tag 653169 security
thanks

On Tue, Dec 27, 2011 at 6:10 PM, Christoph Anton Mitterer wrote:
> On Tue, 2011-12-27 at 18:08 -0500, Michael Gilbert wrote:
>> How is /var any more secure than /tmp? I'm not really familiar with
>> session.save_path, but if it does store sensitive information at any
>> location, then that should be protected via appropriate file
>> permissions.
> http://www.php.net/manual/en/session.configuration.php#ini.session.save-path

ok, you're quite right that this is an exposure, and it is indeed
solvable by moving to /var/lib/php5 since that dir has the user and
group readable flags unset.

best wishes,
mike

