
PHP sessions

I have noticed that in PHP the session is saved on the HD under the user temp folder (on WinXP at least)!

Is this always the case, or does it depend on the Apache configuration?

And if so, why aren't the session files deleted when the session ends???
Because it's a security matter!

Thanks in advance
peleg


4 Comments

@solavar Jul 25, 2004 — Well, I was shocked a couple of weeks ago when I installed a simple one-page webmail script on my home Win2K based Apache server.

The script worked superbly. Any of my few private subscribers were able to log into the system and retrieve their emails.

One unexpected drawback was that each email would have, as part of its headers, all the session data that PHP was handling. Everything was right there. Usernames, passwords, the lot.

It dawned on me that the webmail client was storing its data in the default temp directory, which coincidentally turned out to be the same folder PHP was using.

The solution, therefore, was to create a dedicated temp folder only for PHP in something like 'c:phpsessdata'. Then I edited PHP.ini's 'session save-path' entry to point to the new folder, and relative security was restored.

OK there might be other security features webhosts employ and still use the default temp folder. However, my experience has aroused the sort of concerns you've voiced.

On the question of session data being deleted after a while. Yes, this is indeed the case, I believe session data has a finite lifetime set in the configuration file.

@ShrineDesigns Jul 25, 2004 — The automatic deletion of session files only occurs on Unix systems, and some Windows systems that use NTFS or a similar format table for the hard drive.

I run a server on Win98, and I have to go to C:\WINDOWS\TEMP and manually delete any sess_* files. This is why it is important when you kill a session that you use:
[code=php]<?php
session_start();
// reverts $_SESSION to a blank array
$_SESSION = array();
session_destroy();
?>[/code]

or
[code=php]<?php
session_start();
// empty $_SESSION
unset($_SESSION);
session_destroy();
?>[/code]

@pelegk1 (author) Jul 26, 2004 — solavar -> I agree with you, it's a very, very important security issue.

Second:

Why do you do:

[code=php]unset($_SESSION); [/code]
if in the end you do:
[code=php]session_destroy(); [/code]
Thanks in advance

peleg

@ShrineDesigns Jul 27, 2004 — To make sure that any session data is deleted.

This is an example from the PHP manual:
[code=php]<?php

// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// Finally, destroy the session.
session_destroy();

?>[/code]
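
An added example, not part of the original thread: it combines the points raised above (a dedicated session directory instead of the shared temp folder, a full teardown on logout, and a manual sweep of leftover sess_* files where garbage collection is not running). The `sessdata` directory and the three helper function names are assumptions made for illustration.

```php
<?php
// Added example. SESSION_DIR and the helper names are hypothetical.
// Keep the directory outside the web root and outside the shared temp folder.
const SESSION_DIR = __DIR__ . '/sessdata';

function use_private_session_dir(string $dir): void
{
    // Mode 0700 limits access to the PHP user on Unix; Windows ignores it,
    // so restrict the folder with NTFS permissions there instead.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    session_save_path($dir); // must run before session_start()
}

function end_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                       // clear the data held in memory
    if (ini_get('session.use_cookies')) { // expire the browser's session cookie
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // remove this session's file on disk
}

function sweep_stale_sessions(string $dir, int $maxAge): int
{
    // Delete sess_* files not modified within $maxAge seconds.
    $removed = 0;
    foreach (glob($dir . '/sess_*') ?: [] as $file) {
        if (is_file($file) && time() - filemtime($file) > $maxAge && @unlink($file)) {
            $removed++;
        }
    }
    return $removed;
}

use_private_session_dir(SESSION_DIR);
session_start();
$_SESSION['user'] = 'demo';               // constructed sample data
end_session();
$maxAge = (int) ini_get('session.gc_maxlifetime');
echo sweep_stale_sessions(SESSION_DIR, $maxAge), " stale file(s) removed\n";
```

The sweep can be run from a scheduled task on hosts where leftover session files accumulate.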