On Wed, Jul 22, 2009 at 9:59 AM, Robert Cummings <robert@xxxxxxxxxxxxx> wrote:
> A custom session handler that writes to files could easily encrypt session
> data so that only the user with the correct session ID can decrypt it. I
> think you're confusing the issue by claiming database sessions are more
> secure when what you really mean is that custom sessions are more secure
> than the default session system.

What would you use for the encryption key? (I'm not saying you're wrong here; I'm just not sure I see it.)

If the key is the same for all requests, then it is no more secure than if they were unencrypted, other than not being able to read the contents in a text editor. If it is based on the session_id, you can get that from the file name. That's a little more secure, but not much. A value stored in $_SESSION is out, for obvious reasons. I guess you could store the key in $_COOKIE, or even use a combination of (or hash derived from) session_id() and another value stored in $_COOKIE as the key.

It seems to me that anything you can do to make file-based sessions secure could also be layered into a database approach, making the database sessions even that much more secure.

Andrew

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
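The following is an added example, not code posted by either participant in this thread. It implements the key-derivation idea Andrew sketches (a key built from session_id() plus a random value that lives only in a second cookie) as a file-backed SessionHandlerInterface, and goes one step further than the post by mixing in a server-side pepper so that the session ID visible in the file name is never sufficient on its own to decrypt the file. It assumes PHP 8.0 or later with ext-sodium; the class name, the `sess_key` cookie and the `SESSION_PEPPER` environment variable are hypothetical names chosen for this example.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). File-backed session handler whose
// per-session key is derived from session_id(), a random client-held cookie
// and a server-only pepper. Assumes PHP 8.0+ with ext-sodium. The class name,
// the sess_key cookie and SESSION_PEPPER are hypothetical.

final class EncryptedFileSessionHandler implements SessionHandlerInterface
{
    public function __construct(
        private string $savePath,     // directory holding the sess_* files
        private string $serverPepper, // 32 raw bytes, never sent to the client
        private string $clientSecret, // random value held only in the browser cookie
    ) {}

    public function open(string $path, string $name): bool
    {
        return is_dir($this->savePath) || mkdir($this->savePath, 0700, true);
    }

    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $file = $this->fileFor($id);
        if (!is_file($file)) {
            return '';                      // brand-new session, nothing stored yet
        }
        $blob     = file_get_contents($file);
        $nonceLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
        if ($blob === false || strlen($blob) < $nonceLen + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
            return '';
        }
        $plain = sodium_crypto_secretbox_open(
            substr($blob, $nonceLen), substr($blob, 0, $nonceLen), $this->keyFor($id));
        // Wrong cookie, wrong pepper or a tampered file all fail the MAC: treat as empty.
        return $plain === false ? '' : $plain;
    }

    public function write(string $id, string $data): bool
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);   // fresh nonce per write
        $blob  = $nonce . sodium_crypto_secretbox($data, $nonce, $this->keyFor($id));
        return file_put_contents($this->fileFor($id), $blob, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $file = $this->fileFor($id);
        return !is_file($file) || unlink($file);
    }

    public function gc(int $max_lifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->savePath . '/sess_*') ?: [] as $file) {
            if (filemtime($file) + $max_lifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }

    private function fileFor(string $id): string
    {
        // PHP's own ids use [A-Za-z0-9,-]; refuse anything else so a forged
        // PHPSESSID cookie cannot be used to walk the filesystem.
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            throw new RuntimeException('malformed session id');
        }
        return $this->savePath . '/sess_' . $id;
    }

    private function keyFor(string $id): string
    {
        // key = BLAKE2b(key = pepper, message = clientSecret || 0x00 || id).
        // Someone who can read the session directory sees the id in the file
        // name but holds neither the client cookie nor the pepper.
        return sodium_crypto_generichash(
            $this->clientSecret . "\0" . $id, $this->serverPepper,
            SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
    }
}

// Bootstrap: mint the client-side secret cookie on first visit, then install
// the handler before session_start().
$clientSecret = $_COOKIE['sess_key'] ?? '';
if (!preg_match('/^[0-9a-f]{64}$/', $clientSecret)) {
    $clientSecret = bin2hex(random_bytes(32));
    setcookie('sess_key', $clientSecret,
        ['httponly' => true, 'secure' => true, 'samesite' => 'Lax', 'path' => '/']);
}
$pepper = hex2bin((string) getenv('SESSION_PEPPER'));   // expects 64 hex chars
if ($pepper === false || strlen($pepper) !== 32) {
    throw new RuntimeException('SESSION_PEPPER must be 32 bytes given as hex');
}
$handler = new EncryptedFileSessionHandler(sys_get_temp_dir() . '/encsess', $pepper, $clientSecret);
session_set_save_handler($handler, true);
session_start();
```

Two design points worth noting. The secret cookie is a second value the browser presents alongside PHPSESSID, so a request that carries only the session ID (for example one replayed from a log) decrypts to an empty session rather than to the victim's data; the pepper additionally means that a copy of the session directory is useless without access to the server's configuration. And because a lost or rotated cookie makes every existing file undecryptable for that client, the handler deliberately returns an empty session instead of an error, which is the same behaviour PHP shows for an expired session.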