Store everything in the database in an encrypted form.

Stuart Dallas wrote:
> On 22 Dec 2011, at 19:34, Paul M Foster wrote:
> 
>> I have concerns that the items in a session buffer can be copied and
>> used to spoof legitimate logins. This is harder to do when the info is
>> held in a database.
> 
> Storing stuff in a database is no more secure, it simply requires one
> single extra step... finding the DB credentials in the source code. Given
> that the only way a user could read session data (assuming you're using
> the default session handler, i.e. file-based) is if they have access to
> those files.
> 
> If they do have access to those files they almost certainly also have
> access to your source code (since the web user must be able to read both),
> especially if you're using a shared host. If you're using a dedicated
> server then you should address the reason you're worried about people
> having access to session files first.
> 
> -Stuart
> 
> --
> Stuart Dallas
> 3ft9 Ltd
> http://3ft9.com/
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php