security - How secure is PHP object serialization and is it safe to pass across pages? (Using phpXMLrpc)


Basically, this is what I'm doing:

I'm using phpxmlrpc to communicate with Odoo.

In essence, to communicate, every request I need to send needs to follow this structure:

    // the database I wish to connect to
    $msg->addparam(new xmlrpcval($this->dbname, "string"));
    // the logged-in user's id
    $msg->addparam(new xmlrpcval($this->userid, "int"));
    // the logged-in user's password
    $msg->addparam(new xmlrpcval($this->password, "string"));
    // the model
    $msg->addparam(new xmlrpcval("project.project", "string"));
    // the method I'm requesting to call
    $msg->addparam(new xmlrpcval("read", "string"));
    // query parameters
    $msg->addparam(new xmlrpcval($id_list, "array"));
    $msg->addparam(new xmlrpcval($field_list, "array"));

Now I have written a class whose constructor sets instance variables to the values passed to the constructor, i.e.:

    class phpclient {
        private $username;
        private $password;
        private $dbname;
        private $server_url;
        private $userid;

        public function __construct($server_url, $database, $user, $password) {
            $this->server_url = $server_url;
            $this->dbname = $database;
            $this->username = $user;
            $this->password = $password;
            $this->userid = false;
        }
    }

There are occasions where I wish to use the same object again somewhere else down the line, perhaps in another page. Instead of asking the user to "login" again and enter their details again, and having to create the object again, is it safe enough to serialize the phpclient object and store it in the session, so that other pages that require use of the object, in order to verify the user is logged in and has sufficient permission, can deserialize the object and carry out further RPC requests?

You can safely serialize across requests. You can safely put user input data in and serialize it.

However, never unserialize data that a user can possibly modify. For example, never unserialize a cookie or form payload, or anything a server sends you.

So yes, it's safe to serialize and store the data in the session.
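
The distinction the answer draws, as an added example that is not part of the original post: session data is serialized and read back only by the server, while a value that passes through the browser is authenticated before `unserialize()` and decoded with object instantiation disabled. `SECRET_KEY`, `seal()`, `open_sealed()` and the sample values are assumptions made for illustration, and the `phpclient` class here is a trimmed stand-in for the one in the question.

```php
<?php
// Added example, not from the original post. SECRET_KEY, seal() and
// open_sealed() are hypothetical names; all sample values are constructed.
const SECRET_KEY = 'placeholder-load-a-random-key-from-server-config';

class phpclient {   // trimmed stand-in for the class in the question
    private $dbname;
    private $userid;
    private $password;
    public function __construct($dbname, $userid, $password) {
        $this->dbname = $dbname;
        $this->userid = $userid;
        $this->password = $password;
    }
    public function dbname() { return $this->dbname; }
}

// 1. Server side only: the same step $_SESSION['client'] = $client performs.
//    Only the server writes and reads this string, so unserializing is fine.
$client   = new phpclient('demo_db', 7, 'constructed-password');
$restored = unserialize(serialize($client), ['allowed_classes' => ['phpclient']]);
var_dump($restored->dbname() === 'demo_db');

// 2. Values that pass through the browser (cookie, form field): authenticate
//    first, never instantiate objects, and keep the password out of them
//    (base64 is an encoding, not encryption).
function seal(array $state): string {
    $blob = serialize($state);
    return base64_encode($blob) . '.' . hash_hmac('sha256', $blob, SECRET_KEY);
}

function open_sealed(string $sealed): ?array {
    $parts = explode('.', $sealed, 2);
    $blob  = count($parts) === 2 ? base64_decode($parts[0], true) : false;
    if ($blob === false
        || !hash_equals(hash_hmac('sha256', $blob, SECRET_KEY), $parts[1])) {
        return null;   // malformed or modified after sealing: do not unserialize
    }
    $state = unserialize($blob, ['allowed_classes' => false]);
    return is_array($state) ? $state : null;
}

$cookie  = seal(['dbname' => 'demo_db', 'userid' => 7]);
$changed = base64_encode(serialize(['dbname' => 'demo_db', 'userid' => 1]))
         . '.' . explode('.', $cookie, 2)[1];   // payload edited, original MAC kept

var_dump(open_sealed($cookie));    // value exactly as the server sealed it
var_dump(open_sealed($changed));   // value edited after sealing
```

On pages that read the object back from the session, the `phpclient` class definition has to be loaded before `session_start()` so PHP can rebuild the instance.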

