225
Secure Session Storage
is: value name, pipe, value type, colon, value, followed last by a semicolon, ending the current variable definition and beginning the next variable.
A session files directory must be located outside of the web root for security reasons. It should never be directly readable via an HTTP request. If the files can be read, then account information can be leaked. If the sessions directory can be publicly listed, then all the session IDs are exposed. Placing one of those IDs in a cookie and making a request restores the session to that request, leaking session account information. Therefore it is important to protect both the IDs of the files, as well as the data stored within the files.
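The two points above (the name|type:value; layout of a stored session record, and the rule that the session directory must sit outside the document root) are illustrated by the following added example. It is not code from the book: it is a small stand-alone reader for the scalar subset of the PHP "php" serialize-handler format (types s, i, b, d and N; arrays and objects are not handled), which is what an incident responder uses to inspect a sess_* file offline, plus a path-containment check for a configured save path. The session record and the directory paths are constructed sample values, not data from any real system.

```python
import os
import re
from typing import Any, Dict, Tuple

# Constructed sample of one stored session record in the format described in the
# text: variable name, pipe, type code, colon, value, semicolon. Not a real file.
# The "note" entry deliberately contains a pipe to show why the string length
# prefix, not a split on "|", must drive the parse.
SAMPLE_SESSION_DATA = (
    'username|s:5:"alice";user_id|i:42;is_admin|b:0;'
    'balance|d:19.5;note|s:3:"a|b";token|N;'
)

_STRING_HEADER = re.compile(r's:(\d+):"')


def _parse_value(data: str, pos: int) -> Tuple[Any, int]:
    """Parse one serialized scalar starting at data[pos]; return (value, next_pos)."""
    if pos >= len(data):
        raise ValueError("unexpected end of session data")
    type_code = data[pos]
    if type_code == "N":                       # null is just "N;"
        if data[pos:pos + 2] != "N;":
            raise ValueError(f"malformed null at offset {pos}")
        return None, pos + 2
    if data[pos + 1:pos + 2] != ":":
        raise ValueError(f"expected ':' after type code at offset {pos}")
    if type_code == "s":                       # s:<byte length>:"<bytes>";
        m = _STRING_HEADER.match(data, pos)
        if not m:
            raise ValueError(f"malformed string header at offset {pos}")
        length = int(m.group(1))
        start = m.end()
        value = data[start:start + length]
        end = start + length
        if len(value) != length or data[end:end + 2] != '";':
            raise ValueError("string body does not match its declared length")
        return value, end + 2
    end = data.index(";", pos)                 # i, b and d values end at ';'
    raw = data[pos + 2:end]
    if type_code == "i":
        return int(raw), end + 1
    if type_code == "b":
        if raw not in ("0", "1"):
            raise ValueError(f"malformed boolean at offset {pos}")
        return raw == "1", end + 1
    if type_code == "d":
        return float(raw), end + 1
    raise ValueError(f"unsupported type code {type_code!r} at offset {pos}")


def parse_session_data(data: str) -> Dict[str, Any]:
    """Decode a name|value;name|value;... record into a dict of scalar values."""
    result: Dict[str, Any] = {}
    pos = 0
    while pos < len(data):
        bar = data.index("|", pos)             # the pipe ends the variable name
        name = data[pos:bar]
        if not name:
            raise ValueError(f"empty variable name at offset {pos}")
        value, pos = _parse_value(data, bar + 1)
        result[name] = value
    return result


def save_path_outside_webroot(save_path: str, document_root: str) -> bool:
    """True only if save_path is neither the document root nor any directory below it.

    Both paths are normalized first so that '..' segments and trailing slashes
    cannot make a directory inside the web root look like it is outside.
    """
    save = os.path.realpath(save_path)
    root = os.path.realpath(document_root)
    return os.path.commonpath([save, root]) != root


if __name__ == "__main__":
    for name, value in parse_session_data(SAMPLE_SESSION_DATA).items():
        print(f"{name} = {value!r}")
    # Hypothetical paths, used only to show the check.
    print(save_path_outside_webroot("/var/lib/php/sessions", "/var/www/html"))
    print(save_path_outside_webroot("/var/www/html/sessions", "/var/www/html"))
```

The reader stops with an error on the first variable it cannot decode rather than guessing, which is the behaviour wanted when a file may have been truncated or tampered with; a save path that fails the containment check is exactly the misconfiguration the text warns about, since every file in it would be one URL away from being served.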
The current session ID is retrieved by cal ...