On Wed, Jul 22, 2009 at 2:46 PM, Ashley Sheridan

> On Wed, 2009-07-22 at 03:45 +0700, Lenin wrote:

> > >
> > As Floyd suggested keeping your sessions in the DB will give you better
> > session management and security as well.
> Why would putting the session data in a database offer more security?
> I'm not meaning to try and poke holes in your idea, I genuinely don't
> know the answer!

*Storing Session Data In A Database*

When you use on-disk files to store session data, those files must be
readable and writeable by PHP. On a multi-user hosting system, it is
possible for other users to access your session data through the PHP process
(but see the commentary on open_basedir in part 5 of this series). The best
way to secure your session data is to store it in a database.

source: http://www.acunetix.com/websitesecurity/php-security-6.htm

I have also studied the Zend Certification Study Guide by Davey Shafik and Ben
Ramsey, who said similar things in the book.


