Ach, correction: "Chuck is correct here." = "*Richard* is correct here."
No morning coffee yet, sorry.
- Ben
On Apr 20, 2006, at 7:22 PM, Richard Lynch wrote:
On Thu, April 20, 2006 1:46 pm, Ben Liu wrote:
After a bit more research, I think I understand why Jochem recommends
use of session_save_path() rather than just naming each session
differently. The former method provides more security as you can set
the location where session cookies are stored. This will help prevent
an attacker from gaining access to session information and then using
it to gain inappropriate access to the application the session was
created for or even other applications running on the same shared
server. Anyway, I think that's why.
::Possible False Sense Of Security Alert::
If a Bad Guy can read the session data, moving it to a different
directory is probably not going to help, really...
Unless you are running with different Usernames for each client on
your shared server, using FastCGI + suexec or some similar method, the
cookie files are STILL just as readable by the same Bad Guys, using
the same methods. They just have to change their to:
<?php $path = "/other/path/to/other/cookies";?>
before they start their damage.
There may well be other GREAT reasons for using a different save path,
or a different path for the Cookie, or session_name over each other,
but I don't think Security is the reason behind any of the choices.
I'd personally use ini_set as the last choice because it's remotely
possible that the setting can't be changed from within a script, as a
few are like that -- Or, worse, that they can be changed today, but
in, say PHP 6 or PHP 7, they won't be for some obscure reason we
cannot predict today.
session_name() seems less likely to just disappear completely as a
feature than a "minor" change to a php.ini setting and where it is
allowed.
But that's just my paranoid logic. :-)
--
Like Music?
http://l-i-e.com/artists.htm
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
