> Is there any way restricting people from retrieving file names (where
> open_basedir and safe_mode obviously won't help), besides adding glob to
> disable_functions in php.ini?
If I understand you correctly, only files owned by the script owner (thus potentially the Apache user) are disclosed. Because sessions in a common directory are not secure regardless of whether you can read the session filenames or not (you can reveal them from some logs), it's better to store session files in different directories for each virtual host. This way, a user can read other users' session filenames, but she can't use them for anything. We use it on my company's hosting and I believe it's secure enough.

P.S. I'm on your side with securing glob(), but it will not solve all security risks with session files stored in a common directory.

Jakub Vrana

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
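As an added illustration of the per-virtual-host layout described above (this is not configuration from the original message or from any real hosting setup; hostnames and paths are made up), each vhost gets its own session.save_path locked with php_admin_value, so a script in one vhost cannot re-point its session handler at a neighbour's directory even if it can list the filenames there:

```apache
# Added example: one session directory per virtual host (hostnames and paths are made up).
# php_admin_value cannot be overridden from .htaccess, php_value or ini_set(),
# which is what makes a leaked session filename from another vhost useless:
# the session handler of this vhost only ever looks in its own save_path.
<VirtualHost *:80>
    ServerName alice.example
    DocumentRoot /var/www/alice/public
    # The directory must exist beforehand, owned by the PHP process user, mode 0700.
    php_admin_value session.save_path "/var/lib/php/sessions/alice.example"
    # open_basedir has to include the session directory or session writes fail.
    php_admin_value open_basedir "/var/www/alice:/var/lib/php/sessions/alice.example:/tmp"
</VirtualHost>

<VirtualHost *:80>
    ServerName bob.example
    DocumentRoot /var/www/bob/public
    php_admin_value session.save_path "/var/lib/php/sessions/bob.example"
    php_admin_value open_basedir "/var/www/bob:/var/lib/php/sessions/bob.example:/tmp"
</VirtualHost>
```

Under plain mod_php every vhost runs as the same Apache user, so directory permissions alone do not separate them; the locked-down save_path directive is what provides the separation.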