On 9 Apr 2005 Ryan A wrote:

> This certainly has turned out to be an interesting discussion..... I
> usually send the info via sessions... how bad is that?

Well, if you are using sessions it is worth thinking about session security, for example:

http://shiflett.org/articles/the-truth-about-sessions
http://www.acros.si/papers/session_fixation.pdf

Beyond that -- what info are you sending? Session data is stored on the server, not at the client, so the security is as good as for anything else on the server (assuming of course that session data is outside the web document tree).

Personally there is little if any data that I would encrypt when saving it as session data (maybe CC numbers, if I had to save them across pages at all, or maybe passwords, but nothing else), because I think that's a weak defense. If access to your session data means they have gained access to the server, then they can also find the code you use to decrypt that session data, so it is just one more small obstacle, not a true defense.

Another point is that this might require a different analysis on a shared vs. dedicated server, as a shared server may well be less secure than a dedicated server, and a dedicated server you don't physically control (e.g. colocated) may be less secure than one you do.

--
Tom

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
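As an added example (not code from this thread), here is a PHP session bootstrap that puts Tom's points into practice: session files kept outside the document tree, server-issued IDs only (the fixation defence from the linked paper), and the ID regenerated at login. The save path, function names and idle timeout are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example: hardened session handling for the concerns raised in the thread.
// Assumptions: the save path below exists, is writable by the web server user only,
// and lies outside the web document tree.

function startSecureSession(string $savePath = '/var/lib/php/sessions-app'): void
{
    // Reject session IDs the server never issued; this blocks the classic
    // fixation case where an attacker hands the victim a chosen ID.
    ini_set('session.use_strict_mode', '1');
    // Accept the ID from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Keep session files out of the document tree (the thread's caveat).
    session_save_path($savePath);

    session_set_cookie_params([
        'lifetime' => 0,        // expires with the browser session
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable by script
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once credentials have been verified. Regenerating the ID at the
// moment of privilege change means any ID known before login is worthless.
function promoteSession(int $userId): void
{
    session_regenerate_id(true); // true = delete the old session file
    $_SESSION = [
        'user_id'   => $userId,
        'last_seen' => time(),
    ];
}

// Call on every request that touches authenticated state; enforces an
// idle timeout so an abandoned session cannot be reused indefinitely.
function sessionIsValid(int $maxIdle = 1800): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_seen'])) {
        return false;
    }
    if (time() - $_SESSION['last_seen'] > $maxIdle) {
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}
```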