On 12/22/2011 2:54 PM, Stuart Dallas wrote:
On 22 Dec 2011, at 19:34, Paul M Foster wrote:

I have concerns that the items in a session buffer can be copied and
used to spoof legitimate logins. This is harder to do when the info is
held in a database.

Storing stuff in a database is no more secure, it simply requires one single 
extra step... finding the DB credentials in the source code. Given that the 
only way a user could read session data (assuming you're using the default 
session handler, i.e. file-based) is if they have access to those files.

If they do have access to those files they almost certainly also have access to 
your source code (since the web user must be able to read both), especially if 
you're using a shared host. If you're using a dedicated server then you should 
address the reason you're worried about people having access to session files 


Sessions are faster, one step to read the session array.

Encode a token e.g., MD5 the timestamp, and save it in the session buffer. Gets pretty secure. If you're on a shared host with poor security, bad folks can do anything on your site.

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to