Larry Ullman's Book Forums


Hi All

 

I'm on page 41 (in Security Fundamentals).

 

Referring to:

"For sensitive data being stored, but not stored in a database, change your sessions directory, and use the Web root directory's parent folder (see Figure 2.5)."

 

Could someone elaborate on what this means? I'm not sure what a sessions directory is.

 

When it refers to "sessions", is it talking about session variables that we can create? Like if I wanted to store the logged-in user's first name in $_SESSION['userFirstName']?

 

Is temporarily storing potentially sensitive data in session variables not secure?

 

I'm pretty new at this, so please use plenty of layman's terms :)

 

Thank you so much.

 


Let me clear that up for you. Although let me also add that if you are pretty new at this, the e-commerce book may be a bit advanced for you. It assumes complete comfort with PHP & MySQL. In any case...

 

When you store data in a session variable, PHP stores that in a text file on the server. This is how the data persists from one page request to another. By default, all session data is stored in a public, writable directory. This means that on a shared hosting system, every user on that system could have access to all the session data for all the other sites on the same server. Which is bad. 

 

My suggestion there is that, for better security, you change where PHP stores those text files so that only your site can access them (in theory).

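One way to do what the answer above describes, as an added example that is not from the book or the forum reply: point PHP's session store at a private folder next to the web root and refuse to start if that folder is shared-readable. It assumes a Unix-like host, that `$_SERVER['DOCUMENT_ROOT']` is the web root, and a placeholder layout where the web root's parent is writable by your account.

```php
<?php
// Added example (not from the book or the forum post): move PHP's session
// files out of the shared default directory into a private folder that is a
// sibling of the web root, as the answer above suggests.
//
// Assumed layout (placeholder paths, not from the page):
//   /home/example/public_html   <- web root (DOCUMENT_ROOT)
//   /home/example/sessions      <- private session store, never served by the web server

declare(strict_types=1);

// Go one level up from the web root so the files are not reachable over HTTP.
$sessionDir = dirname($_SERVER['DOCUMENT_ROOT']) . '/sessions';

// Create the directory with owner-only permissions if it does not exist yet.
if (!is_dir($sessionDir) && !mkdir($sessionDir, 0700, true)) {
    throw new RuntimeException("Cannot create session directory: $sessionDir");
}
chmod($sessionDir, 0700); // mkdir's mode is masked by umask; enforce 0700 explicitly

// Refuse to run if group or others have any access: that would reproduce the
// shared-host problem the answer describes (other accounts reading your sessions).
$mode = fileperms($sessionDir) & 0777;
if (($mode & 0077) !== 0) {
    throw new RuntimeException(sprintf(
        'Session directory %s has mode %o; expected 0700', $sessionDir, $mode
    ));
}
if (!is_writable($sessionDir)) {
    throw new RuntimeException("Session directory is not writable: $sessionDir");
}

// Must be called before session_start(); equivalent to session.save_path in php.ini.
session_save_path($sessionDir);
session_start();

// Session variables are used exactly as before; only where PHP writes them changed.
$_SESSION['userFirstName'] = 'Ada'; // constructed sample value
```

The same setting can be made once for the whole site with `session.save_path = /home/example/sessions` in php.ini, in which case the script only needs the permission check.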
