Found this article and need the experts to consult on the statement "avoid
the session mechanism".  Is this a true problem?  And what should we do if
we cannot have a dedicated server to ourselves?

Avoid the session mechanism. The "session" mechanism is handy for storing
persistent data, but its current implementation has many problems. First, by
default sessions store information in temporary files - so if you're on a
multi-hosted system, you open yourself up to many attacks and revelations.
Even those who aren't currently multi-hosted may find themselves
multi-hosted later! You can "tie" this information into a database instead
of the filesystem, but if others on a multi-hosted database can access that
database with the same permissions, the problem is the same. There are also
ambiguities if you're not careful ("is this the session value or an
attacker's value"?) and this is another case where an attacker can force a
file or key to reside on the server with content of their choosing - a
dangerous situation - and the attacker can even control to some extent the
name of the file or key where this data will be placed.

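As an added example (not part of the original post or of the quoted article), the following PHP shows one way to address the points the article raises when you do not control the whole host: keep session data out of the shared temp directory by supplying your own save handler backed by a database you alone have credentials for, refuse session IDs the server did not issue (so an attacker cannot pick the file or key name), and read session values defensively. The SQLite path, table name and `user_id` key are assumptions chosen for illustration; this requires PHP 8 and the PDO SQLite driver.

```php
<?php
// Added example: hardened PHP session handling for a shared host.
// Not code from the mailing-list post or the quoted article.
declare(strict_types=1);

// Session store backed by a PDO database. Other tenants can only read this
// data if they share our database credentials, which they must not.
final class PdoSessionHandler implements SessionHandlerInterface
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        // Assumed table name; created on first use.
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS sessions (
                id    TEXT PRIMARY KEY,
                data  BLOB NOT NULL,
                mtime INTEGER NOT NULL)'
        );
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // Prepared statement: the session ID never becomes part of the SQL text.
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = :id');
        $st->execute([':id' => $id]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : (string) $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        $st = $this->db->prepare(
            'REPLACE INTO sessions (id, data, mtime) VALUES (:id, :data, :t)'
        );
        return $st->execute([':id' => $id, ':data' => $data, ':t' => time()]);
    }

    public function destroy(string $id): bool
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $st->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        // Expire rows older than the configured lifetime.
        $st = $this->db->prepare('DELETE FROM sessions WHERE mtime < :cutoff');
        $st->execute([':cutoff' => time() - $max_lifetime]);
        return $st->rowCount();
    }
}

// 1. Only accept session IDs this server generated. Without strict mode a
//    client can present any ID it likes, and that ID becomes the file name
//    or database key under which its data is stored.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');

// 2. Store sessions in a database file outside the web root, owned by this
//    site's own user (assumed path; mode 0700 on the directory).
$db = new PDO('sqlite:' . __DIR__ . '/../private/sessions.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

session_set_save_handler(new PdoSessionHandler($db), true);
session_start();

// 3. Issue a fresh ID once per session (and again after login) so an ID that
//    existed before authentication cannot be reused afterwards.
if (!isset($_SESSION['initiated'])) {
    session_regenerate_id(true);
    $_SESSION['initiated'] = true;
}

// 4. Read session values with an explicit type check rather than assuming the
//    key exists and holds what we wrote; never let request input choose the key.
$userId = (isset($_SESSION['user_id']) && is_int($_SESSION['user_id']))
    ? $_SESSION['user_id']
    : null;
```

This does not remove the caveat in the quoted text: if the database account is shared with other tenants, moving sessions into it changes nothing. The protection comes from the combination of a store only your credentials can reach, strict-mode IDs so the attacker cannot choose the key, and regeneration so a pre-issued ID is never trusted across a privilege change.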