Brad Hubbard wrote:
> On Tue, 16 Apr 2002 14:01, Manuel Lemos did align ASCII characters thusly:
> > Probably the fastest way to keep session profile information is by
> > serializing the data array into a string that will be encrypted and then
> > stored in cookie. The security weakness of this method is that if the
> > secret key leaks, hackers may use to forge new sessions.
> Is this documented anywhere?

Yes, but where I know I can't tell you because it is part of a
proprietary system. Maybe somebody else did it like this and documented
somewhere but I have no knowledge of that. Anyway what part didn't you

> > A more secure but eventually less scalable method is to store the
> > session data in a shared memory cache, so you minimize database accesses
> > to just one after the server is restarted. This is probably the one you
> > want to use as long you know how to deal with shared memory and
> > semaphores.
> Is this documented anywhere?

Probably only in my mind . :-)

> My understanding was that htaccess authentication was more secure that
> session based because of the porblems of session hijacking???

I guess you mean HTTP based authentication. No, AFAIK that is very
unsecure because you can't end a "session" because browsers cache
authenticated passwords and only drop them (of they do, IE may not do
it) when you quit your browser. If you leave your browser terminal for
some time, somebody may come in and take advantage of your account

Manuel Lemos

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to