--- anders thoresson <[EMAIL PROTECTED]> wrote:
> In the ini-files for my php-projects, I store various settings.
> Two of them are username and password for my mysql-connections.
>
> Is it safe to load these two into session variables when a user logs
> in to my application?

For the most part, yes, it is fine. Because session variables are maintained on the server, many risks are not a concern. However, there are some things to consider.

Where is session data stored? If you are using the default location /tmp and are on a shared server, session data is pretty easy to access by others who share your server. Depending on how the server and PHP are configured, they may be able to browse your home directory as well, so you might be out of luck. :-)

Some have suggested setting such things in the VirtualHost directive of Apache, thereby creating environment variables. This might be easier to hide from others on the server.

If it's a dedicated server, there is much less to worry about.

> What I don't understand, and hence the questions, is whether session
> variables are accessible by my website's visitors, or just to the
> php-scripts on the server.

Session variables, barring a compromise of your server, are only available to users as you make them available. So, as long as your code never outputs the value you wish to keep hidden, you'll be fine.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
     Coming mid-2004
HTTP Developer's Handbook
     http://httphandbook.org/
RAMP Training Courses
     http://www.nyphp.org/ramp

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
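
An added example, not part of the message above: PHP code that checks whether the file session store sits in a shared location such as /tmp, and reads the MySQL credentials from environment variables set in the Apache VirtualHost instead of copying them into the session. The names APP_DB_USER and APP_DB_PASS and the sample SetEnv lines are assumptions.

```php
<?php
// Added example, not part of the original message. APP_DB_USER and
// APP_DB_PASS are assumed names; the SetEnv values are constructed samples.
// Assumed Apache side, inside this site's <VirtualHost> block:
//     SetEnv APP_DB_USER "appuser"
//     SetEnv APP_DB_PASS "constructed-sample-password"

/** Directory used by PHP's file session handler. */
function session_dir(): string
{
    // session.save_path may be "N;/path" or "N;MODE;/path"; the path is last.
    $parts = explode(';', (string) ini_get('session.save_path'));
    $dir = trim(end($parts));
    return $dir !== '' ? $dir : sys_get_temp_dir();
}

/** Reasons other local accounts could reach session files in $dir. */
function session_dir_problems(string $dir): array
{
    $real = realpath($dir);
    if ($real === false || !is_dir($real)) {
        return ["$dir is missing or not a directory"];
    }
    $problems = [];
    if (in_array($real, ['/tmp', '/var/tmp', realpath(sys_get_temp_dir())], true)) {
        $problems[] = "$real is a shared temporary directory";
    }
    $mode = fileperms($real) & 0777;
    if ($mode & 0007) {
        $problems[] = sprintf('%s grants access to "other" (mode %04o)', $real, $mode);
    }
    return $problems;
}

/** Read the MySQL credentials from the environment instead of $_SESSION. */
function db_credentials(): array
{
    $user = getenv('APP_DB_USER');
    $pass = getenv('APP_DB_PASS');
    if ($user === false || $pass === false) {
        throw new RuntimeException('database credentials are not set');
    }
    return [$user, $pass];
}

foreach (session_dir_problems(session_dir()) as $problem) {
    error_log("session storage: $problem");
}
```

Values set with SetEnv appear in phpinfo() output, so a page that calls phpinfo() should not be reachable on a site configured this way.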