[PHP] session.save_path is a big security hole!

2003-09-04 Thread Rx
There's absolutely no control over session.save_path parameter in PHP. By setting it to every directory he wants, every user can: 1. (!!!) Absolutely easily generate new sessions with any content for every site on server. 2. Delete other users' sessions by setting gc to 100 and probably legal files

Re: [PHP] session.save_path is a big security hole!

2003-09-04 Thread Rx
Curt Zirzow [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] * Thus wrote Rx ([EMAIL PROTECTED]): There's absolutely no control over session.save_path parameter in PHP. By setting it to every directory he wants, every user can: You can set the value with php_admin_value save_path

Re: [PHP] session.save_path is a big security hole!

2003-09-04 Thread Rx
Raditha Dissanayake [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] M, very interesting thread, thanks for starting this. Good comments, Curt. 1. (!!!) Absolutely easily generate new sessions with any content for every site on server. It's because of the 'suspect'