HansH wrote:
> <phillip.s.powell@gmail.com> schreef in bericht
> news:1165360511.201238.220110@l12g2000cwl.googlegroups.com...
> > <Directory />
> > Options -Indexes
> > </Directory>
> >
> > <Files ~ "^\.ht">
> > order allow,deny
> > deny from all
> > </Files>
> Odd you have do set this yourself, should be in httpd.conf.
That's assuming I have permissions and access to httpd.conf, which I
don't :(
>
> > <Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
> Try <Files ~ "^sess[a-zA-Z0-9\-_,]*$">
> See 'session.hash_bits_per_character' at
> http://www.php.net/manual/en/ref.session.php
session.hash_bits_per_character is a PHP 5+ addition to php.ini; I'm
using PHP 4.3.9, sorry.
I tried your pattern, but unfortunately that also failed to match and
the session file was easily viewable via browser, which obviously you
don't want.
>
> > order allow,deny
> > deny from all
> > </Files>
>
> > This is designed to prevent itself, all files beginning with "sess" and
> > the directory listing from being viewed.
> Your session.save_path in php.ini should be set _outside_ the document tree
>
That would be assuming you have the rights to do so IAPW. However, I
am designing a portable web application that will be housed in a shared
hosting platform which does not allow for us to store sessions within
session.save_path (or for that matter, have any access outside of our
chroot - can you say "chroot jail"?), nor are we allowed to even change
any of the default php.ini values via ini_set() either (I tried that,
believe me). So that left me only with the option to store sessions
within our chroot (actually in one case, within the document root only
as that's as far back as we're allowed to go), and since they're
"open", I need to make sure the session file contents are not viewable.
> HansH
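A hardened version of the .htaccess this thread is about, added here as an example and not code from either poster. It assumes a current Apache (2.2 or 2.4) whose AllowOverride for the directory permits Options, Limit and AuthConfig directives, and relies on PHP's files save handler always naming session files "sess_" followed by the id.

```apache
# Added example: .htaccess in the directory that holds the session files.
# Assumption: AllowOverride for this directory includes Options, Limit (2.2)
# and AuthConfig (2.4); otherwise these directives are ignored or give a 500.

# No directory listings, so session file names cannot be enumerated.
Options -Indexes

# Weak: a fixed character class after "sess" misses ids produced with other
# session.hash_bits_per_character settings (which add ',' and '-').
# <Files ~ "^sess[a-zA-Z0-9\-_\.]*$">

# Corrected: PHP's files handler always names session files "sess_<id>",
# so deny on the prefix alone and let the id be anything at all.
<FilesMatch "^sess_">
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 and earlier
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Keep .htaccess and .htpasswd themselves out of reach as well.
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

Verify after deploying by requesting the URL of one session file with curl -I and checking for a 403; if the rules have no effect at all, the host's AllowOverride setting is the first thing to check.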