--- "John W. Holmes" <[EMAIL PROTECTED]> wrote:
> Pablo Gosse wrote:
>
> > As to your last point, can something else change the session vars
> > other than my php scripts, answers to that question are exactly what
> > I'm looking for.
>
> Other PHP scripts on the same server (doesn't have to be same domain)
> and most anything that can access the filesystem could modify the
> session files. If you're on a shared server, (default) sessions can be
> modified by other users. If you've got a dedicated server, sessions are
> safe. I'd recommend saving sessions in the database on a shared server.
John makes a good point, but on a shared server, I tend to not really worry about it. You're pretty much going to have to accept that your environment is less secure. This is one of the exchanges you make for paying less money.

For example, if you store your sessions in a database, it's pretty trivial for another user to write a PHP script that allows him/her to navigate the filesystem, searching for your database access credentials. After all, if Apache/PHP can read the file that contains this information, then it's fair game for anyone else on the same server. With your database access credentials, it's pretty easy to manipulate session data.

The safe_mode directive addresses many of these types of problems, but my guess is that the vast majority of shared hosts do not enable this, due to the negative impacts of its use (popular open source packages that won't run, etc.).

If security is super important to you, hopefully you can afford a dedicated server.

Hope that helps.

Chris

=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp

--
PHP General Mailing List (http://www.php.net/)
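As an added example (not part of the thread, not code by John or Chris), a PHP check a site owner can run on a shared host to see how exposed the file-based session store John describes is, and whether the safe_mode directive Chris mentions is on. It assumes a POSIX host; under mod_php every site runs as the same web-server uid, so directory permissions alone cannot separate one account's sessions from another's.

```php
<?php
// Added example: report how exposed this account's PHP session files are
// to other users on the same server. Assumes a POSIX host with the posix
// extension loaded; nothing here changes the configuration, it only reports.

function session_exposure_report(): array {
    $path = ini_get('session.save_path') ?: sys_get_temp_dir();
    // save_path may carry an "N;MODE;/path" prefix (dir depth and file mode); keep only the path.
    if (strpos($path, ';') !== false) {
        $path = substr($path, strrpos($path, ';') + 1);
    }
    $exists = file_exists($path);
    $perms  = $exists ? fileperms($path) & 01777 : 0;
    $owner  = $exists ? fileowner($path) : -1;
    $uid    = function_exists('posix_geteuid') ? posix_geteuid() : -1;

    $findings = [];
    if (ini_get('session.save_handler') === 'files') {
        if ($perms & 0002) {
            $findings[] = "$path is world-writable: any local user can drop files into the session directory";
        }
        if ($perms & 0004) {
            $findings[] = "$path is world-readable: other users can list session ids from the file names";
        }
        if ($uid !== -1 && $owner === $uid) {
            $findings[] = "$path is owned by the uid PHP runs as ($uid); every site sharing that uid can read and write these files";
        }
    }
    // safe_mode was removed in PHP 5.4, so this reports "off" on any modern host.
    if (!ini_get('safe_mode')) {
        $findings[] = "safe_mode is off: other accounts' scripts can open any file the web server user can read";
    }
    return [
        'save_handler' => ini_get('session.save_handler'),
        'save_path'    => $path,
        'perms'        => sprintf('%05o', $perms),
        'findings'     => $findings,
    ];
}

$report = session_exposure_report();
printf("handler=%s path=%s perms=%s\n", $report['save_handler'], $report['save_path'], $report['perms']);
foreach ($report['findings'] as $finding) {
    echo " - $finding\n";
}
```

Run it as `php session_check.php` from the account in question; an empty findings list means the directory is private to a uid no other site uses, which on most shared hosts requires per-user PHP execution (suEXEC or a FastCGI pool per account) rather than mod_php.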