Changing Session Path?

Question

genieuk 0 Junior Poster

15 Years Ago

Hi,

I hope someone can help me.

My site been using cookies and i have decided to scrap cookies after finding to many security holes which i myself was able to hack in testing.

I have looked online and found nothing that is want i am after even my php books does not mention anything about session paths only about sessions itself.

Basically i was reading the session path can be changed, i am on shared web hosting server and obviously due to security pitfalls i want to change the session path.

I do not have access to the php.ini file so i looked up and noticed i could use session_save_path.

Thing is i cannot find how i actually use it,

1) Basically how do i tell it where the new session path is?

2) Do i need to use the session path on every page that uses sessions so it knows where to store the sessions?

3) Also would i have to specify the session path before the session_start(); ?

4) How would i write the directory to the session path? something like /home/sites/mydomain.com/ ?

5) Should i store the session path folder outside of the public_html area? and if so what should the CHMOD be? my host does not support CHMOD 777 but supports CHMOD 755.

6) How do i get around starting a session after header info etc been sent as sometimes i think i am going to need to send afterwards?

Sorry for all the questions, i have looked everywhere, in my books, google and php.net and cannot find answers to my questions.

Thanks
Mat

php

2 Contributors
4 Replies
241 Views
19 Hours Discussion Span
Latest Post 15 Years Ago Latest Post by genieuk

somedude3488 228 Nearly a Posting Virtuoso

15 Years Ago

http://php.net/manual/en/function.session-save-path.php

You need specify a new path using an absolute path. It needs to be done on every page before session_start(). It would be pointless to store them inside the public_html as they would be public for everyone to see. That would be a bigger risk than using the default temp directory. 755 chmod would be fine. ob_start() would help you in sending headers after data has been outputted.

Edited 15 Years Ago by somedude3488 because: n/a

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

genieuk 0 Junior Poster · Answer 1 · 2009-10-12T21:16:11+00:00

Hi,

Thanks Keith,

All sorted, i am rather enjoying using sessions much more than cookies,

I have striped dozens of lines of code out my site and very little queries done now as when user details are verified and logs in i get them to store the info that i need about user in session so i can retrieve when i need across any webpage that i display want there information to be etc.

So happy i changed it and thanks for your help, worked first time

Delighted!

Thanks
Mat

somedude3488 228 Nearly a Posting Virtuoso · Answer 2 · 2009-10-13T04:56:18+00:00

somedude3488 228 Nearly a Posting Virtuoso

15 Years Ago

You realize sessions require cookies.

genieuk 0 Junior Poster · Answer 3 · 2009-10-13T06:32:19+00:00

Hi Keith,

Yes i do realise that, i worded it wrong in my last post.

What i meant was it is more secure, specially after reading about security with sessions etc.

Works great.

Thanks
Mat