Re: [Phplib-users] Sessions where are we going??
From: Donncha O C. <don...@tr...> - 2002-07-01 13:23:24
But I would use "session.save_path" to define a different directory for each site. ie.
/tmp/siteA
/tmp/siteB

If you use "safe_mode_include_dir" then each site will not get access to the other directories.

Just a thought for an extra layer of protection for the user:
The first time the user visits the site we set a cookie on their browser with some very random number as the key. Store the value of the key in the session.
Each time after that modify the key, set the cookie, and store it in the session.
If at a later date a black-hat finds a URL then they won't be able to load an authenticated session because they won't have the extra cookie, or their value will be incorrect.
If a black-hat has compromised the system they can simply modify prepend.php3 and mail that key to themselves and get in, but probably at that stage they'll have access to all the login details on the db anyway. *shrug*

What do you think?

Donncha.

On Monday 01 July 2002 13:28, Giancarlo wrote:
> > > Donncha O Caoimh wrote:
> > > > Take a look at this site, which I linked to from my howto last week,
> > > > Basically, each vhost gets its own directory, and even session name.
>
> But php4 session_name counts nothing.
> If siteA and siteB store in the same dir, /tmp,
> a session created by siteA with the URL
>
> http://www.siteA.com/i?PHPSESSID=foo
>
> can be accessed by siteB, whose session name is 'Peppino', with:
>
> http://www.siteB.com/?Peppino=foo
>
> because 'PHPSESSID' or 'Peppino' count nothing, in PHP4 session parlance.
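Donncha's rotating second-cookie check, written out as an added example that is not code from this thread or from PHPLib. It targets a modern PHP (7.3 or later, for random_bytes(), hash_equals() and the array form of setcookie()); the cookie name `sbind` and the session key `bind_token` are assumed names, and a per-vhost session.save_path as discussed above is taken for granted.

```php
<?php
// Added example: bind a PHP session to a browser with a second random cookie
// that is stored in the session and rotated on every request.

const BIND_COOKIE = 'sbind';          // secondary cookie name (assumed)

// Generate a fresh random binding token (256 bits, hex encoded).
function newBindToken(): string {
    return bin2hex(random_bytes(32));
}

// Rotate the binding token: store the new value in the session and
// push it to the browser as a cookie that page scripts cannot read.
function rotateBindToken(): void {
    $token = newBindToken();
    $_SESSION['bind_token'] = $token;
    setcookie(BIND_COOKIE, $token, [
        'expires'  => 0,              // browser-session cookie
        'path'     => '/',
        'secure'   => true,           // only sent over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// True when the presented cookie matches the token held in the session.
// False means the session ID arrived without the cookie (for example from
// a leaked URL) or with a stale value; the comparison is constant-time.
function bindTokenValid(array $session, array $cookies): bool {
    if (!isset($session['bind_token'], $cookies[BIND_COOKIE])) {
        return false;
    }
    return hash_equals($session['bind_token'], (string)$cookies[BIND_COOKIE]);
}

session_start();
if (!isset($_SESSION['bind_token'])) {
    // First visit: create the token alongside the new session.
    rotateBindToken();
} elseif (!bindTokenValid($_SESSION, $_COOKIE)) {
    // Session ID presented without the matching cookie: discard the session.
    session_unset();
    session_destroy();
    http_response_code(403);
    exit('Session could not be verified.');
} else {
    // Good request: rotate so a captured URL goes stale immediately.
    rotateBindToken();
}
```

Because the token changes on every request, parallel requests from the same browser (for example concurrent AJAX calls) can race and fail the check, so in practice rotate on login and on a timer rather than every hit. The token binds the browser to the session but does nothing against another vhost reading the same save_path; that is what the separate directories above address.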