Hello All,

So, I've been using my own implementation of session handling which is
mainly storing the userinfo in a cookie (an array, serialised and signed)
but I'm starting to come around to the idea of storing this info on the
server and just passing a session key about - but I have a couple of
reservations, which I'm hoping someone can confirm or resolve :

Assuming that sessions are stored on the filesystem by default:
    1 How secure is this? Could someone with system level access simple
wander into the session store directory and start browsing though the
session data?
    2 Are expired sessions removed from the filesystem automatically? How
often is this garbage collection performed?
    3 How can I get a count of currently active (I.e non expired) sessions?
    4 Are there any performance issues to worry about doing it this way?
    5 Is it quicker to do it this way or store sessions in a db using

Like the subject says, I'm after informed opinions on this subject rather
than rumours and hearsay.

As for my setup - it's a BSD box - Apache2.0.39 + PHP4.2.2 (apache module) +
PHP4.3.0dev-Zend2alpha2 (cgi) - both compiled with pretty much everything.

Thanks a lot people,


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to