views: 95

answers: 5

I was trying to understand how sessions work in PHP and found that session data is by default stored in the file system. In a shared hosting environment, session data can be read by PHP scripts written by any user. How can this be prevented?

+5  A: 

You can override the session save handler for your script to use something other than the filesystem, such as a database or memcache. Here is a detailed implementation: http://phpsec.org/projects/guide/5.html

Mike Sherov
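The answer above points to replacing the file-based save handler. The following is an added example of such a handler, not code from the answer or from the linked guide: it implements PHP's SessionHandlerInterface on top of PDO, so session records live in a database that only your account's credentials can open. The SQLite path `$dbPath` is an assumption chosen so the snippet runs without a database server; on real shared hosting you would point the DSN at the per-account MySQL database the host provides.

```php
<?php
// Added example (not from the original answer): a PDO-backed session handler
// registered with session_set_save_handler(), so no sess_* files are written
// to the shared temp directory at all.
class PdoSessionHandler implements SessionHandlerInterface
{
    private $pdo;
    private $ttl;

    public function __construct(PDO $pdo, $ttl = 1440)
    {
        $this->pdo = $pdo;
        $this->ttl = (int) $ttl;
        // One row per session id; last_access drives expiry and garbage collection.
        $pdo->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY,
            data BLOB NOT NULL,
            last_access INTEGER NOT NULL)');
    }

    #[\ReturnTypeWillChange]
    public function open($savePath, $sessionName) { return true; }

    #[\ReturnTypeWillChange]
    public function close() { return true; }

    #[\ReturnTypeWillChange]
    public function read($id)
    {
        // Expired rows are treated as missing so a stale id never resurrects old data.
        $stmt = $this->pdo->prepare(
            'SELECT data FROM sessions WHERE id = :id AND last_access > :cutoff');
        $stmt->execute([':id' => $id, ':cutoff' => time() - $this->ttl]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : (string) $row['data'];
    }

    #[\ReturnTypeWillChange]
    public function write($id, $data)
    {
        $stmt = $this->pdo->prepare(
            'REPLACE INTO sessions (id, data, last_access) VALUES (:id, :data, :t)');
        return $stmt->execute([':id' => $id, ':data' => $data, ':t' => time()]);
    }

    #[\ReturnTypeWillChange]
    public function destroy($id)
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    #[\ReturnTypeWillChange]
    public function gc($maxLifetime)
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE last_access < :cutoff');
        $stmt->execute([':cutoff' => time() - (int) $maxLifetime]);
        return $stmt->rowCount();
    }
}

// Assumption: a SQLite file outside the document root, created mode 0600 by this
// account. Swap the DSN for the host's per-account MySQL database in practice.
$dbPath = dirname(__DIR__) . '/private/sessions.sqlite';
$pdo = new PDO('sqlite:' . $dbPath);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The second argument registers session_write_close() as a shutdown function.
session_set_save_handler(new PdoSessionHandler($pdo), true);
ini_set('session.use_strict_mode', '1'); // reject ids the handler has never issued
session_start();

$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
```

The `#[\ReturnTypeWillChange]` attributes keep the handler free of deprecation notices on PHP 8.1+ while still parsing (as comments) on PHP 7. The database still has to be something other users cannot reach: the gain over `/tmp` comes from the credentials, not from the table itself.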
+1  A: 

Depends on the level of access you have to the php.ini file - if you're on a Shared Hosting environment which runs suPHP and allows you to have your own php.ini file (for instance) then you can simply set the session.save_path to a path like ~/tmp instead of /tmp which is usually shared.

To begin with though, I don't think that you actually CAN read php session data from other applications. I believe it's something rather unique to the person viewing it.

Finally, PHP session data is not solely saved to the file system. It can also be set up to save in a cookie on the user's machine, or you can set up PHP session data to be stored in a database.

Marco Ceppi
Unfortunately, session data for other sessions is easy to read from the filesystem:

```php
<?php
// Where PHP is writing sess_* files (empty or a shared /tmp on a default install).
$sessionFileDirectory = ini_get('session.save_path');
echo '<H1>' . $sessionFileDirectory . '</H1>';

// Every session file in that directory is readable by this script.
foreach (glob($sessionFileDirectory . '/sess_*') as $sessionFileName) {
    echo '<H3>' . $sessionFileName . '</H3>';
    $serializedSessionData = file_get_contents($sessionFileName);
    var_dump($serializedSessionData);
    echo '<hr />';
}
```

and a custom session handler is the best solution to this problem.
Mark Baker
I suppose I set up my default systems more securely, because I can't emulate that on my setup. Files in tmp/ are owned by the account which PHP is running under and are saved with 0640, so sess_xxx is owned by "marco" "marco" while others are owned by "user" "user", for instance. suPHP really helps resolve all those pesky nobody issues.
Marco Ceppi
+1  A: 

Write your own SESSION wrapper.

For example, CodeIgniter's session library does not depend on PHP's native one and it's more secure:

Note: The Session class does not utilize native PHP sessions. It generates its own session data, offering more flexibility for developers.

Otar
+1  A: 

You can use session_save_path() to change the session data directory to one that isn't shared.

Hammerite
@Hammerite, correct me if I'm wrong, but doesn't whatever you change the directory to still need to be read and writeable by the user PHP runs as and therefore still technically readable by other users of the shared hosting?
Mike Sherov
Shared hosting usually locks you into being able to read only directories and files located within your account.
John Conde
This is true. But if it's true then it's also true that any other directory (your webroot, directories with scripts in, and so on) will also be read- and writable by other users. Unless the other users are all able to exercise control over your site (and each others'), we must conclude that any sensible hosting provider has implemented a way of limiting the control a user has over directories owned by another user.
Hammerite
@Hammerite, agreed.
Mike Sherov
+1  A: 

Use session_save_path() and change your session folder to something like "/htdocs/storage/sessions". Now sessions are only saved to your given path.

Osman Üngür
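The two answers recommending session_save_path(), together with the permissions thread under Hammerite's answer, amount to one procedure: put the session files in a directory under your own account and make sure that directory is not readable by anyone else. The following added example (not code from any of the answers) does both and refuses to start a session if the check fails. The directory path is an assumption; the check only means something where your scripts run under your own uid (suPHP, per-account FPM pools), which is exactly the condition the comments above identify.

```php
<?php
// Added example: per-account session directory with a permission check before
// session_start(). Assumes scripts run under the account's own uid.
function privateSessionDir($dir)
{
    // Create the directory owner-only; mkdir honours umask, so chmod explicitly.
    if (!is_dir($dir)) {
        if (!mkdir($dir, 0700, true)) {
            throw new RuntimeException("cannot create $dir");
        }
        chmod($dir, 0700);
    }

    // Refuse group/other read, write or search bits: 0077 masks exactly those.
    $mode = fileperms($dir) & 0777;
    if ($mode & 0077) {
        throw new RuntimeException(
            sprintf('%s has mode %04o; expected 0700', $dir, $mode));
    }

    // Where the posix extension exists, also insist the directory is ours.
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        throw new RuntimeException("$dir is not owned by the uid running PHP");
    }

    return $dir;
}

// Assumption: a directory outside the document root so it is never served.
$dir = privateSessionDir(dirname(__DIR__) . '/private/sessions');

session_save_path($dir);
ini_set('session.use_strict_mode', '1');  // ignore session ids PHP did not issue
ini_set('session.cookie_httponly', '1');  // keep the id away from page scripts
session_start();

$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
```

If PHP runs as one shared web-server user for every account (mod_php as "nobody"), the directory is owned by that shared user and every other tenant's script runs as it too, so the mode check passes and proves nothing; in that configuration only a handler that stores sessions behind your own credentials, as in Mike Sherov's answer, actually keeps the data private.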