Jason Becker wrote:
A@H is CentOS 3.x. CentOS 4.x has as a default value for
session.save_path /var/lib/php/session. You can change the value to
/tmp in 4.x but I think the setting in 4.x reflects the fact that
there is the potential to hijack sessions when /tmp is used.
(just want to throw out some general information about this for people
who care to know)
Strictly speaking as a web developer, not related to asterisk/AAH/AMP
stuff, basically the idea behind this is that /tmp is usually
world-readable, and that if you have multiple clients hosting domains on
a shared server, people from other domains can get session IDs by
looking in /tmp, or even getting the contents of the session by reading
those files. This is not an issue if everyone on the server is trusted
(i.e., everyone with access to /tmp), assuming that users can't somehow
list or read /tmp from the webserver (such as through an insecure
application that allows specifying arbitrary paths in the URL).
Back to the AMP point of view, you really shouldn't be using your
[production] telephony server as a general hosting platform, and
certainly not hosting for 3rd parties. So this is really a non-issue
with respect to AMP/AAH, just something to keep in mind.
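As an added example (not from the thread), a POSIX shell check for the exposure described above: it reads session.save_path from a php.ini-style file (falling back to /tmp, the usual system temp dir PHP uses when the directive is unset) and reports whether that directory lets other local users list session IDs or read session contents. The ini file and session file names in the demo are constructed.

```shell
#!/bin/sh
# Added example: audit a PHP session.save_path for the shared-host risk
# discussed above. Not from the original thread.

# Print the session.save_path from a php.ini-style file (last match wins).
# PHP's "N;/path" depth syntax is stripped to the path; unset means /tmp.
session_save_path() {
    path=$(awk -F= '/^[ \t]*session\.save_path[ \t]*=/ {
        sub(/^[ \t]*/, "", $2); sub(/[ \t]*$/, "", $2); gsub(/"/, "", $2);
        print $2 }' "$1" | tail -n 1)
    path=${path##*;}
    printf '%s\n' "${path:-/tmp}"
}

# Classify a session directory for other local users:
#   listable  - directory is world-readable, so session IDs leak via names
#   readable  - some session file is world-readable, so contents leak
#   private   - neither
# Exit status 0 means private, 1 means exposed.
session_dir_exposure() {
    dir=$1
    others=$(ls -ld "$dir" | cut -c8-10)   # the "other" rwx bits
    case $others in
        r*) printf 'listable\n'; return 1 ;;
    esac
    # A 0711-style directory hides names but still exposes contents if
    # the files themselves are world-readable (mode bit 004).
    if [ -n "$(find "$dir" -type f -perm -004 -print 2>/dev/null | head -n 1)" ]; then
        printf 'readable\n'; return 1
    fi
    printf 'private\n'
    return 0
}

# Demo with constructed directories: a /tmp-like 1777 dir holding a 0644
# session file, and a hardened 0770 dir holding a 0600 session file.
demo() {
    base=$(mktemp -d)
    mkdir -m 1777 "$base/weak";     : > "$base/weak/sess_demo";     chmod 644 "$base/weak/sess_demo"
    mkdir -m 770  "$base/hardened"; : > "$base/hardened/sess_demo"; chmod 600 "$base/hardened/sess_demo"
    printf 'weak (/tmp-style): %s\n' "$(session_dir_exposure "$base/weak")"
    printf 'hardened:          %s\n' "$(session_dir_exposure "$base/hardened")"
    rm -rf "$base"
}

demo
```

Run it against the real directory with `session_dir_exposure "$(session_save_path /etc/php.ini)"` to see which category the server's configured path falls into.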