On Wed, 2009-07-22 at 08:32 -0400, Floyd Resler wrote:
> You can do so much more with storing sessions in a database. For
> example, I can determine which of my users is currently on by looking
> in the sessions table. Not only does using a database for sessions
> offer more security, it also offers more flexibility.
>
> Take care,
> Floyd
>
> On Jul 22, 2009, at 5:13 AM, Ashley Sheridan wrote:
>
> > On Wed, 2009-07-22 at 16:07 +0700, Lenin wrote:
> >> On Wed, Jul 22, 2009 at 2:46 PM, Ashley Sheridan
> >> <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
> >>
> >>> On Wed, 2009-07-22 at 03:45 +0700, Lenin wrote:
> >>>
> >>>> As Floyd suggested keeping your sessions in the DB will give you
> >>>> better session management and security as well.
> >>>
> >>> Why would putting the session data in a database offer more
> >>> security? I'm not meaning to try and poke holes in your idea, I
> >>> genuinely don't know the answer!
> >>>
> >> *Storing Session Data In A Database*
> >>
> >> When you use on-disk files to store session data, those files must
> >> be readable and writeable by PHP. On a multi-user hosting system, it
> >> is possible for other users to access your session data through the
> >> PHP process (but see the commentary on open_basedir in part 5 of
> >> this series). The best way to secure your session data is to store
> >> it in a database.
> >>
> >> source: http://www.acunetix.com/websitesecurity/php-security-6.htm
> >>
> >> I have also studied the Zend Certification Study Guide by Davey
> >> Shafik and Ben Ramsey, who said similar things in the book.
> >>
> >> Lenin
> >>
> >> http://twitter.com/nine_L
> >
> > And is the database not readable and writeable by PHP? Just seems
> > that this sort of thing could be properly sorted by the right
> > permissions level on the file, as I assume you'd be protecting the
> > database in a similar manner by locking down that to specific users,
> > and determining what they could and couldn't do.
> >
> > Thanks
> > Ash
> > www.ashleysheridan.co.uk
>

But *how* does it offer more security? You've not actually mentioned
that!

Thanks
Ash
www.ashleysheridan.co.uk

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php