Store everything in the database in an encrypted form.

Stuart Dallas wrote:

> On 22 Dec 2011, at 19:34, Paul M Foster wrote:
>
>> I have concerns that the items in a session buffer can be copied and
>> used to spoof legitimate logins. This is harder to do when the info is
>> held in a database.
>
> Storing stuff in a database is no more secure, it simply requires one
> single extra step... finding the DB credentials in the source code. Given
> that the only way a user could read session data (assuming you're using
> the default session handler, i.e. file-based) is if they have access to
> those files.
>
> If they do have access to those files they almost certainly also have
> access to your source code (since the web user must be able to read both),
> especially if you're using a shared host. If you're using a dedicated
> server then you should address the reason you're worried about people
> having access to session files first.
>
> -Stuart
>
> --
> Stuart Dallas
> 3ft9 Ltd
> http://3ft9.com/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php