On 22 Dec 2011, at 19:34, Paul M Foster wrote: > I have concerns that the items in a session buffer can be copied and > used to spoof legitimate logins. This is harder to do when the info is > held in a database.
Storing stuff in a database is no more secure, it simply requires one single extra step... finding the DB credentials in the source code. Given that the only way a user could read session data (assuming you're using the default session handler, i.e. file-based) is if they have access to those files. If they do have access to those files they almost certainly also have access to your source code (since the web user must be able to read both), especially if you're using a shared host. If you're using a dedicated server then you should address the reason you're worried about people having access to session files first. -Stuart -- Stuart Dallas 3ft9 Ltd http://3ft9.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php