phpgroupware-developers

Re: [phpGroupWare-developers] list sessions


From: Sigurd Nes
Subject: Re: [phpGroupWare-developers] list sessions
Date: Mon, 14 Jul 2008 19:46:50 +0200
User-agent: Thunderbird 2.0.0.12 (X11/20080305)

Dave Hall wrote:
> On Sun, 2008-07-13 at 23:14 +0200, Sigurd Nes wrote:
>> Hi all,
>>
>> The new session handler in trunk has all necessary meta-data about the session
>> embedded in the session itself.
>>
>> If suhosin - the Hardened-PHP Project is enabled - the session data is encrypted
>> and the list sessions feature cannot be used.
>>
>> I think the list session is useful for tracking users in case of remote problem
>> solving.
>>
>> How about re-enabling the meta information un-encrypted outside the session data
>> so it is available to the list session?
>>
>> This also affects the count of current users.
> 
> Security always comes at a cost.
> 
> If people really need this functionality it can be documented and those
> users can either disable suhosin or use db sessions.  I fail to see what
> benefit it brings for the overhead involved.

Only choice is to disable suhosin as db-sessions are encrypted as well.

To have the (old) fields as lid, action and logintime is very cheap - don't
think it is noticeable at all as it is only accessed twice per page view.
> 
> btw you can get the current session count by using a unique path for
> storing the session files.
> 

Regards

Sigurd
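
Added example, not part of the original message and not phpGroupWare code: one way to get the session count Dave Hall mentions, by giving the application its own session directory and counting recently touched session files. It reads only file names and modification times, never file contents, so it is unaffected by suhosin's session encryption; the function name `count_active_sessions`, the demo directory and the sample files are constructed for illustration.

```php
<?php
/**
 * Count session files touched within the session lifetime.
 * Assumes PHP's "files" session handler and a directory used by this
 * application only (owned by the web server user, mode 0700), set with
 * ini_set('session.save_path', ...) before session_start().
 */
function count_active_sessions(string $dir, int $maxLifetime): int
{
    if (!is_dir($dir) || !is_readable($dir)) {
        throw new RuntimeException("Session directory not readable: $dir");
    }
    $cutoff = time() - $maxLifetime;
    $active = 0;
    foreach (new DirectoryIterator($dir) as $entry) {
        // The "files" handler names each session file sess_<session id>.
        if (!$entry->isFile() || strncmp($entry->getFilename(), 'sess_', 5) !== 0) {
            continue;
        }
        // Older files are expired sessions the garbage collector has not
        // removed yet; counting them would overstate the current users.
        if ($entry->getMTime() >= $cutoff) {
            $active++;
        }
    }
    return $active;
}

// Demo on constructed data: a throwaway directory standing in for the
// application's dedicated session.save_path.
$dir = sys_get_temp_dir() . '/sessdemo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
touch("$dir/sess_aaaa");                 // active session
touch("$dir/sess_bbbb");                 // active session
touch("$dir/sess_cccc", time() - 7200);  // expired, not yet collected
touch("$dir/README");                    // not a session file

// 1440 seconds is PHP's default session.gc_maxlifetime.
echo count_active_sessions($dir, 1440), " active sessions\n";

// Clean up the demo files.
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

This gives only a count; the per-user fields discussed in the thread (lid, action, logintime) live inside the session data and stay unreadable while that data is encrypted.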



