In article <[EMAIL PROTECTED]>, Ewout De Boer wrote:
> 
> ----- Original Message ----- 
> From: "Shawn McKenzie" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, October 02, 2004 2:11 AM
> Subject: [PHP] Session handlers
> 
> 
>> Just curious, what is the advantage of using a custom session handler,
>> such as saving session data in MySQL?
> 
> Security!
> 
> The default location for PHP to store session data is the tmp directory of
> the host OS (like /tmp), and in most cases these files are readable by the
> webserver... and by all other scripts it's running. So if you're hosting
> your site on a shared server, other users can read your session data. That's
> fine as long as you don't use it to store critical information like
> username, password....

If others can read from your session.save_path, I'm pretty sure
they'll be able to read the credentials you use in the scripts to connect to
the database too. Which makes the security argument in this case invalid.


-- 
Kind regards,
Tim Van Wassenhove <http://www.timvw.info>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
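
An added example, not part of the original thread: a small PHP audit that reports the mode and owner of the session store and of a database credentials file, and whether each is readable by the account the script runs as. The config file path is a hypothetical placeholder passed as the first argument.

```php
<?php
// Added example, not code from the thread.
// Usage (CLI): php audit.php /path/to/db-config.php   <- hypothetical placeholder path

// Resolve the directory the "files" session handler writes to.
function session_dir(): string
{
    // session.save_path may be "", "/path", "N;/path" or "N;MODE;/path".
    $parts = explode(';', session_save_path());
    $dir = end($parts);
    // With no path configured, the files handler falls back to the system temp dir.
    return $dir !== '' ? $dir : sys_get_temp_dir();
}

// Report who can read a path: every local account, and/or this process.
function exposure(string $path): array
{
    clearstatcache(true, $path);
    $perms = @fileperms($path);
    if ($perms === false) {
        return ['path' => $path, 'error' => 'cannot stat'];
    }
    $mode = $perms & 0777;
    return [
        'path'           => $path,
        'mode'           => sprintf('%04o', $mode),
        'owner_uid'      => fileowner($path),
        'world_readable' => (bool) ($mode & 0004),
        // True means any script running under this same account can read it too.
        'readable_here'  => is_readable($path),
    ];
}

$targets = [session_dir()];
if (isset($argv[1])) {
    $targets[] = $argv[1];
}

$euid = function_exists('posix_geteuid') ? posix_geteuid() : null;
echo 'Running as uid: ', $euid ?? 'unknown (posix extension not loaded)', "\n";
foreach ($targets as $target) {
    $r = exposure($target);
    if (isset($r['error'])) {
        echo "{$r['path']}: {$r['error']}\n";
        continue;
    }
    printf("%s mode=%s owner_uid=%d world_readable=%s readable_here=%s\n",
        $r['path'], $r['mode'], $r['owner_uid'],
        $r['world_readable'] ? 'yes' : 'no', $r['readable_here'] ? 'yes' : 'no');
}
```

The uid that matters is the one PHP runs under when serving requests, so the result from the CLI can differ from the result under the web server.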
