FunkFeuer / Graz

Node database based on common-node-db for Funkfeuer Graz

Session files in /tmp are a security concern #4

Open aaronkaplan opened 9 years ago

aaronkaplan commented 9 years ago

As discussed in the conf call 2015/3/15, the session files stored in /tmp are a security concern.

tanzer commented 9 years ago

I don't see the issue. The session files in /tmp can only be accessed by the user that runs the web-app. If somebody manages to impersonate that user, then it doesn't matter where the session info is stored: /tmp and database are both accessible in that case.

equinox0815 commented 9 years ago

It might not be a direct security concern, but I consider this at least dangerous. One little error during server maintenance can potentially lead to a major security problem. Also, any user can fill up /tmp, which would lead to a denial of service.
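A defender-side check of the two points raised in this thread (file permissions and /tmp fill-up), added here as an example; it is not part of the project's code, and `audit_session_dir` / `create_session_file` are hypothetical names that assume a POSIX host.

```python
import os
import shutil
import stat

# Hypothetical helper (not from the project): shared directories where any
# local user can create files and exhaust space.
SHARED_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO

def audit_session_dir(path, min_free_mb=64):
    """Return a list of findings for the directory that holds session files."""
    findings = []
    me = os.geteuid()
    st = os.lstat(path)
    if os.path.realpath(path) in SHARED_DIRS:
        findings.append("session dir is a shared world-writable dir: any user can fill it (DoS)")
    if st.st_uid != me:
        findings.append(f"directory owned by uid {st.st_uid}, not the app user {me}")
    if st.st_mode & GROUP_OTHER:
        findings.append(f"directory mode {oct(st.st_mode & 0o777)} allows group/other access")
    for name in sorted(os.listdir(path)):
        fst = os.lstat(os.path.join(path, name))
        if stat.S_ISLNK(fst.st_mode):
            # A symlink dropped into a shared dir can redirect session writes.
            findings.append(f"{name}: symlink inside session dir (possible hijack)")
            continue
        if not stat.S_ISREG(fst.st_mode):
            continue
        if fst.st_uid != me:
            findings.append(f"{name}: owned by uid {fst.st_uid}, not the app user")
        if fst.st_mode & GROUP_OTHER:
            findings.append(f"{name}: mode {oct(fst.st_mode & 0o777)} readable/writable by others")
    free_mb = shutil.disk_usage(path).free // (1024 * 1024)
    if free_mb < min_free_mb:
        findings.append(f"only {free_mb} MiB free: session writes may start failing (DoS)")
    return findings

def create_session_file(directory, session_id, data):
    """Create a session file readable only by the app user (mode 0600).
    O_EXCL refuses to reuse a pre-existing name; O_NOFOLLOW refuses symlinks."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(os.path.join(directory, session_id), flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return os.path.join(directory, session_id)
```

Run `audit_session_dir("/tmp")` against a deployment to see the first finding fire; a per-application directory created with mode 0700 on its own filesystem or quota clears it.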