On Thu, April 20, 2006 1:46 pm, Ben Liu wrote:
> After a bit more research, I think I understand why Jochem recommends
> use of session_save_path() rather than just naming each session
> differently. The former method provides more security as you can set
> the location where session cookies are stored. This will help prevent
> an attacker from gaining access to session information and then using
> it to gain inappropriate access to the application the session was
> created for or even other applications running on the same shared
> server. Anyway, I think that's why.

::Possible False Sense Of Security Alert::

If a Bad Guy can read the session data, moving it to a different
directory is probably not going to help, really...

Unless you are running with different Usernames for each client on your
shared server, using FastCGI + suexec or some similar method, the cookie
files are STILL just as readable by the same Bad Guys, using the same
methods.

They just have to change their to:

<?php $path = "/other/path/to/other/cookies";?>

before they start their damage.

There may well be other GREAT reasons for using a different save path,
or a different path for the Cookie, or session_name over each other,
but I don't think Security is the reason behind any of the choices.

I'd personally use ini_set as the last choice because it's remotely
possible that the setting can't be changed from within a script, as a
few are like that -- Or, worse, that they can be changed today, but in,
say PHP 6 or PHP 7, they won't be for some obscure reason we cannot
predict today.

session_name() seems less likely to just disappear completely as a
feature than a "minor" change to a php.ini setting and where it is
allowed.

But that's just my paranoid logic. :-)

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
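The reply's point is that a custom save path only matters when the directory is actually private to the OS user PHP runs as; otherwise every co-tenant with the same username can read the files wherever they sit. The following is an added example, not code from this thread or from PHP's own documentation, that makes that condition explicit: it refuses to start a session unless the save directory is owned by the effective user and carries no group/other permission bits. The directory location and the assumption that PHP runs as the site's own user (FastCGI + suexec or similar) are hypothetical.

```php
<?php
// Added example (not from the mailing-list thread).
// Assumes PHP runs as the site's own OS user (e.g. FastCGI + suexec);
// if it runs as a shared user such as www-data, the check passes but
// every other site under that user can still read the session files,
// which is exactly the caveat raised in the reply above.

function private_session_dir_ok(string $dir): bool
{
    if (!is_dir($dir)) {
        return false;
    }
    $st = stat($dir);
    if ($st === false) {
        return false;
    }
    // The directory must belong to the user this process runs as
    // (posix extension may be absent on some builds; skip if so).
    if (function_exists('posix_geteuid') && $st['uid'] !== posix_geteuid()) {
        return false;
    }
    // No group or other bits at all: effectively mode 0700.
    if (($st['mode'] & 0077) !== 0) {
        return false;
    }
    return true;
}

function start_private_session(string $dir): void
{
    if (!is_dir($dir)) {
        // Create it closed; the umask may widen mkdir's mode, so chmod again.
        if (!mkdir($dir, 0700, true)) {
            throw new RuntimeException("Cannot create session directory $dir");
        }
        chmod($dir, 0700);
    }
    if (!private_session_dir_ok($dir)) {
        throw new RuntimeException(
            "Refusing to store sessions in $dir: not owned by this user or readable by others"
        );
    }
    // Point the file session handler at the verified directory, then start.
    session_save_path($dir);
    session_start();
}

// Hypothetical location: under the account's HOME, outside the web root.
start_private_session(rtrim((string) getenv('HOME'), '/') . '/.php_sessions');
```

The check is worth running at startup rather than trusting a one-time chmod, because hosting control panels and deploy scripts sometimes reset permissions; a failure here is a configuration problem to fix, not something to silently fall back from by using the default /tmp path.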