> So, I've been using my own implementation of session handling which is
> mainly storing the userinfo in a cookie (an array, serialised and signed)
> but I'm starting to come around to the idea of storing this info on the
> server and just passing a session key about - but I have a couple of
> reservations, which I'm hoping someone can confirm or resolve :
>
> Assuming that sessions are stored on the filesystem by default:
> 1 How secure is this? Could someone with system level access simply
> wander into the session store directory and start browsing through the
> session data?

Well, at least as secure as passing this stuff out across the Internet to
random clients where anybody can steal these cookies and present them back
to you in a spoof attack.

> 2 Are expired sessions removed from the filesystem automatically? How
> often is this garbage collection performed?

Sure. You configure it. See php.ini

> 3 How can I get a count of currently active (i.e. non expired) sessions?

Count the number of session files.

> 4 Are there any performance issues to worry about doing it this way?

Not really

> 5 Is it quicker to do it this way or store sessions in a db using
> session_set_save_handler?

Should be slightly quicker if your database is nice and fast and your
schema is sane.

> As for my setup - it's a BSD box - Apache2.0.39 + PHP4.2.2 (apache module) +
> PHP4.3.0dev-Zend2alpha2 (cgi) - both compiled with pretty much everything.

Why in the world are you running Apache2? You are not running it threaded
anyway (since you are on FreeBSD) so you are not gaining any of the
threaded scalability that is Apache2's only real selling point right now.
You are running code that acts just like Apache 1.3.x except it is much
less stable (at least with PHP).

-Rasmus

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
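As an added example (not part of the thread, and not code from either poster), the following script combines the answers to questions 2 and 3: it counts the session files in `session.save_path` but applies `session.gc_maxlifetime` to each file's modification time, because expired session files stay on disk until PHP's probabilistic garbage collection happens to run. It is written for a modern PHP (7+), not the PHP 4 in the original setup; the `countActiveSessions` function name and the `sess_` file prefix of the files save handler are the assumptions it makes.

```php
<?php
// Added example, not from the original mailing-list thread.
// Count file-based sessions that are still within session.gc_maxlifetime.
// Assumes the default "files" save handler, whose files are named sess_<id>.

function countActiveSessions(?string $savePath = null, ?int $maxLifetime = null): array
{
    // Fall back to the runtime configuration. session.save_path may be empty
    // (system temp dir) or carry the "N;MODE;/path" form used by the files handler.
    $savePath = $savePath ?? (string) ini_get('session.save_path');
    if ($savePath === '') {
        $savePath = sys_get_temp_dir();
    }
    if (preg_match('/^\d+;(?:\d+;)?(.+)$/', $savePath, $m)) {
        $savePath = $m[1];
    }
    $maxLifetime = $maxLifetime ?? (int) ini_get('session.gc_maxlifetime');

    $now = time();
    $active = 0;
    $expiredOnDisk = 0;

    foreach (glob(rtrim($savePath, '/') . '/sess_*') ?: [] as $file) {
        if (!is_file($file)) {
            continue;
        }
        $mtime = filemtime($file);
        if ($mtime === false) {
            continue;
        }
        // PHP touches the file on each write, so mtime is the last activity time.
        if ($now - $mtime <= $maxLifetime) {
            $active++;
        } else {
            // Still readable on disk until garbage collection removes it.
            $expiredOnDisk++;
        }
    }

    return [
        'path'            => $savePath,
        'gc_maxlifetime'  => $maxLifetime,
        'active'          => $active,
        'expired_on_disk' => $expiredOnDisk,
    ];
}

// Usage: run as the same user as the web server so the save path is readable.
print_r(countActiveSessions());
```

The `expired_on_disk` figure is the practical answer to question 1: anyone who can read the save path can read every one of those files, live or stale, so the directory should be owned by the web server user with mode 0700 and a dedicated `session.save_path` rather than a shared `/tmp`, and `session.gc_probability` / `session.gc_divisor` should be set so collection actually runs on a low-traffic site.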