Dave Hall wrote:
> On Sun, 2008-07-13 at 23:14 +0200, Sigurd Nes wrote:
>> Hi all,
>>
>> The new session handler in trunk has all necessary meta-data about the
>> session embedded in the session itself.
>>
>> If suhosin - the Hardened-PHP Project is enabled - the session data is
>> encrypted and the list sessions feature cannot be used.
>>
>> I think the list session is useful for tracking users in case of remote
>> problem solving.
>>
>> How about re-enabling the meta information un-encrypted outside the
>> session data so it is available to the list session?
>>
>> This also affects the count of current users.
>
> Security always comes at a cost.
>
> If people really need this functionality it can be documented and those
> users can either disable suhosin or use db sessions. I fail to see what
> benefit it brings for the overhead involved.

Only choice is to disable suhosin as db-sessions are encrypted as well.
To have the (old) fields as lid, action and logintime is very cheap - don't
think it is noticeable at all as it is only accessed twice per page view.

>
> btw you can get the current session count by using a unique path for
> storing the session files.
>

Regards

Sigurd

_______________________________________________
phpGroupWare-developers mailing list
phpGroupWare-developers@gnu.org
http://lists.gnu.org/mailman/listinfo/phpgroupware-developers