--- Tim Van Wassenhove <euki@xxxxx> wrote:
> If others can read from your session.save_path, I'm pretty sure
> they'll be able to read the credentials you use in the scripts
> to connect the database too. Which makes the security argument
> in this case invalid.

You can store the database access credentials in a file that only root can read. Because the parent process in the case of Apache typically runs as root, it can read such a file, but the child processes that serve each request run as the user nobody, so they can't.

More information is available here:

http://shiflett.org/articles/security-corner-mar2004

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
HTTP Developer's Handbook - Sams
Coming December 2004
http://httphandbook.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
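
The setup described in the reply above, as an added example that is not part of the original message. It assumes the root-only file holds Apache SetEnv lines that the main configuration pulls in with Include; the file path, variable names, sample values and DSN are hypothetical.

```php
<?php
// Assumed Apache setup (hypothetical path, names and constructed values):
//
//   /etc/apache2/db-secrets.conf   owner root:root, mode 0600
//       SetEnv DB_USER "app_user"
//       SetEnv DB_PASS "constructed-sample-password"
//
//   Inside this site's <VirtualHost> block in the main configuration:
//       Include /etc/apache2/db-secrets.conf
//
// The root-owned parent parses the Include at startup. The unprivileged
// children receive the parsed values but cannot open the file itself.

const SECRETS_FILE = '/etc/apache2/db-secrets.conf'; // hypothetical path

function load_db_credentials(array $server): array
{
    // If this worker can read the file, the permissions are wrong and any
    // other script running as the same user can read it as well.
    if (is_readable(SECRETS_FILE)) {
        throw new RuntimeException('secrets file is readable by the web server user');
    }
    // Fail closed when the Include is missing or applies to another vhost.
    foreach (['DB_USER', 'DB_PASS'] as $key) {
        if (!isset($server[$key]) || $server[$key] === '') {
            throw new RuntimeException("missing $key in request environment");
        }
    }
    return [$server['DB_USER'], $server['DB_PASS']];
}

try {
    [$user, $pass] = load_db_credentials($_SERVER);
    $db = new PDO('mysql:host=localhost;dbname=app', $user, $pass, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
} catch (Throwable $e) {
    // Log only the exception class: a dump of $_SERVER or a stack trace
    // with call arguments can contain the credentials.
    error_log('db setup failed: ' . get_class($e));
    http_response_code(500);
    exit;
}
```

The values are visible in phpinfo() output and in any dump of $_SERVER, so neither should be reachable on a production host.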