phillip.s.powell@gmail.com wrote:
> HansH wrote:
> > <phillip.s.powell@gmail.com> wrote in message
> > news:1165529250.835286.151950@l12g2000cwl.googlegroups.com...
> > > What I tried doing was this, out of desperation:
> > >
> > > <Files>
> > > order allow,deny
> > > deny from all
> > > </Files>
> > What files are to be denied without specifying a filename ??
> > Test for me
> > <Files ~ ".">
>
> Sorry I tried that and the session files are still viewable via
> browser:
>
> <Files ~ ".">
> order allow,deny
> deny from all
> </Files>
>
> >
> > > And even then all session files were still viewable. That's when I
> > > concluded perhaps it is due to the nature of how PHP names its session
> > > files (no PHP session file has any extension, just a name),
> > Thinking name-dot-extension ... is a Microsoft doctrine.
> >
> >
> > BTW your sess* files are at the document_root ...???
> > If not, try
> > <Location /<folder>/>
> > order allow,deny
> > deny from all
> >
>
> Sorry that also failed; the session files are easily viewable via
> browser :(
>
> <Location /path/to/session/files>
> order allow,deny
> deny from all
> </Location>
>
>
> > HansH
> > </Location>
Since we're talking silly-land solutions here for a silly setup, why not
just use a rewrite for all files
starting sess_ and ending with 32 chars?
The rewrite could rewrite to a "dev/null" script.
Why not use allow,deny and allow for localhost, no one else?
Or basic auth, for all but localhost.
I know it shouldn't be needed, but I only mention it cos everyone's going
for the regular solutions and they aren't working; meanwhile your users
are unprotected, and maybe your apps, and server!
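
The three suggestions in the post above, written out as an added configuration example that is not part of the original thread. It assumes Apache 2.2-style access directives as used elsewhere in the thread and session files named `sess_` plus 32 characters; the password file path is a placeholder, and the rewrite answers 403 directly instead of pointing at a "dev/null" script.

```apache
# Added example, not from the thread. Apache 2.2-era syntax.
# Assumption: session files are named sess_ + 32 characters, as the post
# describes; the character class is a guess at the session ID alphabet.

# 1. Rewrite approach: refuse any URL whose last path segment looks like a
#    session file. "-" means no substitution; [F] answers 403 Forbidden.
#    The pattern works in both server and per-directory context.
RewriteEngine On
RewriteRule (^|/)sess_[0-9A-Za-z,-]{32}$ - [F]

# 2. allow,deny with localhost only. Under "Order allow,deny" a client
#    that matches no Allow line is denied by default.
<FilesMatch "^sess_[0-9A-Za-z,-]{32}$">
    Order allow,deny
    Allow from 127.0.0.1
</FilesMatch>

# 3. Alternative to block 2: basic auth for everyone except localhost.
#    "Satisfy Any" lets a request through if it passes EITHER the host
#    check OR authentication. /path/to/.htpasswd is a placeholder.
#<FilesMatch "^sess_[0-9A-Za-z,-]{32}$">
#    Order allow,deny
#    Allow from 127.0.0.1
#    AuthType Basic
#    AuthName "Restricted"
#    AuthUserFile /path/to/.htpasswd
#    Require valid-user
#    Satisfy Any
#</FilesMatch>
```

In a `.htaccess` file these directives are honoured only if `AllowOverride` permits them (`FileInfo` for `RewriteRule`, `Limit` for `Order`/`Allow`, `AuthConfig` for the auth directives), and `<Location>` is not accepted in `.htaccess` at all, while `<Files>` and `<FilesMatch>` are. After reloading, request a known session file URL from a remote client and confirm it returns 403 (or 401 for the basic-auth variant).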