Reply to Re: [PHP] A question...


Posted by "Richard Lynch" on 10/21/69 11:31

On Tue, November 8, 2005 3:48 pm, Tony Di Croce wrote:
> Oops!
>
> I meant SESSION[]! Thanks guys...
>
> So then the question becomes, is storing stuff in SESSION[] insecure?
> Is there any point to encrypting what I store in SESSION[]?

On a shared server, this would be a really Good Idea (tm) if other
users co-hosted on that server can read your session files.

On a dedicated server, it could be considered a Defense in Depth
technique, so that if somebody manages to get logged in, they can't as
quickly and easily start snagging PHP session data... If that's what
they were after in the first place.

You have to weigh benefits and risks of what you are storing as well.
If all you store about me is that I want "bluesilver" for my Forum
skin, well, whoop-de-doo if somebody else reads that.

If you're storing my PASSWORD in there, and I'm probably using the
same damn stupid password for all these thousand forum logins, then,
yeah, maybe you oughta protect that pretty hard.

PS
Still want to be careful about dumping out $_SESSION in all its glory.

--
Like Music?
http://l-i-e.com/artists.htm
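
One way to do the encryption discussed in the reply above, as an added example that is not part of the original post: a session handler that encrypts the serialized `$_SESSION` data before PHP writes it to the session file. It assumes PHP 8.0 or later with the sodium extension; the class name and the `SESSION_KEY_HEX` environment variable are hypothetical.

```php
<?php
// Added example, not from the original thread. Assumes PHP >= 8.0 + ext-sodium.
// Wraps PHP's built-in save handler so the bytes on disk are ciphertext.
final class EncryptedSessionHandler extends SessionHandler
{
    private const MIN_LEN = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;

    public function __construct(private string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('session key must be 32 bytes');
        }
    }

    public function read(string $id): string|false
    {
        $stored = parent::read($id);
        if ($stored === false || $stored === '') {
            return ''; // new or empty session
        }
        $raw = base64_decode($stored, true);
        if ($raw === false || strlen($raw) < self::MIN_LEN) {
            return ''; // not written by this handler, or truncated
        }
        $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open($box, $nonce, $this->key);
        return $plain === false ? '' : $plain; // tampered file or wrong key
    }

    public function write(string $id, string $data): bool
    {
        // Fresh random nonce per write; secretbox also authenticates the data.
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box   = sodium_crypto_secretbox($data, $nonce, $this->key);
        return parent::write($id, base64_encode($nonce . $box));
    }
}

// SESSION_KEY_HEX is a hypothetical name: 64 hex characters, stored where
// co-hosted users cannot read it (never next to the session files).
$key = sodium_hex2bin((string) getenv('SESSION_KEY_HEX'));
session_set_save_handler(new EncryptedSessionHandler($key), true);
session_start();
$_SESSION['skin'] = 'bluesilver'; // lands on disk as base64 ciphertext
```

The encryption only helps if the key is harder to read than the session files themselves; a key in a world-readable config file on the same shared host gives no protection.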
