Re: Session Authentication

On Apr 10, 2007, at 6:59 PM, Richard Lynch wrote:

On Mon, April 9, 2007 9:45 am, Davi wrote:
Sessions are stored in the server's temporary folder... So... If I know my session ID and where it's stored, I can do something...

If your web-visitor can access and edit the session files stored in
the server temp folder, you have *MUCH* bigger problems in any
real-world situation!

You might as well give your server away, since you no longer own it,
really.


Yes... but isn't it true that, unless the default settings have changed, the sessions are stored in the server's temp directory (in plain text), which is 0666 on most systems, which means that if you have shell access to the server (comes with a lot of hosting plans) then you probably have at least read access to the session files, even if the sticky bit is set and you can't write to them?

So any 'sensitive' data sitting in sessions is for all intents and purposes visible to at least someone in the outside world, or you should at least treat the sessions that way.

Or am I completely misreading the manual on sessions?

Ed

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
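The concern raised in the thread is that session files left in a shared temp directory can be read by other local accounts. The following is an added example, not code from the thread or from PHP itself: a small POSIX shell audit that lists sess_* files whose mode bits grant read access to group or other, plus a helper that tightens the directory and files. The demo directory and its two constructed session files are stand-ins for a real session.save_path; it assumes find(1), mktemp(1) and chmod(1) are available.

```shell
#!/bin/sh
# Added example: audit a PHP session.save_path for session files that other
# local users can read, and tighten them. Not part of the original thread.

# List sess_* files directly under $1 whose mode grants read to group (040)
# or other (004). find(1) tests mode bits, so this works regardless of who
# runs the script.
audit_session_dir() {
    find "$1" -maxdepth 1 -type f -name 'sess_*' \
        \( -perm -040 -o -perm -004 \) 2>/dev/null
}

# Number of exposed files, suitable for a cron check or monitoring probe.
count_exposed() {
    audit_session_dir "$1" | wc -l | tr -d ' '
}

# Restrict the directory to its owner (0700) and each session file to 0600.
# In practice the owner should be the web server user, and the directory
# should be a dedicated path rather than the shared system temp directory.
harden_session_dir() {
    chmod 700 "$1" && \
    find "$1" -maxdepth 1 -type f -name 'sess_*' -exec chmod 600 {} +
}

# Constructed demo data: a throwaway directory mimicking a shared /tmp with
# one world-readable session file and one correctly restricted one.
demo_dir=$(mktemp -d)
printf 'user_id|i:42;' > "$demo_dir/sess_demo_exposed"
chmod 644 "$demo_dir/sess_demo_exposed"
printf 'user_id|i:7;'  > "$demo_dir/sess_demo_private"
chmod 600 "$demo_dir/sess_demo_private"

echo "Exposed session files before hardening:"
audit_session_dir "$demo_dir"
```

Point `audit_session_dir` at the value of session.save_path (or the system temp directory when it is unset) to see what a fellow shell user on the host could read.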

