Re: Doubt regarding session_destroy() in PHP 5

[Floyd Resler <fresler@xxxxxxxxxxxxx>]

With proper permissions I'm not sure that it's any more secure but it  
certainly is a whole lot more scalable.  And it is very easy to set  
up.  A web search will yield a lot of examples of using a database.  I  
use a PHP class which I really like.

Take care,
Floyd

On Jul 22, 2009, at 8:36 AM, Ashley Sheridan wrote:

> On Wed, 2009-07-22 at 08:32 -0400, Floyd Resler wrote:
> > You can do so much more with storing sessions in a database.  For
> > example, I can determine which of my users is currently on by looking
> > in the sessions table.  Not only does using a database for sessions
> > offer more security, it also offers more flexibility.
> >
> > Take care,
> > Floyd
> >
> > On Jul 22, 2009, at 5:13 AM, Ashley Sheridan wrote:
> >
> > > On Wed, 2009-07-22 at 16:07 +0700, Lenin wrote:
> > > > On Wed, Jul 22, 2009 at 2:46 PM, Ashley Sheridan
> > > > <ash@xxxxxxxxxxxxxxxxxxxx>wrote:
> > > >
> > > > > On Wed, 2009-07-22 at 03:45 +0700, Lenin wrote:
> > > >
> > > >
> > > > > > >
> > > > > > As Floyd suggested keeping your sessions in the DB will give you
> > > > > > better
> > > > > > session management and security as well.
> > > > >
> > > > > Why would putting the session data in a database offer more
> > > > > security?
> > > > > I'm not meaning to try and poke holes in your idea, I genuinely
> > > > > don't
> > > > > know the answer!
> > > > >
> > > > > *Storing Session Data In A Database
> > > > *When you use on-disk files to store session data, those files must
> > > > be
> > > > readable and writeable by PHP. On a multi-user hosting system, it  
> > > > is
> > > > possible for other users to access your session data through the
> > > > PHP process
> > > > (but see the commentary on open_basedir in part 5 of this series.
> > > > The best
> > > > way to secure your session data is to store it in a database.
> > > >
> > > > source: http://www.acunetix.com/websitesecurity/php-security-6.htm
> > > >
> > > > I have also studied Zend Certification Study guide by Davey Shafik
> > > > and Ben
> > > > Ramsey who said similar things in the book.
> > > >
> > > >
> > > > Lenin
> > > >
> > > > http://twitter.com/nine_L
> > >
> > > And is the database not readable and writeable by PHP? Just seems  
> > > that
> > > this sort of thing could be properly sorted by the right permissions
> > > level on the file, as I assume you'd be protecting the database in a
> > > similar manner by locking down that to specific users, and  
> > > determining
> > > what they could and couldn't do.
> > >
> > > Thanks
> > > Ash
> > > www.ashleysheridan.co.uk
> But *how* does it offer more security? You've not actually mentioned
> that!
>
> Thanks
> Ash
> www.ashleysheridan.co.uk


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php