On Apr 10, 2007, at 6:59 PM, Richard Lynch wrote:
On Mon, April 9, 2007 9:45 am, Davi wrote:
Sessions are stored in the temporary's server folder... So... If I
known my
session ID and where it's stored, I can do something...
If your web-visitor can access and edit the session files stored in
the server temp folder, you have *MUCH* bigger problems in any
real-world situation!
You might as well give your server away, since you no longer own it,
really.
Yes... but isn't it true that unless the default settings have
changed that the sessions are stored in the servers temp directory
(in plain text), which is 0666 on most systems, which means that if
you have shell access to the server (comes with a lot of hosting
plans) then you probably have at least read access to the session
files, even if the sticky bit is set and you can't write to them?
So any 'sensitive' data sitting in sessions is for all intents and
purposes visible to at least someone in the outside world, or you
should at least treat the sessions that way.
Or am I completely misreading the manual on sessions?
Ed
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
