> - Original Message -
> From: "Dan Joseph" <[EMAIL PROTECTED]>
> To: php-general@lists.php.net
> Subject: Re: [PHP] Secure way to handle pw on session.
> Date: Tue, 2 Sep 2008 15:35:26 -0400
>
>
> On Tue, Sep 2, 2008 at 3:27 PM, k bah &
On Tue, Sep 2, 2008 at 5:58 PM, Diogo Neves <[EMAIL PROTECTED]> wrote:
>
>
> On Tue, Sep 2, 2008 at 9:10 PM, Eric Butera <[EMAIL PROTECTED]> wrote:
>>
>> On Tue, Sep 2, 2008 at 4:06 PM, Robert Cummings <[EMAIL PROTECTED]>
>> wrote:
>> > On Tue, 2008-09-02 at 12:58 -0700, mike wrote:
>> >> As an add
On Tue, Sep 2, 2008 at 9:10 PM, Eric Butera <[EMAIL PROTECTED]> wrote:
> On Tue, Sep 2, 2008 at 4:06 PM, Robert Cummings <[EMAIL PROTECTED]>
> wrote:
> > On Tue, 2008-09-02 at 12:58 -0700, mike wrote:
> >> As an additional note suhosin can transparently encrypt and decrypt
> >> your session data f
I thought he'd be more worried about something like 'cat /tmp/sess_*'.
Also, you can enable the save_path in the ini file or htaccess file and
then disable the PHP function in the ini file.
Thank you,
Micah Gersten
onShore Networks
Internal Developer
http://www.onshore.com
Robert Cummings wrote
On Tue, 2008-09-02 at 16:22 -0500, Micah Gersten wrote:
> If one does not know where the session data is, one cannot inject code
> to expose it.
PHP knows where the session data is, the very function you gave provides
the path to it also. If you've got code injection then you've got
someone who ca
If one does not know where the session data is, one cannot inject code
to expose it.
Thank you,
Micah Gersten
onShore Networks
Internal Developer
http://www.onshore.com
Robert Cummings wrote:
> On Tue, 2008-09-02 at 14:45 -0500, Micah Gersten wrote:
>
>> Take a look at this:
>> http://us2.ph
On Tue, 2008-09-02 at 16:10 -0400, Eric Butera wrote:
> On Tue, Sep 2, 2008 at 4:06 PM, Robert Cummings <[EMAIL PROTECTED]> wrote:
> > On Tue, 2008-09-02 at 12:58 -0700, mike wrote:
> >> As an additional note suhosin can transparently encrypt and decrypt
> >> your session data for reasons just like
On Tue, Sep 2, 2008 at 4:06 PM, Robert Cummings <[EMAIL PROTECTED]> wrote:
> On Tue, 2008-09-02 at 12:58 -0700, mike wrote:
>> As an additional note suhosin can transparently encrypt and decrypt
>> your session data for reasons just like the /tmp issue. It happens
>> without you needing to configur
On Tue, 2008-09-02 at 12:58 -0700, mike wrote:
> As an additional note suhosin can transparently encrypt and decrypt
> your session data for reasons just like the /tmp issue. It happens
> without you needing to configure anything (except to enable or disable
> it) I think it is enabled by def
On Tue, 2008-09-02 at 14:45 -0500, Micah Gersten wrote:
> Take a look at this:
> http://us2.php.net/manual/en/function.session-save-path.php
This won't help since the OP mentioned he was worried about code
injection exposing the contents of $_SESSION.
Cheers,
Rob.
--
http://www.interjinn.com
App
As an additional note suhosin can transparently encrypt and decrypt
your session data for reasons just like the /tmp issue. It happens
without you needing to configure anything (except to enable or disable
it) I think it is enabled by default.
On Sep 2, 2008, at 12:35 PM, "Dan Joseph" <[EMA
Take a look at this:
http://us2.php.net/manual/en/function.session-save-path.php
Thank you,
Micah Gersten
onShore Networks
Internal Developer
http://www.onshore.com
k bah wrote:
> Hi,
>
> I noticed session files are kept on /tmp for a while, and even if they were
> immediately deleted, well,
On Tue, Sep 2, 2008 at 3:27 PM, k bah <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I noticed session files are kept on /tmp for a while, and even if they
> were immediately deleted, well, someone could use one of my php scripts to
> inject code and read them, since they belong to the httpd user.
> Wh