On Wed, 2009-07-22 at 16:07 +0700, Lenin wrote: > On Wed, Jul 22, 2009 at 2:46 PM, Ashley Sheridan > <ash@xxxxxxxxxxxxxxxxxxxx>wrote: > > > On Wed, 2009-07-22 at 03:45 +0700, Lenin wrote: > > > > > > > > > > > As Floyd suggested keeping your sessions in the DB will give you better > > > session management and security as well. > > > > Why would putting the session data in a database offer more security? > > I'm not meaning to try and poke holes in your idea, I genuinely don't > > know the answer! > > > > *Storing Session Data In A Database > *When you use on-disk files to store session data, those files must be > readable and writeable by PHP. On a multi-user hosting system, it is > possible for other users to access your session data through the PHP process > (but see the commentary on open_basedir in part 5 of this series. The best > way to secure your session data is to store it in a database. > > source: http://www.acunetix.com/websitesecurity/php-security-6.htm > > I have also studied Zend Certification Study guide by Davey Shafik and Ben > Ramsey who said similar things in the book. > > > Lenin > > http://twitter.com/nine_L And is the database not readable and writeable by PHP? Just seems that this sort of thing could be properly sorted by the right permissions level on the file, as I assume you'd be protecting the database in a similar manner by locking down that to specific users, and determining what they could and couldn't do. Thanks Ash www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
