Hi,

+-------------------+
| What are sessions |
+-------------------+

A session ID is required to identify people. It is passed over to the browser and then is either part of the URL or is stored as a cookie. With every request the browser also sends this ID over to the server, which makes it possible to see which requests came from which user. Using the IP is not reliable for identification, because many people can come over a proxy and have the same IP.

Sessions are now also (mis-)used for authentication purposes. Because there is no reliable way of keeping a permanent connection to the user, a login procedure is simulated using sessions. As long as the user is "logged in", the session-ID replaces any user/password combination. Because session-IDs are difficult to predict (that's why they are so terribly long), they are considered secure.

+------------------------+
| Session support in PHP |
+------------------------+

Since PHP4 there is native support for sessions, which was derived from the PHPLib. But instead of using a SQL backend to store these IDs, they chose to store them as files in /tmp. Every session is stored in a file like

    sess_g35g5g54gg45wg85

where "g35g5g54gg45wg85" is the actual session-ID. Someone could now easily spoof these sessions, because he now knows the IDs. He would even be able to *read* the contents of these files, because PHP very often runs as a module (i.e. every executed PHP script inherits the user permissions of apache), thus you only have to write a PHP script which reads out these files.

+------------+
| Workaround |
+------------+

I suggest creating a directory:

    mkdir /tmp/php_sessions/

You have to adjust the path in php.ini for this. Then chown it to apache:

    chown www-data: php_sessions

And make sure to take away "r". r means "listing a directory". Apache only has to be able to "go into it" = x = 1, and "write" = w = 2. 1 + 2 = 3, so:

    chmod 300 php_sessions

Now, although apache is able to create and read sessions, it isn't anymore possible to list the directory.

The PHP-developers are informed about this; there is a discussion about various security issues in PHP-Dev.

+---------+
| Credits |
+---------+

I didn't find out about this myself - I just fixed it. A customer, Michel Lang, pointed it out.

Kind Regards,
Daniel Lorch
http://daniel.lorch.cc/

--
@echo "Hello, World";
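As an added example (not part of the original post), here is a small POSIX shell check that a session directory carries no "r" bit at all, plus a demo that sets up a directory the way the workaround describes; it parses the mode string from "ls -ld" so it works the same whether run as root or not, and it leaves out the chown step because that needs root and does not affect the listing bit. The php.ini directive the post refers to is session.save_path.

```shell
#!/bin/sh
# Added example: verify that a PHP session directory (session.save_path)
# cannot be listed. The "r" bit on a directory is what lets a local user
# enumerate sess_<id> files; the post's fix keeps only "wx" (chmod 300).

# Print the 10-character symbolic mode of a path, e.g. "d-wx------".
# ls -ld behaves the same on GNU and BSD; stat(1) does not.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 when the directory has no read bit for owner, group or other;
# 1 when any read bit is set; 2 when the path is not a directory.
# Positions in the mode string: 1=type, 2-4=owner, 5-7=group, 8-10=other.
session_dir_is_unlistable() {
    mode=$(mode_of "$1") || return 2
    case "$mode" in
        dr*)       return 1 ;;   # owner (apache) can list sess_* files
        d???r*)    return 1 ;;   # group can list
        d??????r*) return 1 ;;   # everyone can list (the /tmp default)
        d*)        return 0 ;;   # wx-only: create/read by name, no listing
        *)         return 2 ;;
    esac
}

# Demo on a constructed temp tree: one directory set up per the workaround
# (chmod 300), one left at a typical 755. In production the first would be
# /tmp/php_sessions, owned by the web server user (chown www-data:).
demo() {
    base=$(mktemp -d)
    mkdir "$base/php_sessions" "$base/default_sessions"
    chmod 300 "$base/php_sessions"
    chmod 755 "$base/default_sessions"
    for d in "$base/php_sessions" "$base/default_sessions"; do
        if session_dir_is_unlistable "$d"; then
            echo "OK      $(mode_of "$d") $d"
        else
            echo "LISTABLE $(mode_of "$d") $d"
        fi
    done
    chmod 700 "$base/php_sessions"   # rm needs to read the dir to clean up
    rm -rf "$base"
}

demo
```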