
secure sessions
Senior User
Join Date: Dec 2002
Status: Offline
Jan 20, 2004, 06:59 PM
 
So I'm going to be starting a project which will have login sessions that allow access to a PHP front-end for an SQL database. Which type of session would be best security-wise?

As I understand it, PHP Sessions are server-side? If that's correct I think it'd be the way to go.

Other than that issue, I think I'm good. I'll be using an SSL connection throughout their session. I also plan to be very strict on what I accept for my SQL queries. Any other big security issues? I'd appreciate any suggestions.
Travis Sanderson
     
Grizzled Veteran
Join Date: Oct 2003
Status: Offline
Jan 21, 2004, 01:14 PM
 
By default PHP sessions are stored in /tmp, so the session file is accessible to anyone on the system.

I don't particularly like this, and for an application where you want the sessions secure, a better option would be to store the session in a database rather than in flat files located in /tmp.

There are also some PHP session config parameters you can call to change the location the sessions are stored at. For example, instead of the default /tmp, you could store them in /home/your_user/sessions, and then if you are on a secured server where only you have access to your home dir, only you have access to the sessions (if they are outside of the www dir).

Hope that makes sense and I did not say anything incorrectly.
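As an added example (not code from the thread), here is what the database-backed alternative described in the post above looks like in modern PHP: a session handler that keeps session data in a table instead of flat files, registered with session_set_save_handler(). It uses PDO with an in-memory SQLite database so it runs stand-alone; the DSN, table name and the REPLACE INTO statement are assumptions you would adapt to your own database. The commented-out session.save_path line shows the lighter option the post also mentions, and the cookie settings match the original poster's plan to run the whole session over SSL.

```php
<?php
// Added example, not from the original thread: a database-backed session
// handler as an alternative to PHP's default flat files in /tmp.
// Assumptions: PDO is available, the table name "sessions" is ours to create,
// and REPLACE INTO is accepted by the target database (SQLite and MySQL do).
declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private int $maxLifetime;

    public function __construct(PDO $db, int $maxLifetime)
    {
        $this->db = $db;
        $this->maxLifetime = $maxLifetime;
        // Session payload is opaque to the database; only id and timestamp matter to it.
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY,
            data BLOB NOT NULL,
            last_access INTEGER NOT NULL
        )');
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // Expired rows are treated as absent even before gc() removes them.
        $stmt = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = :id AND last_access > :cutoff'
        );
        $stmt->execute([':id' => $id, ':cutoff' => time() - $this->maxLifetime]);
        $row = $stmt->fetchColumn();
        // PHP expects an empty string, not false, for a session that does not exist yet.
        return $row === false ? '' : (string) $row;
    }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare(
            'REPLACE INTO sessions (id, data, last_access) VALUES (:id, :data, :now)'
        );
        return $stmt->execute([':id' => $id, ':data' => $data, ':now' => time()]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE last_access <= :cutoff');
        $stmt->execute([':cutoff' => time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

// Placeholder DSN so the example runs offline; point this at your real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The lighter option from the post: keep flat files but move them out of /tmp.
// The directory must exist and be writable only by the web server's user.
// ini_set('session.save_path', '/home/your_user/sessions');

// Cookie settings that go with running the whole session over SSL: never send
// the session id over plain HTTP, keep it away from page scripts, and refuse
// session ids the server did not itself generate.
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.use_strict_mode', '1');

session_set_save_handler(new PdoSessionHandler($db, 1440), true);
session_start();
$_SESSION['user'] = 'demo'; // constructed sample value
```

Because the handler only ever sees the serialized session string and the id, the database grants are small: the web application's account needs SELECT, INSERT/REPLACE and DELETE on this one table and nothing else.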
     
redJag (op)
Senior User
Join Date: Dec 2002
Status: Offline
Jan 21, 2004, 10:10 PM
 
Well, I'm assuming you meant /tmp is readable by all local users, which is fine by me. It's a server, so if someone has physical access to it, it's already too late; otherwise not a big deal.
Travis Sanderson
     
All contents of these forums © 1995-2011 MacNN. All rights reserved.