
Tamper-proof sessions

Hi all,

I want some data generated and stored at authentication which will be
accessible throughout a (web) session. However I want better security
controls than just storing it within the session - anyone who can write a
PHP script on the server can then modify the contents.

There doesn't seem to be any easy way of separating the privilege (so e.g. a
setuid program might write the data to a file, not writable by the
webserver user). I don't want to have to run a second webserver as a
different user just to achieve this.

Anybody any ideas?

TIA,

Colin
Jul 17 '05 #1


"Colin McKinnon" <co**************@andthis.mms3.com> wrote in message
news:cb*******************@news.demon.co.uk...
> Hi all,
>
> I want some data generated and stored at authentication which will be
> accessible throughout a (web) session. However I want better security
> controls than just storing it within the session - anyone who can write a
> PHP script on the server can then modify the contents.
>
> There doesn't seem to be any easy way of separating the privilege (so e.g. a
> setuid program might write the data to a file, not writable by the
> webserver user). I don't want to have to run a second webserver as a
> different user just to achieve this.
>
> Anybody any ideas?


That's one of the instances where storing the session data in the database
makes sense. Encrypting the session data is another option (provided that
you have a way of protecting the key).

See help on session_set_save_handler() for more info.
Jul 17 '05 #2
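
The encryption option from the reply above, as an added example that is not part of the original thread or either poster's code: a handler registered through session_set_save_handler() that seals each session payload with authenticated encryption, so an edited record is rejected on read. The class name `SealedSessionHandler` and the `SESSION_SEAL_KEY` environment variable are assumptions; how the key is kept away from other scripts on the server is outside the example.

```php
<?php
declare(strict_types=1);

// Added example (PHP >= 8.0 with ext-sodium). Session payloads are sealed with
// XChaCha20-Poly1305; the session ID is bound in as associated data, so a
// payload that was edited, or copied from another session, fails to open.
final class SealedSessionHandler extends SessionHandler
{
    private const NONCE = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    private const TAG   = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES;

    public function __construct(private string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES) {
            throw new InvalidArgumentException('session key must be 32 bytes');
        }
    }

    public function read(string $id): string|false
    {
        $stored = parent::read($id);
        if ($stored === false || $stored === '') {
            return '';                      // new session: nothing to verify
        }
        $raw = base64_decode($stored, true);
        if ($raw === false || strlen($raw) < self::NONCE + self::TAG) {
            return '';                      // malformed record: start empty
        }
        $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
            substr($raw, self::NONCE), $id, substr($raw, 0, self::NONCE), $this->key
        );
        return $plain === false ? '' : $plain;   // failed tag check: start empty
    }

    public function write(string $id, string $data): bool
    {
        $nonce = random_bytes(self::NONCE);  // fresh nonce for every write
        $box = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($data, $id, $nonce, $this->key);
        return parent::write($id, base64_encode($nonce . $box));
    }
}

// Assumption: SESSION_SEAL_KEY holds 64 hex characters (32 bytes).
$key = sodium_hex2bin((string) getenv('SESSION_SEAL_KEY'));
session_set_save_handler(new SealedSessionHandler($key), true);
session_start();
```

A record that fails verification is treated as an empty session, so the user has to authenticate again instead of continuing with modified data.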
