Is session really so safe?

mcibor

7:46 pm on Nov 6, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm doing a second web page with login and password and have a security problem with storing information about the user. First I did it without using PHP sessions, but now I would like to. However, I heard about bugs #28242 and #28932.

I'm working on a shared server, so the bugs apply to me.
For now, to ensure safety, I was generating a random password for a specific user and storing it in a cookie (on the client's side, valid for 1 hour) and in a database on the server side. At every page change I was reading the password from the cookie, comparing it with the one stored in the database and then renewing the cookie for an hour. When logging out, only the database was updated.

Which is the better option: sessions still, or the method described above? The password generated was random numbers and letters, random length ranging from 10 to 255, case sensitive.

Thanks for any advice.
If needed I can present the source.

DrDoc

8:18 pm on Nov 6, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You can always configure the session information to be stored in a database instead of the default /tmp directory as a text file. That increases security substantially.

ergophobe

10:46 pm on Nov 6, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



For that matter, storing it anywhere but the /tmp file will improve security.

Tom

mincklerstraat

2:01 am on Nov 7, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



ergophobe's idea here can be deployed pretty easily.

Create a new directory, figure out its path from the root, and call session_save_path() [be2.php.net] (before session_start() is called), and you've moved your session storage to your own personal sessions directory.

mcibor

9:22 pm on Nov 7, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for help!