Re: [Phplib-users] Sessions where are we going??
From: Donncha O C. <don...@tr...> - 2002-07-01 09:38:08
Take a look at this site, which I linked to from my howto last week, it should
help solve some of the security issues with php4 sessions.

http://www.webkreator.com/php/configuration/php-session-security.html

Basically, each vhost gets its own directory, and even session name. That
should help to stop people stealing sessions from one vhost to another. If
you can chmod 700 and chown nobody:nobody the directory then local users
can't inspect those directories (unless they look at them through a script
running as nobody of course but the same applies to using a db as a backend,
almost).

Is there a phplib-dev mailing list? Hmm, no, scrap that if there is, the
number of people interested in developing the library seems to be low.
Perhaps the discussion should happen here.

The auth->start() stuff is/was scary and I won't pretend to understand all of
it but I'd like to help in some way.

Donncha.

On Saturday 29 June 2002 17:02, Giancarlo wrote:
> At 17:39, Saturday 29 June 2002, Matt Williams wrote:
> > As we are now well into PHP 4 would it not be better to put the full
> > weight of php4 session capabilities into phplib?
>
> IMHO PHP4 session is a scam. There is some unknown reason why it has been
> impossible, for almost two years now, to block creation of user-provided
> sids, and most grievous, to have any setting that provides a cookie-only
> session management.

[snip]
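
One way to check the per-vhost layout described in the message above (a private session directory per vhost, mode 700, owned by the web server account), as an added example that is not part of the original post or of phplib. It assumes GNU `stat`, a numeric uid for the web server account, and a constructed "vhost directory" input format; the function name `audit_session_dirs` is hypothetical.

```shell
#!/bin/bash
# Added example: audit per-vhost PHP session directories.
# stdin: one "vhost directory" pair per line (constructed format, an assumption).
# $1:    numeric uid the web server runs as, e.g. the output of `id -u nobody`.
# Exit status is 0 only when every directory passes all three checks.
audit_session_dirs() {
    local web_uid="$1" vhost dir mode owner real seen="|" problems=0
    while read -r vhost dir; do
        [ -n "$vhost" ] || continue
        if [ ! -d "$dir" ]; then
            echo "FAIL $vhost: $dir is missing"
            problems=$((problems + 1)); continue
        fi
        mode=$(stat -c '%a' "$dir")     # octal permission bits (GNU stat)
        owner=$(stat -c '%u' "$dir")    # numeric owner uid
        # Resolve symlinks so two names for one directory count as shared.
        real=$(cd "$dir" 2>/dev/null && pwd -P) || real="$dir"

        # 1. Only the owner may list or read session files.
        if [ "$mode" != "700" ]; then
            echo "FAIL $vhost: $dir has mode $mode, expected 700"
            problems=$((problems + 1))
        fi
        # 2. The owner must be the account the web server runs as.
        if [ "$owner" != "$web_uid" ]; then
            echo "FAIL $vhost: $dir owned by uid $owner, expected $web_uid"
            problems=$((problems + 1))
        fi
        # 3. No two vhosts may share a session directory.
        case "$seen" in
            *"|$real|"*)
                echo "FAIL $vhost: $dir is shared with another vhost"
                problems=$((problems + 1)) ;;
        esac
        seen="$seen$real|"
    done
    [ "$problems" -eq 0 ]
}
```

Feed it the vhost-to-directory mapping on stdin, for example `audit_session_dirs "$(id -u nobody)" < vhost_dirs.txt`, where `vhost_dirs.txt` is a placeholder file name.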