----- Original Message -----
From: "Tech Support" <[EMAIL PROTECTED]>
To: "Danny Shepherd" <[EMAIL PROTECTED]>
Sent: Tuesday, July 30, 2002 6:44 PM
Subject: Re: [PHP] Sessions - Informed Opinions

> If you're on a shared system it's very easy for other users on your
> to read session data. All you have to do is opendir("/tmp") and then
> readdir() and copy the files into something you can read. I have
> a few commerce sites and this issue has bothered me a few times and with
> each new site I find better and more secure methods.

Yeah, the whole shared hosting thing has me bothered - until Apache can run
as a different user for each vhost (allowing tighter filesystem security on
the docroot), I'm steering well clear of the whole situation - thankfully
our clients generally own their own boxes :-)

> The beauty of sessions in php is that the user does not need to accept
> cookies for it to work. If you have --enable-trans-sid, which on by
> in 4.2.X you only need to manually add the session id in two cases:
> 1. you are using a full URL in a form or a link. Even if it's your full
> php will still assume it's off site and thus not append the session id to
> the query string.
> 2. You use a header redirect (relative or full URL)
> I use mysql to store session data via session_set_save handler in favor of
> file type. It took me a long time to find code that worked because the
> documentation is not as clear as it could be. I found some code that half
> way worked but it would seg fault apache on my system so I search message
> boards and asked questions until I found the problem. I now have a set of
> functions that work great. Anyway, what I'm getting at is that, if you
> it, I would be happy to share it with you.

Thanks for the offer but guess what I've just finished doing? :-) I'll agree
that the docs were well flaky though!



PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to