On 12/22/2011 2:54 PM, Stuart Dallas wrote:
On 22 Dec 2011, at 19:34, Paul M Foster wrote:
I have concerns that the items in a session buffer can be copied and
used to spoof legitimate logins. This is harder to do when the info is
held in a database.
Storing stuff in a database is no more secure, it simply requires one single extra step... finding the DB credentials in the source code. Given that the only way a user could read session data (assuming you're using the default session handler, i.e. file-based) is if they have access to those files.
If they do have access to those files they almost certainly also have access to your source code (since the web user must be able to read both), especially if you're using a shared host. If you're using a dedicated server then you should address the reason you're worried about people having access to session files first.
-Stuart
Sessions are faster, one step to read the session array.
Encode a token e.g., MD5 the timestamp, and save it in the session buffer. Gets
pretty secure. If you're on a shared host with poor security, bad folks can do
anything on your site.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
