Re: Session contamination?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Yes, Chuck is correct here. The security issue I raised has to do with multiple users on the same shared server, which is how some hosting companies manage their clients. Each user may have a different home directory and has separation from other users, however, usually the same /tmp directory is used to store all the session cookies for all the users on the server. By running a simple script in your area you can read all the sessions managed by the server including sessions generated by other users. By moving the session cookies to a directory within your own user area it may make them more difficult to find, but it does not guarantee security as Chuck points out. This is discussed at [http://php.net/manual/en/ ref.session.php] as pointed out by Jochem.

- Ben

On Apr 20, 2006, at 7:22 PM, Richard Lynch wrote:

On Thu, April 20, 2006 1:46 pm, Ben Liu wrote:
After a bit more research, I think I understand why Jochem recommends
use of session_save_path() rather than just naming each session
differently. The former method provides more security as you can set
the location where session cookies are stored. This will help prevent
an attacker from gaining access to session information and then using
it to gain inappropriate access to the application the session was
created for or even other applications running on the same shared
server. Anyway, I think that's why.

::Possible False Sense Of Security Alert::

If a Bad Guy can read the session data, moving it to a different
directory is probably not going to help, really...

Unless you are running with different Usernames for each client on
your shared server, using FastCGI + suexec or some similar method, the
cookie files are STILL just as readable by the same Bad Guys, using
the same methods.  They just have to change their to:
<?php $path = "/other/path/to/other/cookies";?>
before they start their damage.

There may well be other GREAT reasons for using a different save path,
or a different path for the Cookie, or session_name over each other,
but I don't think Security is the reason behind any of the choices.

I'd personally use ini_set as the last choice because it's remotely
possible that the setting can't be changed from within a script, as a
few are like that -- Or, worse, that they can be changed today, but
in, say PHP 6 or PHP 7, they won't be for some obscure reason we
cannot predict today.

session_name() seems less likely to just disappear completely as a
feature than a "minor" change to a php.ini setting and where it is
allowed.

But that's just my paranoid logic. :-)

--
Like Music?
http://l-i-e.com/artists.htm



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux