In fact, I advised Aurthur not to store exactly that (credit card
information) in sessions for this reason - but I also think there are
few things that are as sensitive as credit card information, passwords,
and social security numbers.
- Trevor
On 9/23/10 2:24 PM, Ryan Lane wrote:
As far as I know, yes. MediaWiki sets a session cookie with an ID that
uniquely identifies the session. The session data itself is stored in
some session storage (by default we let PHP handle it, on WMF we stick
it in memcached, I believe). So unless there's some ridiculous
vulnerability allowing people to obtain the value of arbitrary keys in
$_SESSION, you should be fine AFAIK.
The contents of that session on the server are unencrypted, correct?
Depending on what the secret is, he may or may not want to use it. For
instance, that is probably a terrible place to put credit card numbers
temporarily.
-- Ryan Lane
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l