
How can I make my session variables more secure?

Posted: Tue Jun 18, 2002 2:12 pm
by CaptainN
I read somewhere that the session vars are stored in a text file in the tmp directory on the server and that anyone that uses the server (it's a shared server) can access the files in that directory (and directories in my root even).

How can I move the session vars to a directory within my websites root and make it secure from both web visitors (realms for visitors, just need to make it secure from others on the server)?

I've already found a solution that uses mysql (sessions with adodb 2.0.0), so I could probably figure out how to write a session handler by looking at that and the php.net site (I can't use the mysql handler because the mysql server is overburdened at the moment), so I guess all I really need to know is how to secure a folder on the server from other users.

Any help is greatly appreciated.

Posted: Wed Jun 19, 2002 12:27 am
by Zmodem
I assume you're using win2k or NT or XP, right?

I know NT and win2k, won't touch XP.

right click on the directory, and click properties

Click on the security tab

In that section, you can specify which users have which rights, so on and so forth. Pretty self-explanatory.

Posted: Wed Jun 19, 2002 12:33 pm
by CaptainN
I use Windows XP for testing but then upload to a Linux based server running the cgi version of php. I would need to change the location of the session vars using a function (like set_ini()) and use a htaccess file to protect the directory if it is possible.

thanks.
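
An added example, not part of the original thread, showing one way to do what the posts above ask: store PHP session files in an owner-only directory instead of the shared temp directory. It assumes PHP runs under your own account (for example CGI with suEXEC); the directory path is a placeholder.

```php
<?php
// Added example: keep session files out of the shared /tmp on a shared Linux host.
// Assumption: the script runs as your own account, so mode 0700 excludes other users.

$sessionDir = '/home/example/private/sessions'; // hypothetical path, outside the web root

// Create the directory with owner-only access if it does not exist yet.
if (!is_dir($sessionDir) && !mkdir($sessionDir, 0700, true)) {
    die('Cannot create session directory');
}

// mkdir() is subject to umask and the directory may already exist,
// so set the mode explicitly and re-read it.
chmod($sessionDir, 0700);
clearstatcache();

// Refuse to continue if group or other still have any permission bits set.
$mode = fileperms($sessionDir) & 0777;
if (($mode & 0077) !== 0) {
    die('Session directory is accessible to other users');
}

// A directory under the document root could be requested by web visitors.
$realDir    = realpath($sessionDir);
$docRootRaw = $_SERVER['DOCUMENT_ROOT'] ?? '';
$docRoot    = $docRootRaw !== '' ? realpath($docRootRaw) : false;
if ($docRoot !== false && strpos($realDir . '/', $docRoot . '/') === 0) {
    die('Session directory must not be under the document root');
}

// Must be called before session_start().
session_save_path($realDir);
session_start();
```

An .htaccess rule only controls requests that come through the web server; other accounts on the same machine are kept out by the file permissions. If PHP instead runs as a web server user shared by all customers, this mode does not separate your session files from their scripts.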