09-15-2009, 06:11 PM | #14
Coyote6
I would recommend not just moving the location of the sessions, but rather storing them in a database and not in a file. No matter where you tell PHP to store the session in a file, it can easily be read if an attacker can place a script on the server and access it through the web. Also make sure to encode all session data so that it cannot easily be read.

But not a bad list to start with.