On Tue, April 10, 2007 7:45 pm, Edward Vermillion wrote:
>
> On Apr 10, 2007, at 6:59 PM, Richard Lynch wrote:
>
>> On Mon, April 9, 2007 9:45 am, Davi wrote:
>
> Yes... but isn't it true that unless the default settings have
> changed that the sessions are stored in the server's temp directory
> (in plain text), which is 0666 on most systems, which means that if
> you have shell access to the server (comes with a lot of hosting
> plans) then you probably have at least read access to the session
> files, even if the sticky bit is set and you can't write to them?
>
> So any 'sensitive' data sitting in sessions is for all intents and
> purposes visible to at least someone in the outside world, or you
> should at least treat the sessions that way.
>
> Or am I completely misreading the manual on sessions?

If you are on a shared server, and if you are using the default session
handler, and if users you do not trust have shell access, then, yes, your
sessions are at risk of reading, and probably writing, by other PHP
scripts...

OTOH, if you are on a shared server, and if users you do not trust have
shell access [or, more accurately, users the webhost does not trust],
then your session files are probably not the biggest risk.

A shared server is not as secure as a dedicated server, in almost all
cases.

That does not mean it's not "secure enough" -- THAT depends on what you
are DOING with your shared server.

Are there any banks running their online banking on a shared server? No.

Should every shared server user run out and upgrade? No.

Should you weigh the Risks and Benefits and make a rational decision
based on YOUR needs? Yes.

YMMV

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
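Added example, not from this thread or from PHP's own documentation: the mitigation for the shared-host risk discussed above is to move the default file-based session store out of the shared temp directory into a per-application directory that only the web-server user can enter. The path '/var/lib/myapp/sessions' is a placeholder; the script refuses to start a session if the directory is reachable by group or other.

```php
<?php
// Added example (not code from the mailing-list thread). Keeps PHP's
// default "files" session handler but points session.save_path at a
// directory with owner-only permissions, so other shell users on a
// shared host cannot traverse it to read the session files.

function privateSessionDir(string $dir): string
{
    // Create the directory owner-only if it does not exist yet.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session dir: $dir");
    }
    // The process umask may have widened the mode at creation; force 0700.
    chmod($dir, 0700);
    clearstatcache(true, $dir);
    $mode = fileperms($dir) & 0777;
    // Any group/other bit means another local user can list or enter it.
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf(
            'session dir %s has mode %04o, expected 0700', $dir, $mode
        ));
    }
    // The directory must also belong to the user running PHP, otherwise
    // the owner (not us) controls who can read the session files.
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        throw new RuntimeException("session dir $dir is not owned by this process");
    }
    return $dir;
}

// Placeholder path: pick one outside the document root and outside /tmp.
$dir = privateSessionDir('/var/lib/myapp/sessions');
ini_set('session.save_path', $dir);

session_start();
$_SESSION['touched'] = time();
echo 'session files are in ', session_save_path(), PHP_EOL;
```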