Re: Secure way to handle pw on session.

On Tue, 2008-09-02 at 12:58 -0700, mike wrote:
> As an additional note suhosin can transparently encrypt and decrypt  
> your session data for reasons just like the /tmp issue. It happens  
> without you needing to configure anything (except to enable or disable  
> it) I think it is enabled by default.

This won't help since the OP mentioned he was worried about code
injection exposing the contents of $_SESSION and presumably suhosin
doesn't prevent restoration of the session on page load.

Cheers,
Rob.
> On Sep 2, 2008, at 12:35 PM, "Dan Joseph" <dmjoseph@xxxxxxxxx> wrote:
> 
> > On Tue, Sep 2, 2008 at 3:27 PM, k bah <kbah@xxxxxxxxxxxxx> wrote:
> >
> >>
> >> Hi,
> >>
> >> I noticed session files are kept on /tmp for a while, and even if they
> >> were immediately deleted, well, someone could use one of my php scripts to
> >> inject code and read them, since they belong to the httpd user.
> >> What's the best way to receive passwords thru a form and store them in the
> >> $_SESSION while I process other information to decide whether or not that
> >> user is able to proceed and login (check to see if user is also allowed to
> >> use that service, not just validate user/pw)? I use https, always, no plain
> >> http is used.
> >>
> >> Thanks
> >>
> >> --
> >> Powered by Outblaze
> >>
> >> --
> >> PHP General Mailing List (http://www.php.net/)
> >> To unsubscribe, visit: http://www.php.net/unsub.php
> >>
> >>
> > I personally would recommend you never store passwords in $_SESSION.
> >
> > I don't know how your auth code works, but the way I've always done it would
> > be to process everything when you hit submit, with the password being in
> > $_POST or $_GET, then after you authenticate the user, drop it and don't
> > store it with sessions.  If you find you need it to be stored for other
> > things, I'd suggest rethinking the design/checking you're doing.
> >
> > -- 
> > -Dan Joseph
> >
> > www.canishosting.com - Plans start @ $1.99/month.
> >
> > "Build a man a fire, and he will be warm for the rest of the day.
> > Light a man on fire, and will be warm for the rest of his life."
> 
-- 
http://www.interjinn.com
Application and Templating Framework for PHP
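The design Dan describes (verify the password from $_POST in the same request, run the service-entitlement check, then drop the cleartext and keep only a non-secret marker in $_SESSION) as an added example; this is not code from the thread. It assumes a modern PHP with password_verify() and a hypothetical lookupUser() standing in for the real user store.

```php
<?php
declare(strict_types=1);
session_start();

// Constructed sample user record; a real application would query its database.
// The bcrypt hash is computed here only so the example runs stand-alone.
function lookupUser(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => [
                'id'       => 42,
                'hash'     => password_hash('correct horse', PASSWORD_DEFAULT),
                'services' => ['webmail'],   // services this account may use
            ],
        ];
    }
    return $users[$username] ?? null;
}

// Authenticate AND authorize in the one request that carries the password.
// Returns true when the user may proceed to $service.
function handleLogin(array $post, string $service): bool
{
    $user     = lookupUser($post['username'] ?? '');
    $password = $post['password'] ?? '';
    $verified = $user !== null && password_verify($password, $user['hash']);

    // Drop the cleartext as soon as verification is done. It must never be
    // copied into $_SESSION, whose file in /tmp is readable by the httpd user.
    unset($password, $post['password']);

    if (!$verified || !in_array($service, $user['services'], true)) {
        return false;
    }

    session_regenerate_id(true);          // new id after privilege change
    $_SESSION['user_id'] = $user['id'];   // only non-secret markers go in
    $_SESSION['service'] = $service;
    $_SESSION['auth_at'] = time();
    return true;
}

// Subsequent pages check the marker, never re-validate a stored password.
function isLoggedInFor(string $service): bool
{
    return isset($_SESSION['user_id']) && ($_SESSION['service'] ?? null) === $service;
}
```

With this layout an injected script that dumps $_SESSION sees a user id and a service name, not a credential, which is the exposure the original question was about.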
