Andrew Ballard wrote: > On Wed, Jul 22, 2009 at 9:59 AM, Robert Cummings<robert@xxxxxxxxxxxxx> wrote: >> A custom session handler that writes to files could easily encrypt session >> data so that only the user with the correct session ID can decrypt it. I >> think you're confusing the issue by claiming database sessions are more >> secure when what you really mean is that custom sessions are more secure >> than the default session system. >> > > What would you use for the encryption key? (I'm not saying you're > wrong here; I'm just not sure I see it.) If the key is the same for > all requests, then it is no more secure than if they were unencrypted, > other than not being able to read the contents in a text editor. If it > is based on the session_id, you can get that from the file name. > That's a little more secure, but not much. A value stored in $_SESSION > is out, for obvious reasons. I guess you could store the key in > $_COOKIE or even a use a combination of (or hash derived from) > session_id() and another value stored in $_COOKIE as the key. > > It seems to me that anything you can do to make file-based sessions > secure could also be layered into a database approach, making the > database sessions even that much more secure. > > Andrew Well, if you're using a custom session handler to encrypt the files, then you can also determine what the session file names are. So don't put the session id in the file name. Maybe use a secure hash of the session id for the filename and then use the session id as the encryption key. -- Thanks! -Shawn http://www.spidean.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
