With proper permissions I'm not sure that it's any more secure but it certainly is a whole lot more scalable. And it is very easy to set up. A web search will yield a lot of examples of using a database. I use a PHP class which I really like.

Take care,

On Jul 22, 2009, at 8:36 AM, Ashley Sheridan wrote:

On Wed, 2009-07-22 at 08:32 -0400, Floyd Resler wrote:
You can do so much more with storing sessions in a database.  For
example, I can determine which of my users is currently on by looking
in the sessions table.  Not only does using a database for sessions
offer more security, it also offers more flexibility.

Take care,

On Jul 22, 2009, at 5:13 AM, Ashley Sheridan wrote:

On Wed, 2009-07-22 at 16:07 +0700, Lenin wrote:
On Wed, Jul 22, 2009 at 2:46 PM, Ashley Sheridan

On Wed, 2009-07-22 at 03:45 +0700, Lenin wrote:

As Floyd suggested keeping your sessions in the DB will give you
session management and security as well.

Why would putting the session data in a database offer more
I'm not meaning to try and poke holes in your idea, I genuinely
know the answer!

*Storing Session Data In A Database
*When you use on-disk files to store session data, those files must
readable and writeable by PHP. On a multi-user hosting system, it is
possible for other users to access your session data through the
PHP process
(but see the commentary on open_basedir in part 5 of this series.
The best
way to secure your session data is to store it in a database.

source: http://www.acunetix.com/websitesecurity/php-security-6.htm

I have also studied Zend Certification Study guide by Davey Shafik
and Ben
Ramsey who said similar things in the book.



And is the database not readable and writeable by PHP? Just seems that
this sort of thing could be properly sorted by the right permissions
level on the file, as I assume you'd be protecting the database in a
similar manner by locking down that to specific users, and determining
what they could and couldn't do.


But *how* does it offer more security? You've not actually mentioned


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to