Member Avatar for genieuk

Hi,

I hope someone can help me.

My site been using cookies and i have decided to scrap cookies after finding to many security holes which i myself was able to hack in testing.

I have looked online and found nothing that is want i am after even my php books does not mention anything about session paths only about sessions itself.

Basically i was reading the session path can be changed, i am on shared web hosting server and obviously due to security pitfalls i want to change the session path.

I do not have access to the php.ini file so i looked up and noticed i could use session_save_path.

Thing is i cannot find how i actually use it,

1) Basically how do i tell it where the new session path is?

2) Do i need to use the session path on every page that uses sessions so it knows where to store the sessions?

3) Also would i have to specify the session path before the session_start(); ?

4) How would i write the directory to the session path? something like /home/sites/mydomain.com/ ?

5) Should i store the session path folder outside of the public_html area? and if so what should the CHMOD be? my host does not support CHMOD 777 but supports CHMOD 755.

6) How do i get around starting a session after header info etc been sent as sometimes i think i am going to need to send afterwards?

Sorry for all the questions, i have looked everywhere, in my books, google and php.net and cannot find answers to my questions.

Thanks
Mat

  • 2 Contributors
  • 4 Replies
  • 240 Views
  • 19 Hours Discussion Span
  • Latest Post Latest Post by genieuk

Recommended Answers

All 4 Replies

Member Avatar for somedude3488

http://php.net/manual/en/function.session-save-path.php

You need specify a new path using an absolute path. It needs to be done on every page before session_start(). It would be pointless to store them inside the public_html as they would be public for everyone to see. That would be a bigger risk than using the default temp directory. 755 chmod would be fine. ob_start() would help you in sending headers after data has been outputted.

Edited by somedude3488 because: n/a
Member Avatar for genieuk

Hi,

Thanks Keith,

All sorted, i am rather enjoying using sessions much more than cookies,

I have striped dozens of lines of code out my site and very little queries done now as when user details are verified and logs in i get them to store the info that i need about user in session so i can retrieve when i need across any webpage that i display want there information to be etc.

So happy i changed it and thanks for your help, worked first time

Delighted!

Thanks
Mat

Member Avatar for somedude3488

You realize sessions require cookies.

Member Avatar for genieuk

Hi Keith,

Yes i do realise that, i worded it wrong in my last post.

What i meant was it is more secure, specially after reading about security with sessions etc.

Works great.

Thanks
Mat

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.