I don't think the session.save_path should matter much so long as you're careful to configure your server correctly and set a .htaccess in the place where the sessions are saved so that they cannot be accessed. I'm sure it would not be a bad idea to change the default session name, although so long as they're stored on your own server I suspect it won't matter too much. Admittedly, I do not know much about session vulnerabilities or spoofs. Since we're on the topic, though, do you plan to use cookies at all? I know that since cookies are stored on the host computer, there are several possible vulnerabilities surrounding them.
Continuing good luck,
OmniUni
Securing My website even more than it is
QuickSnail
Re: Securing My website even more than it is
It's set up to also use cookies. It might be a good idea to not use them. That is probably a good idea.
The current session.save_path is /tmp.
Sure I should .htaccess that folder?
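
On the /tmp question above, as an added example that is not from either poster: an .htaccess file only affects directories Apache serves, so it does nothing for /tmp; the usual control is a per-site session directory outside the document root with owner-only permissions. The directory path and session name below are assumed placeholders, and the script assumes the PHP process may create that directory.

```php
<?php
declare(strict_types=1);

// Added example; both values are hypothetical placeholders.
const SESSION_DIR  = '/var/lib/php-sessions/example-site'; // outside the document root
const SESSION_NAME = 'examplesid';                          // replaces the default PHPSESSID

function start_private_session(string $dir, string $name): void
{
    // One directory per site, readable only by the account PHP runs as.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session directory: $dir");
    }
    clearstatcache(true, $dir);
    $mode = fileperms($dir) & 0777;
    if (($mode & 0077) !== 0) {
        // Group or other access means local users could read session files.
        throw new RuntimeException(
            sprintf('session directory %s is mode %04o, expected 0700', $dir, $mode)
        );
    }

    // Everything below must run before session_start().
    session_save_path($dir);
    session_name($name);
    ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    session_set_cookie_params([
        'httponly' => true,  // cookie is not readable from JavaScript
        'secure'   => true,  // cookie is sent over HTTPS only
        'samesite' => 'Lax',
    ]);
    session_start();
}

start_private_session(SESSION_DIR, SESSION_NAME);
```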