Re: Securing My website even more than it is

Posted: Fri Sep 05, 2008 9:58 pm
by omniuni
I don't think the session.save_path should matter much so long as you're careful to configure your server correctly and set an .htaccess in the place where the sessions are saved so that they cannot be accessed. I'm sure it would not be a bad idea to change the default session name, although so long as they're stored on your own server I suspect it won't matter too much. Admittedly, I do not know much about session vulnerabilities or spoofs. Since we're on the topic, though, do you plan to use cookies at all? I know that since cookies are stored on the host computer, there are several possible vulnerabilities surrounding them.

Continuing good luck,
OmniUni

Re: Securing My website even more than it is

Posted: Sat Sep 06, 2008 3:02 pm
by QuickSnail
It's set up to also use cookies. It might be a good idea to not use them. That is probably a good idea.
The current session.save_path is /tmp.
Sure I should .htaccess that folder?
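
The settings discussed in this thread (session.save_path, session.name and the session cookie) can be audited with a short script; this is an added example, not code from any poster here. An .htaccess file only affects directories Apache serves, so the script checks whether the save path sits inside the document root and, separately, whether other local accounts can list it. The function name `audit_session_config` is hypothetical; the ini directives are PHP's own.

```php
<?php
// Added example (not from the thread): audit PHP session settings.
function audit_session_config(array $ini, string $docRoot): array
{
    $findings = [];

    // save_path may be "N;/path" or "N;MODE;/path"; the directory is the last field.
    $parts = explode(';', (string) $ini['session.save_path']);
    $dir   = end($parts) ?: sys_get_temp_dir();
    $dir   = realpath($dir) ?: $dir;
    // realpath('') resolves to the current directory, so treat '' as "no docroot".
    $root  = $docRoot === '' ? '' : rtrim(realpath($docRoot) ?: $docRoot, '/');

    if ($root !== '' && strpos($dir . '/', $root . '/') === 0) {
        $findings[] = "save_path $dir is inside the document root: move it out or deny web access to it";
    }
    if (is_dir($dir) && (fileperms($dir) & 0004)) {
        // Files are named sess_<id>, so a directory listing reveals live session IDs.
        $findings[] = "save_path $dir is listable by other local users: use a private directory (mode 0700) owned by the PHP user";
    }
    if ($ini['session.name'] === 'PHPSESSID') {
        $findings[] = 'session.name is the default PHPSESSID (informational)';
    }
    // ini_get() returns strings such as "", "0", "1", "On" or "Off".
    $on = fn($key) => filter_var($ini[$key] ?? '', FILTER_VALIDATE_BOOLEAN);
    if (!$on('session.use_only_cookies')) {
        $findings[] = 'session.use_only_cookies is off: session IDs may be accepted from URLs';
    }
    if (!$on('session.cookie_httponly')) {
        $findings[] = 'session.cookie_httponly is off: page scripts can read the session cookie';
    }
    if (!$on('session.cookie_secure')) {
        $findings[] = 'session.cookie_secure is off: the cookie is also sent over plain HTTP';
    }
    return $findings;
}

$keys = ['session.save_path', 'session.name', 'session.use_only_cookies',
         'session.cookie_httponly', 'session.cookie_secure'];
$ini  = array_combine($keys, array_map('ini_get', $keys));
// DOCUMENT_ROOT is only set under a web SAPI; '' skips the docroot check on the CLI.
foreach (audit_session_config($ini, $_SERVER['DOCUMENT_ROOT'] ?? '') as $finding) {
    echo "[!] $finding\n";
}
```

Run it through the same SAPI that serves the site (for example as a temporary page), since the CLI often loads a different php.ini.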