On 12/22/2011 2:54 PM, Stuart Dallas wrote:
On 22 Dec 2011, at 19:34, Paul M Foster wrote:
I have concerns that the items in a session buffer can be copied and
used to spoof legitimate logins. This is harder to do when the info is
held in a database.
Storing stuff in a database is no more secure, it simply requires one single
extra step... finding the DB credentials in the source code. Given that the
only way a user could read session data (assuming you're using the default
session handler, i.e. file-based) is if they have access to those files.
If they do have access to those files they almost certainly also have access to
your source code (since the web user must be able to read both), especially if
you're using a shared host. If you're using a dedicated server then you should
address the reason you're worried about people having access to session files
Sessions are faster, one step to read the session array.
Encode a token e.g., MD5 the timestamp, and save it in the session buffer. Gets
pretty secure. If you're on a shared host with poor security, bad folks can do
anything on your site.
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php