Garvin Hicking wrote:
Hi!
(I can only agree with what Michal said - it's only not implemented because nobody got down to doing it.)
If you're going to implement this, do not forget that sessions should also work without cookies enabled.
There is also a problem about which Marc and I talked in the past. We should not store sensitive information like passwords in sessions, as usually all session data can be accessed by untrusted users on the same webserver, since session files are usually readable by everyone.
Securing session data/handling is part of the system, not of the application (as someone said some days ago, window hijacking is part of the browser, not the app).
Even with open_basedir disabled, to open a file from the tmp dir you need the exact name, as normally listing dir contents is not allowed,
and guessing the right session id is nearly impossible:
---
; Select a hash function
; 0: MD5 (128 bits)
; 1: SHA-1 (160 bits)
session.hash_function = 0

; Define how many bits are stored in each character when converting
; the binary hash data to something readable.
;
; 4 bits: 0-9, a-f
; 5 bits: 0-9, a-v
; 6 bits: 0-9, a-z, A-Z, "-", ","
session.hash_bits_per_character = 5
---
Also we need to think about what bad can happen when someone hijacks your session id, or uses session fixation.
Authentication information does not need to be stored in the session! The authentication system can stay as it is!
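To make the php.ini fragment quoted above concrete, here is an added example (Python, written for this thread, not PHP's own code) that models how a raw MD5/SHA-1 digest is packed into a readable session id at 4, 5 or 6 bits per character, and what the id space looks like as a result. The alphabet and least-significant-bits-first packing are assumed to follow PHP's session extension; the seed bytes are constructed.

```python
import hashlib
import math

# Symbol table for session.hash_bits_per_character = 4, 5 or 6;
# the first 16, 32 or 64 entries are used respectively (assumed to match PHP).
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-,"

# session.hash_function values and the digest size each one produces.
HASH_FUNCTIONS = {0: ("md5", 128), 1: ("sha1", 160)}


def bin_to_readable(raw: bytes, bits_per_char: int) -> str:
    """Pack digest bytes into characters of bits_per_char bits each,
    consuming the least-significant bits first (modelled on PHP's packing)."""
    if bits_per_char not in (4, 5, 6):
        raise ValueError("session.hash_bits_per_character must be 4, 5 or 6")
    mask = (1 << bits_per_char) - 1
    out, window, have = [], 0, 0
    for byte in raw:
        window |= byte << have          # append 8 new bits above the leftovers
        have += 8
        while have >= bits_per_char:    # drain as many full characters as possible
            out.append(ALPHABET[window & mask])
            window >>= bits_per_char
            have -= bits_per_char
    if have:                            # leftover bits become one final character
        out.append(ALPHABET[window & mask])
    return "".join(out)


def session_id(seed: bytes, hash_function: int, bits_per_char: int) -> str:
    """Hash the seed material (constructed here) and render it as a session id."""
    name, _ = HASH_FUNCTIONS[hash_function]
    return bin_to_readable(hashlib.new(name, seed).digest(), bits_per_char)


def id_length(hash_function: int, bits_per_char: int) -> int:
    """Number of characters a session id has for the given settings."""
    _, bits = HASH_FUNCTIONS[hash_function]
    return math.ceil(bits / bits_per_char)


def guess_probability(hash_function: int, active_sessions: int) -> float:
    """Chance that one random guess hits any active session. The id space is
    2^digest_bits whatever bits_per_char is: the setting changes only the length."""
    _, bits = HASH_FUNCTIONS[hash_function]
    return active_sessions / 2 ** bits
```

With the quoted settings (MD5, 5 bits per character) ids are 26 characters long; SHA-1 at the default 4 bits gives 40 hex characters. Whether an id is really hard to guess depends on how unpredictable the seed material fed to the hash is, not on how many characters the digest is printed as.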