in a lot of cases aol).
Multiple cookies are only really helpful when one cookie is a prerequisite to receive the other.
In the case that the website requires a login, a secured session cookie can be generated and assigned and is then regenerated on subsequent page loads (it's impossible to perform session fixation against a site that doesn't keep the same session state identifier through the session).
In the case the website now prompts a user through some sort of checkout process, maybe you want to implement the second cookie as a secure token that is somehow linked to the first cookie. Both cookies become a prerequisite to transact through the site making it difficult to fixate.
Lastly, you'll probably want to do this linking in the $_SESSION super global. Doing this in the database can become quite costly if your website does any reasonable amount of traffic. That means each time a users session needs to be manipulated or started or stopped it requires a database connection and any number of queries/deletes/inserts/updates. This is not scalable.
How do you guys store login information?
Probably, store logged status at session. And username at cookies. But what are the safest practices to protect such crucial information, from falling into wrong hands.
Do not store the username in a cookie if you use it for identification. Because cookies are a client side storage and can be manipulated. Store it in the session instead that is a server side storage.
Normally, when authentication was successful, you store the user identification information in the session and only pass the session ID to the client. With that the user information stays protected on the server side.
Store the username as well in a session variable. Sessions are stored on the server, with only an identification number in a cookie.
If you need to protect the session number as well, encrypt the HTTP connection using HTTPS/SSL. This will however require you to buy a SSL certificate from an approved issuer.
If you're storing login information you need to take steps to avoid session hijacking. Store the session id in your database along with things like the users IP and browser useragent string and check that things match each time.
If you're storing passwords too then look at hashing them first - usually with some basic obfuscation like salting them first to avoid rainbow table attacks.
Store the user ID in a session variable; if you need to cache stuff like permission level, store that there too. Store the session ID in a cookie; use HttpOnly. If security/privacy is very important, use SSL for everything (and use an SSL-only cookie; also, have a look at the Strict-Transport-Security header, soon to be usable in Firefox). Otherwise, it is preferable to send at least the login through SSL. (Unfortunately, SSL requires a certificate from a provider trusted by mainstream browsers, which might be expensive to obtain.) Make sure a new session is started at login to prevent session fixation.
Use a salted hash to store passwords; preferably something slow like Blowfish, or SHA-256 repeated a few thousand times. (If you need your code to be extremely portable or run on old versions of PHP, MD5/SHA1 is fine too, but it will make ignorant people complain that you are using a hash that has been "broken".)
I have a login script that verifies a username/password against data in a 'user' table. Furthermore, I have a 'roles' table that specifies the access level of a given user. Assuming I am using safe login scripts, are there any security holes in simply performing an additional query, upon successful login, against the 'roles' table to discover the user's authorization level and storing this into a session variable? The idea would then be that on any page with mixed authority, I could simply query the session variable to discover the logged in user's authorization level.
Thanks.
Sessions are significantly safer than, say, cookies. But it is still possible to steal a session and thus the hacker will have total access to whatever is in that session. Some ways to avoid this are IP Checking (which works pretty well, but is very low fi and thus not reliable on its own), and using a nonce. Typically with a nonce, you have a per-page "token" so that each page checks that the last page's nonce matches what it has stored.
In either security check, there is a loss of usability. If you do IP checking and the user is behind a intranet firewall (or any other situation that causes this) which doesn't hold a steady IP for that user, they will have to re-authenticate every time they lose their IP. With a nonce, you get the always fun "Clicking back will cause this page to break" situation.
But with a cookie, a hacker can steal the session simply by using fairly simple XSS techniques. If you store the user's session ID as a cookie, they are vulnerable to this as well. So even though the session is only penetrable to someone who can do a server-level hack (which requires much more sophisticated methods and usually some amount of privilege, if your server is secure), you are still going to need some extra level of verification upon each script request. You should not use cookies and AJAX together, as this makes it a tad easier to totally go to town if that cookie is stolen, as your ajax requests may not get the security checks on each request. For example, if the page uses a nonce, but the page is never reloaded, the script may only be checking for that match. And if the cookie is holding the authentication method, I can now go to town doing my evilness using the stolen cookie and the AJAX hole.
Only scripts executing on your server have access to the _SESSION array. If you define the scope of the session cookie, you can even restrict it to a specific directory. The only way someone besides you could get that session data is to inject some PHP code into one of your pages.
As for the system you're using, that is acceptable and is a good way to save database calls, but keep in mind that it will require the user to log out and log in again for any authorization changes to apply. So if you wanted to lock out an account and that user is already logged in, you can't.
It should be noted that in Apache the PHP $_SESSION superglobal is accessible across virtualhosts. Consider this scenario:
Your server hosts two domains, example.com and instance.org. PHP sessions are stored in cookies that are restricted to the domain.
A user logs in to example.com and receives a session ID. Example.com sets some session variables (which are stored on the server, not in the cookie).
A third party intercepts the cookie during transmission and passes it to instance.org. Instance.org now has access to the example.com session variables.
This is not such a big deal when you control all the virtualhosts on your server, but if you are on a shared machine, it's problematic.
If you rely on a value stored inside of a session variable to determine roles then you lose the ability to change the value in the DB and have it reflected against the user's current session. If you look at Zend Framework, there's a clear distinction between authentication and authorization, and strongly-worded warnings in the manual to only store the minimal amount of data in the session (ie "Yup, he's user #37 & he logged in").
As far as 'safety' goes - unless you're on shared host, there's nothing to worry about. On a properly configured shared host, they should be relatively secure, too.