So, I've been using my own implementation of session handling which is
mainly storing the userinfo in a cookie (an array, serialised and signed)
but I'm starting to come around to the idea of storing this info on the
server and just passing a session key about - but I have a couple of
reservations, which I'm hoping someone can confirm or resolve:
Assuming that sessions are stored on the filesystem by default:
1 How secure is this? Could someone with system level access simply
wander into the session store directory and start browsing through the
2 Are expired sessions removed from the filesystem automatically? How
often is this garbage collection performed?
3 How can I get a count of currently active (i.e. non-expired) sessions?
4 Are there any performance issues to worry about doing it this way?
5 Is it quicker to do it this way or store sessions in a db using
Like the subject says, I'm after informed opinions on this subject rather
than rumours and hearsay.
As for my setup - it's a BSD box - Apache2.0.39 + PHP4.2.2 (apache module) +
PHP4.3.0dev-Zend2alpha2 (cgi) - both compiled with pretty much everything.
Thanks a lot people,