Storing Sessions...

[ridiculous]

Does it matter how and where they're stored?

 

 

I was reading through this tutorial and I can across a discussion on where sessions are stored. I was under the impression that this wasn't something I had to worry about...

 

 

http://www.brainbell.com/tutorials/php/Where_To_Store_The_Sessions.htm

[cmgmyr]

it's really up to you, you can also store them in a database...

[ridiculous]

Another question:

 

What happens when your site uses sessions to allow users access to certain pages but they've disabled cookies?

 

I see this site, for instance, has the session number stored in the address bar. Is there a more clandestine way to handle such a situation?

[ridiculous]

I see this in the php manual http://www.php.net/manual/en/ref.session.php

 

 

"A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL."

 

 

 

Doesn't sending the session id through the address bar pose a security risk?

 

Should and CAN this be encrypted with mcrypt?

[fert]

Doesn't sending the session id through the address bar pose a security risk? 

No, because the sessions are usually stored outside of the web root directory.

[wildteen88]

It could cause a session hijack. However the person that hijacks your session has to be in the same room as you.

 

Also the session id is already encrypted. I believe by default it uses a random md5 hash for the session name.