On 22 Dec 2011, at 19:34, Paul M Foster wrote:

> I have concerns that the items in a session buffer can be copied and
> used to spoof legitimate logins. This is harder to do when the info is
> held in a database.

Storing stuff in a database is no more secure, it simply requires one single 
extra step... finding the DB credentials in the source code. Given that the 
only way a user could read session data (assuming you're using the default 
session handler, i.e. file-based) is if they have access to those files.

If they do have access to those files they almost certainly also have access to 
your source code (since the web user must be able to read both), especially if 
you're using a shared host. If you're using a dedicated server then you should 
address the reason you're worried about people having access to session files 


Stuart Dallas
3ft9 Ltd
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to