<< Comments inline >>

----- Original Message -----
From: "Rasmus Lerdorf" <[EMAIL PROTECTED]>
To: "Danny Shepherd" <[EMAIL PROTECTED]>
Sent: Tuesday, July 30, 2002 11:24 AM
Subject: Re: [PHP] Sessions - Informed Opinions

> > Assuming that sessions are stored on the filesystem by default:
> >     1 How secure is this? Could someone with system level access simply
> > wander into the session store directory and start browsing through the
> > session data?
> Well, at least as secure as passing this stuff out across the Internet to
> random clients where anybody can steal these cookies and present them back
> to you in a spoof attack.
Fair enough

> >     2 Are expired sessions removed from the filesystem automatically?
> > often is this garbage collection performed?
> Sure.  You configure it.  See php.ini
> >     3 How can I get a count of currently active (i.e. non-expired)
> Count the number of session files.
Can I be sure that the count will only include active sessions though?

> >     4 Are there any performance issues to worry about doing it this way?
> Not really
> >     5 Is it quicker to do it this way or store sessions in a db using
> > session_set_save_handler?
> Should be slightly quicker if your database is nice and fast and your
> schema is sane.

> > As for my setup - it's a BSD box - Apache2.0.39 + PHP4.2.2 (apache module) +
> > PHP4.3.0dev-Zend2alpha2 (cgi) - both compiled with pretty much
> Why in the world are you running Apache2?  You are not running it threaded
> anyway (since you are on FreeBSD) so you are not gaining any of the
> threaded scalability that is Apache2's only real selling point right now.
> You are running code that acts just like Apache 1.3.x except it is much
> less stable (at least with PHP).

Can't say I've really noticed any stability issues - even with PHP (there
was that multiple cookie bug but even so). It's a dev box (the release boxes
all use Apache1.3.x) and TBH, I was playin' about some of Apache2's other
features, such as the dynamic vhosting, which might be useful to me later.

Thanks for the reply though,


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
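
Questions 1 and 3 above, as an added example that is not part of the original thread: with the default files handler, garbage collection runs only probabilistically, so a raw file count can include expired sessions, and the store's permissions decide whether other local users can browse it. The function name `audit_session_store`, the demo directory and the 1440-second lifetime are assumptions for illustration; it assumes session files named `sess_<id>` and a PHP version with type declarations.

```php
<?php
// Added example, not code from the thread. Assumes the default "files" save
// handler, where each session is a file named sess_<id> in the save path.

function audit_session_store(string $dir, int $maxLifetime, ?int $now = null): array
{
    clearstatcache();
    $now = $now ?? time();
    $report = ['active' => 0, 'expired' => 0, 'loose_perms' => []];

    // A directory that group/other can list lets local users enumerate session ids.
    $dirMode = fileperms($dir) & 0777;
    if ($dirMode & 0044) {
        $report['loose_perms'][] = sprintf('%s (%04o)', $dir, $dirMode);
    }

    foreach (glob($dir . '/sess_*') ?: [] as $file) {
        // GC is probabilistic, so files older than the lifetime may still be
        // on disk; classify by last-modified time instead of mere presence.
        if ($now - filemtime($file) <= $maxLifetime) {
            $report['active']++;
        } else {
            $report['expired']++;
        }
        // Session files should be readable by the web server user only (0600).
        $mode = fileperms($file) & 0777;
        if ($mode & 0077) {
            $report['loose_perms'][] = sprintf('%s (%04o)', basename($file), $mode);
        }
    }
    return $report;
}

// Constructed demo: a throwaway store with one fresh and one stale session file.
$dir = sys_get_temp_dir() . '/sess_demo_' . uniqid();
mkdir($dir, 0700);
$now = time();
foreach (['sess_fresh' => 60, 'sess_stale' => 7200] as $name => $age) {
    file_put_contents("$dir/$name", 'user|s:5:"danny";');
    chmod("$dir/$name", $name === 'sess_stale' ? 0644 : 0600);
    touch("$dir/$name", $now - $age);
}
print_r(audit_session_store($dir, 1440, $now));
array_map('unlink', glob("$dir/sess_*"));
rmdir($dir);
```

Against a real store, pass the configured `session.save_path` directory and `(int) ini_get('session.gc_maxlifetime')` instead of the demo values.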
