08-10-2007, 11:46 PM
I have read that it could be possible for some one to change session varibles if you are using a shared hoast, if you leave the sessions in the defualt directory? is this correct? can i secure it by changing the directory?
i dont know much about this but on your server you can create a " _private " (or you already have one) folder and seemingly because its different from the _public (what you want the public to see) folder then the user cant access it or something like that, store it there and use the include php code it might do it but im really not the best person for that kind of stuff if im lucky ive got half of it right lol.
Im not totally sure if anyone can veiw the _private folder would be good to find out what happens.
(make sure you back things up before trying anything as im probably wrong)
ralph l mayo
08-11-2007, 06:38 AM
It's possible; it all depends on your host's configuration. Read the responses here for an explanation. (http://bugs.php.net/bug.php?id=28242) Look at your phpinfo() and see if it looks like the tmp directory is specific to your vhost, and look at the ownership and permissions of that directory. If you can't tell what's going on ask your host about it. It's marginally safer to store session data yourself in your database, where other users at least have to compromise your password or the password of a database superuser to poke around. Honestly even if it all checks out there's no legitimate expectation of privacy or security on a shared host. Consider virtual private hosting, which is getting very much cheaper lately, if you're doing anything where the consequences of having all your data exposed would be more than just annoying.