Jump to content
Killersites Forums

Session Directory Security Fundamentals


Recommended Posts

Hi All,

 

I've come across some PHP website-building literature that stated:

 

"For sensitive data being stored, but not stored in a database, change your sessions directory, and use the Web root directory's parent folder"

 

I understand that no one here is the author, but could someone take a guess at and explain what this means? I'm not sure what a sessions directory is.

 

When it refers to "sessions", is it talking about session variables that we can create?... like if I wanted to store the logged-in user's first name in $_SESSION['userFirstName']?

 

Is temporarily storing potentially sensitive data in session variables not secure?

 

I'm pretty new at this, so please use plenty of laymen terms :)

 

Thank you so much!

Link to post
Share on other sites

In a nutshell, you can either store sensitive data to your server directory but you would need an method of protecting that data by placing the folder outside of your domain name but within your host's file structure...or store it on a MySQL database which is separate from hosted files. Preferred method is MySQL database.

 

The folder mentioned above can't be viewed via FTP but can be viewed via the host control panel. Login to your control panel

and you should see a folder structure for the domain. The right place to store your data is something like this:

 

Correct:

/www/_data/

 

INCORRECT:

/www/mydomain.com/_data/

 

If you don't see /www/ or something like that then you need to check with your host.

 

If you are going to allow users to store data then you may need need to install a SSL.

 

Note: I would not be a happy camper if my personal/sensitive info was stored unsecured.

Edited by Eddie
Link to post
Share on other sites

Thanks for your input Eddie.

 

Let's say your website files & folders are supposed to go inside this made-up directory/folder:

 

123.456.78.90/public_html (this is kind of what the directory looks like when I'm in my c-panel anyways)

 

Are you saying that I should put most of my website files in this public_html folder, but put data I want to protect into a different folder which is on the same level as the public_html folder? Like here:

 

123.456.78.90/_data

 

If I'm correct, would you put files such as config files here (which may contain password info)?

 

Question #2:

 

How does this relate to session info (like session variables that I don't want hackers to get their hands on)?

Link to post
Share on other sites

I believe you want to store data for say like users' name and password which requires them to re-access that info. Then yes, put the folder in the root directory. Ideally, saving sensitive data should be stored on a database.

 

Maybe Ben here might have more insight on this or resources even since he has a much deeper knowledge in PHP.

 

Or, you can install Wordpress and look how they able to store secure data (using MySQL).

Edited by Eddie
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...