[ciapug] Securing session variables
David Champion
ciapug@cialug.org
Tue, 18 Nov 2003 11:42:02 -0600
Lathrop Preston wrote:
> Unless someone gets access to the server and places a file to read out
> the session contents (at which point session/no-session is not an issue
> any more)
>
> there really is no way for someone un-authorized to access session
> contents.
This could be an issue on a multi-user / multi-use server. On the system
I checked (Mandrake 9.1) PHP's defaults are set to write the session
data to /tmp and make it rw for only the "apache" user.
If those were to be readable by other users, they could dig through the
session data and try to find useful data, like usernames and passwords.
IMHO you should never store sensitive data in sessions or cookies. If
you have to, at least make a hash or something besides plain text.
-dc
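An added check that is not part of the post: a small POSIX shell audit of a PHP session.save_path directory that flags any sess_* file (PHP's session file naming convention) readable by group or others, which is the exposure described above on a shared server. The directory name is an argument; on a real host it would be whatever session.save_path is set to.

```shell
#!/bin/sh
# Audit a PHP session directory for session files readable by users other than
# the owning web-server account. Prints each offending file, one per line.
# Returns 0 when every sess_* file is owner-only readable, 1 otherwise.
check_session_perms() {
  dir="$1"
  # PHP names session files sess_<id>; match only regular files in that dir.
  # -perm -g+r / -perm -o+r select files whose group or "other" read bit is set.
  bad=$(find "$dir" -maxdepth 1 -type f -name 'sess_*' \
          \( -perm -g+r -o -perm -o+r \) 2>/dev/null)
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad"
    return 1
  fi
  return 0
}

# Constructed demo: a throwaway directory standing in for session.save_path,
# with one owner-only file and one group/world-readable file.
demo_dir=$(mktemp -d)
touch "$demo_dir/sess_ok" "$demo_dir/sess_leaky"
chmod 600 "$demo_dir/sess_ok"
chmod 644 "$demo_dir/sess_leaky"
if check_session_perms "$demo_dir"; then
  echo "no exposed session files in $demo_dir"
else
  echo "exposed session files found in $demo_dir (see list above)"
fi
rm -rf "$demo_dir"
```

A dedicated save_path directory owned by the web-server account with mode 0700 avoids relying on per-file modes inside a world-accessible /tmp.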