Larry Ullman's Book Forums

Hi All


I'm on page 41 (in Security Fundamentals).


Referring to:

"For sensitive data being stored, but not stored in a database, change your sessions directory, and use the Web root directory's parent folder (see Figure 2.5)."


Could someone elaborate on what this means?  I'm not sure what a sessions directory is.


When it refers to "sessions", is it talking about session variables that we can create? Like if I wanted to store the logged-in user's first name in $_SESSION['userFirstName']?


Is temporarily storing potentially sensitive data in session variables not secure?


I'm pretty new at this, so please use plenty of layman's terms :)


Thank you so much.


Let me clear that up for you. Although let me also add that if you are pretty new at this, the e-commerce book may be a bit advanced for you. It assumes complete comfort with PHP & MySQL. In any case...


When you store data in a session variable, PHP stores that in a text file on the server. This is how the data persists from one page request to another. By default, all session data is stored in a public, writable directory. This means that on a shared hosting system, every user on that system could have access to all the session data for all the other sites on the same server, which is bad.


My suggestion there is for better security, you change where PHP stores those text files so that only your site can access them (in theory).

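As an added illustration of the change Larry describes (this is example code, not from the book or the forum): point PHP's session save path at a private directory in the web root's parent and check it before starting the session. The directory name `private_sessions` and the use of `$_SERVER['DOCUMENT_ROOT']` as the web root are assumptions.

```php
<?php
// Added example: move PHP's session files out of the shared default
// directory into a private folder in the web root's parent.
// Assumes the web root is $_SERVER['DOCUMENT_ROOT'] and the folder name
// "private_sessions" (both are assumptions, not from the book).

function privateSessionDir(string $webRoot): string
{
    // Parent of the web root, so the directory is never served over HTTP.
    $dir = dirname(rtrim($webRoot, '/')) . '/private_sessions';

    if (!is_dir($dir)) {
        // 0700: only the account PHP runs as can list, read or write here.
        if (!mkdir($dir, 0700, true)) {
            throw new RuntimeException("Cannot create $dir");
        }
    }

    // Refuse group- or world-accessible directories: a shared, writable
    // location is exactly what the default setting gives you.
    $perms = fileperms($dir) & 0777;
    if ($perms & 0077) {
        throw new RuntimeException(
            sprintf('%s has permissions %o; expected 0700', $dir, $perms)
        );
    }

    // Sanity check: the chosen directory must not sit inside the web root.
    $real = realpath($dir);
    $rootReal = realpath($webRoot);
    if ($real !== false && $rootReal !== false
        && strncmp($real, $rootReal . DIRECTORY_SEPARATOR, strlen($rootReal) + 1) === 0) {
        throw new RuntimeException("$dir is inside the web root");
    }
    return $dir;
}

// Must run before session_start() on every page that uses sessions.
session_save_path(privateSessionDir($_SERVER['DOCUMENT_ROOT']));
session_start();

// Session data now lands in files under the private directory.
$_SESSION['userFirstName'] = 'Alice';  // constructed sample value
```

The same relocation can be done once for the whole site with the `session.save_path` directive in php.ini instead of calling `session_save_path()` in each script.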