Andrew Ballard wrote:
> On Wed, Jul 22, 2009 at 9:59 AM, Robert Cummings<> wrote:
>> A custom session handler that writes to files could easily encrypt session
>> data so that only the user with the correct session ID can decrypt it. I
>> think you're confusing the issue by claiming database sessions are more
>> secure when what you really mean is that custom sessions are more secure
>> than the default session system.
> What would you use for the encryption key? (I'm not saying you're
> wrong here; I'm just not sure I see it.) If the key is the same for
> all requests, then it is no more secure than if they were unencrypted,
> other than not being able to read the contents in a text editor. If it
> is based on the session_id, you can get that from the file name.
> That's a little more secure, but not much. A value stored in $_SESSION
> is out, for obvious reasons. I guess you could store the key in
> $_COOKIE or even a use a combination of (or hash derived from)
> session_id() and another value stored in $_COOKIE as the key.
> It seems to me that anything you can do to make file-based sessions
> secure could also be layered into a database approach, making the
> database sessions even that much more secure.
> Andrew

Well, if you're using a custom session handler to encrypt the files,
then you can also determine what the session file names are.  So don't
put the session id in the file name.  Maybe use a secure hash of the
session id for the filename and then use the session id as the
encryption key.


PHP General Mailing List (
To unsubscribe, visit:

Reply via email to