Check out Scrivo

Do you want to try out Scrivo? Then here's a demo for you that does not just get your feet wet but lets you plunge right in.

Contact us

For more information, please contact us. We're happy to help you out!

Next Sep 18 Previous

Item 547209

PHP sessions functions are just a convenient way to generate a session identifier, set it in a cookie (or pass it along with every POST or GET request) and link it to some session data somewhere on the server. Convenience is all right, but it might obscure some important details. Given that session data is likely to contain sensitive information, what can you tell us about session data storage.

Choose all that apply:

A. PHP session data is stored in server memory and is managed by PHP: without the session id it is not possible to get to the data. B. By default PHP will store it's session data in the system's temporary directory where it might be read by other users and scripts unless safe_mode is enabled. C. The location of the session data can be set through the session.save_path ini setting which can be set anywhere (script, php.ini, .htaccess etc.) or alternatively per script through the session_save_path() function. D. By using session_set_save_handler() you can provide your own session data handler. That way you can store session data any way you like.

Answer

PHP session data is not written to server memory by PHP. You can get PHP to store session data into memory but you'll have to supply PHP the methods to do so yourself. Therefore answer A is false.

By default PHP stores it's session data in the system's temporary directory and this might be read by other users and script. That part of the answer is correct, and this is a severe security risk on shared hosting environments. Enabling safe_mode will solve this security problem but not by providing a solution for saver session data storage: it will just break it. If you turn on save_mode you'll have to specify a new session data directory that is accessible for your script to get sessions working again. So answer B is not correct because it is not complete.

Answer C is correct: you can set the session data directory to any location you please and from anywhere you like. Note that if you do this from your script by using ini_set("session.save_path, "/my/path") or session_save_path("/my/path") you'll need to do that before you call session_start().

And those are not your only options. By default PHP uses files for session data storage but through your ini settings this setting can be changed to other session data handlers. Examples are sqlite and memchaced provided these extension are installed. And if that doesn't suit your needs you can write your own session data handler and register it using session_set_save_handler(). So answer D is correct too.