Re: [PHP] Session handlers
----- Original Message -----
From: Shawn McKenzie [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, October 02, 2004 2:11 AM
Subject: [PHP] Session handlers

> Just curious, what is the advantage of using a custom session handler,
> such as saving session data in MySQL?

Security!

The default location for PHP to store session data is the tmp directory of the host OS (like /tmp), and in most cases these files are readable by the webserver... and by all other scripts it's running. So if you're hosting your site on a shared server, other users can read your session data. That's fine as long as you don't use it to store critical information like username, password.

Some more info on this topic:
http://shiflett.org/talks/phpworks2004-php-session-security/

regards,
Ewout

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Session handlers
In article [EMAIL PROTECTED], Ewout De Boer wrote:
> ----- Original Message -----
> From: Shawn McKenzie [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Saturday, October 02, 2004 2:11 AM
> Subject: [PHP] Session handlers
>
> > Just curious, what is the advantage of using a custom session handler,
> > such as saving session data in MySQL?
>
> Security!
>
> The default location for PHP to store session data is the tmp directory
> of the host OS (like /tmp), and in most cases these files are readable by
> the webserver... and by all other scripts it's running. So if you're
> hosting your site on a shared server, other users can read your session
> data. That's fine as long as you don't use it to store critical
> information like username, password.

If others can read from your session.save_path, I'm pretty sure they'll be able to read the credentials you use in the scripts to connect to the database too. Which makes the security argument in this case invalid.

--
Kind regards,
Tim Van Wassenhove
http://www.timvw.info
Re: [PHP] Session handlers
--- Tim Van Wassenhove [EMAIL PROTECTED] wrote:
> If others can read from your session.save_path, I'm pretty sure they'll
> be able to read the credentials you use in the scripts to connect to the
> database too. Which makes the security argument in this case invalid.

You can store the database access credentials in a file that only root can read. Because the parent process in the case of Apache typically runs as root, it can read such a file, but the child processes that serve each request run as the user nobody, so they can't.

More information is available here:
http://shiflett.org/articles/security-corner-mar2004

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly              Coming December 2004
HTTP Developer's Handbook - Sams     http://httphandbook.org/
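One way to realise what Chris describes, written here as an added example (it is neither Chris's code nor text from his article): the root-owned Apache parent reads a credentials file while parsing its configuration and passes the values to each worker as request environment, so the worker running as nobody sees them in $_SERVER but cannot open the file itself. The file path, the SetEnv directive layout, the variable names DB_USER/DB_PASS and the DSN are all assumptions made for this example.

```php
<?php
// Added example: obtaining database credentials the PHP worker process
// cannot read from disk. Assumed layout (not quoted from the thread):
//
//   /etc/httpd/db-credentials.conf   owned by root, mode 0600, containing:
//       SetEnv DB_USER "app_user"
//       SetEnv DB_PASS "replace-me"
//
//   httpd.conf, inside the site's <VirtualHost> block:
//       Include /etc/httpd/db-credentials.conf
//
// Apache's parent process (root) reads the file once at startup; the child
// processes (nobody) receive DB_USER/DB_PASS in $_SERVER for every request
// served by that virtual host, and cannot open the file themselves.

function db_credentials(): array
{
    foreach (['DB_USER', 'DB_PASS'] as $key) {
        if (!isset($_SERVER[$key]) || $_SERVER[$key] === '') {
            // Fail closed: never fall back to a password hard-coded in the script.
            throw new RuntimeException("$key was not provided by the web server");
        }
    }
    $creds = ['user' => $_SERVER['DB_USER'], 'pass' => $_SERVER['DB_PASS']];

    // Assumed hygiene step: drop the values from $_SERVER so a later
    // var_dump($_SERVER) or error page does not print them.
    unset($_SERVER['DB_USER'], $_SERVER['DB_PASS']);
    return $creds;
}

$creds = db_credentials();
$db = new PDO('mysql:host=localhost;dbname=app', $creds['user'], $creds['pass'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
```

Two caveats worth knowing: SetEnv inside a VirtualHost only reaches scripts served by that host, so another customer's scripts on the same box see neither the file nor the variables; but getenv() and phpinfo() still expose the values within your own scripts, so phpinfo() has no place on a production host.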
[PHP] Session handlers
Just curious, what is the advantage of using a custom session handler, such as saving session data in MySQL?

TIA,
Shawn
Re: [PHP] Session handlers
Shawn McKenzie wrote:
> Just curious, what is the advantage of using a custom session handler,
> such as saving session data in MySQL?

The main reason you might want to store session information in a database instead of in files is that you can then load balance your site across multiple servers. If you save your session data in a file and the user is transferred from one load balanced server to another (e.g. with DNS round robin) in the middle of a transaction, the session data is lost.

If you are on a shared server it may also be possible for other users to take a peek at the contents of the session data if they are stored in files. (Of course you should not save sensitive data in the session anyway.)

> TIA,
> Shawn

--
Raditha Dissanayake.
http://www.radinks.com/sftp/ | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with Graphical User Interface. Just 128 KB | Mega Upload - PHP file uploader with progress bar.
RE: [PHP] Session handlers
I have used MySQL sessions and session handler routines to perform the following:

1. I was able to set different session timeouts for different applications as long as each application used a different session table. The garbage cleanup routines could be programmed to ignore the global session limit and use different session lifetimes for the different tables (a different set of routines for each application).

2. I was able to use the session table to look over site users' shoulders (so to speak) and by watching key session variables was able to monitor who was using different areas of the site. Obviously this kind of thing would be totally unmanageable for a public site, but on an intranet, I had phone numbers for all users and when something got hung, I was able to identify the user and give them a call while the problem was occurring. I also used this over-the-shoulder technique once to identify a hacker, and kicked him off the site by deleting his session entry, forcing him to log on again; of course his password had been changed, and this only slowed him down for a little while, but it sure felt good.

I'm sure there are many other uses, so I'll be watching this thread.

Warren Vail
(415) 667-0240
SF211-07-434

-----Original Message-----
From: Shawn McKenzie [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 01, 2004 5:11 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Session handlers

> Just curious, what is the advantage of using a custom session handler,
> such as saving session data in MySQL?
>
> TIA,
> Shawn
[PHP] PHP Session Handlers
Hi all,

I just read this tutorial:
http://www.phpbuilder.com/columns/ying2602.php3

I understand what each function does and what to do in each function. However, my question is this: If I write my own session handling functions, do I have to explicitly call them myself? If so, when do I call them?

Thanks
Re: [PHP] PHP Session Handlers
From: Paul Higgins [EMAIL PROTECTED]
> I just read this tutorial:
> http://www.phpbuilder.com/columns/ying2602.php3
>
> I understand what each function does and what to do in each function.
> However, my question is this: If I write my own session handling
> functions, do I have to explicitly call them myself? If so, when do I
> call them?

No, you'll just use sessions as normal and these functions will be used by PHP when needed. For instance, at the end of the script when PHP needs to save the current session variables, it'll call your write() function. You just use sessions as normal, though.

---John Holmes...
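A complete MySQL-backed handler, added here as an example and not code from the thread or from the phpbuilder tutorial, shows three things the replies above describe: PHP calls read()/write()/gc() itself once the handler is registered (John's point), the data lives in a table that other tenants of a shared host and other load-balanced nodes can reach only through the database (Raditha's point), and each application table can carry its own lifetime instead of the global session.gc_maxlifetime (Warren's first point). It assumes PHP 8.1 or later, the PDO MySQL driver, and a table of the constructed shape shown in the comment; the table name, DSN and credentials are placeholders.

```php
<?php
// Added example: a per-application MySQL session handler.
// Assumed table (constructed for this example, one per application):
//   CREATE TABLE intranet_sessions (
//     id      VARCHAR(128) NOT NULL PRIMARY KEY,
//     data    BLOB NOT NULL,
//     expires INT UNSIGNED NOT NULL
//   );

class MysqlSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private string $table;
    private int $lifetime;   // lifetime in seconds for this table only

    public function __construct(PDO $db, string $table, int $lifetime)
    {
        // Table names cannot be bound as statement parameters, so whitelist
        // the characters instead of interpolating arbitrary input.
        if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
            throw new InvalidArgumentException('unsafe session table name');
        }
        $this->db = $db;
        $this->table = $table;
        $this->lifetime = $lifetime;
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // $id arrives in the client's cookie: untrusted, so always bind it.
        $stmt = $this->db->prepare(
            "SELECT data FROM {$this->table} WHERE id = :id AND expires > :now");
        $stmt->execute([':id' => $id, ':now' => time()]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : $row['data'];   // '' means "no session yet"
    }

    public function write(string $id, string $data): bool
    {
        // PHP calls this at script end (or on session_write_close()).
        $stmt = $this->db->prepare(
            "REPLACE INTO {$this->table} (id, data, expires) VALUES (:id, :data, :exp)");
        return $stmt->execute([
            ':id' => $id, ':data' => $data, ':exp' => time() + $this->lifetime]);
    }

    public function destroy(string $id): bool
    {
        // Called by session_destroy(); deleting a row here logs that user out.
        $stmt = $this->db->prepare("DELETE FROM {$this->table} WHERE id = :id");
        return $stmt->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        // Ignore the global session.gc_maxlifetime; each table has its own expiry.
        $stmt = $this->db->prepare("DELETE FROM {$this->table} WHERE expires <= :now");
        $stmt->execute([':now' => time()]);
        return $stmt->rowCount();
    }
}

$db = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'replace-me', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// This application keeps its sessions for 8 hours in its own table.
$handler = new MysqlSessionHandler($db, 'intranet_sessions', 8 * 3600);
session_set_save_handler($handler, true);

// Cookie hardening: not readable by script, only over HTTPS, same-site.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// From here on sessions are used exactly as before; nothing in the
// application calls the handler methods directly.
$_SESSION['last_seen'] = time();
```

Because the session ID is client-controlled, read(), write() and destroy() bind it as a parameter rather than building SQL strings from it; a second application gets its own table and lifetime simply by constructing another handler with a different table name.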
Re: [PHP] PHP Session Handlers
Ok, thanks. One other question. If I use the example I cited earlier, are the session values still stored in a flat file? Or do I have to replace that with database entries?

Thanks.

> From: John W. Holmes [EMAIL PROTECTED]
> Reply-To: John W. Holmes [EMAIL PROTECTED]
> To: Paul Higgins [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: [PHP] PHP Session Handlers
> Date: Wed, 12 May 2004 15:14:36 -0400
>
> From: Paul Higgins [EMAIL PROTECTED]
> > I just read this tutorial:
> > http://www.phpbuilder.com/columns/ying2602.php3
> >
> > I understand what each function does and what to do in each function.
> > However, my question is this: If I write my own session handling
> > functions, do I have to explicitly call them myself? If so, when do I
> > call them?
>
> No, you'll just use sessions as normal and these functions will be used
> by PHP when needed. For instance, at the end of the script when PHP needs
> to save the current session variables, it'll call your write() function.
> You just use sessions as normal, though.
>
> ---John Holmes...