ridiculous
Posted March 24, 2007

Does it matter how and where they're stored? I was reading through this tutorial and I came across a discussion on where sessions are stored. I was under the impression that this wasn't something I had to worry about...

http://www.brainbell.com/tutorials/php/Where_To_Store_The_Sessions.htm

cmgmyr
Posted March 24, 2007

It's really up to you, you can also store them in a database...

ridiculous (Author)
Posted March 24, 2007

Another question: What happens when your site uses sessions to allow users access to certain pages but they've disabled cookies? I see this site, for instance, has the session number stored in the address bar. Is there a more clandestine way to handle such a situation?

ridiculous (Author)
Posted March 24, 2007

I see this in the php manual http://www.php.net/manual/en/ref.session.php

"A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL."

Doesn't sending the session id through the address bar pose a security risk? Should and CAN this be encrypted with mcrypt?

fert
Posted March 24, 2007

"Doesn't sending the session id through the address bar pose a security risk?"

No, because the sessions are usually stored outside of the web root directory.

wildteen88
Posted March 24, 2007

It could cause a session hijack. However, the person that hijacks your session has to be in the same room as you. Also, the session id is already encrypted. I believe by default it uses a random md5 hash for the session name.

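An added example, not part of the original thread or any poster's code: a cookie-only session setup in PHP that keeps the session id out of the address bar, the situation asked about above. The function names are hypothetical, and it assumes PHP 7.3+ served over HTTPS.

```php
<?php
// Added example; function names are hypothetical. Assumes PHP 7.3+ and HTTPS.
//
// Setup that puts the id in the address bar (as seen in the thread):
//   session.use_trans_sid = 1, session.use_only_cookies = 0
//   -> page.php?PHPSESSID=<id> lands in browser history, server and proxy
//      logs, bookmarks, pasted links and Referer headers.

function start_cookie_only_session(): void
{
    // Take the session id from the cookie only; ignore ids in the URL.
    ini_set('session.use_only_cookies', '1');
    // Never rewrite links or forms to append the session id.
    ini_set('session.use_trans_sid', '0');
    // Refuse ids the server did not issue itself.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',   // not sent on cross-site subrequests
    ]);
    session_start();
}

// Call at login: issue a fresh id so any id seen before login is useless.
function mark_logged_in(int $userId): void
{
    session_regenerate_id(true);   // true = delete the old session data
    $_SESSION['user_id'] = $userId;
}

// Gate for protected pages. Visitors with cookies disabled get no session
// here; they are asked to enable cookies rather than given a URL id.
function require_login(): int
{
    if (!isset($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Please log in with cookies enabled.');
    }
    return $_SESSION['user_id'];
}

start_cookie_only_session();
```
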
Archived
This topic is now archived and is closed to further replies.