Saving session data securely in PHP
Q

5

8

I was trying to understand how sessions work in PHP and found that session data is by default stored in the file system. In a shared hosting environment, session data can be read by PHP scripts written by any user. How can this be prevented?

Queri answered 14/7, 2010 at 12:2 Comment(8)
It is possible to specify different save paths per virtual host. So it is not necessarily true that every user has access to that directory. - Boughton
@Boughton True, with one caveat -- if PHP is running with the uid of the webserver, there's nothing you can do to prevent virtual host a from accessing virtual host b session data. - Py
@Artefacto, I agree. I believe that under shared hosting, PHP still runs as the same user for each hosting account. This is the built-in security flaw that only overriding the file-based handler can cure. Right? - Flashgun
@Mike It depends, but many do run under the web server uid. Overriding the file-based handler won't help you much there, you can still read the other user script and fetch the data the way he does. - Py
@Artefacto, but he can only read the other user script in the way the other user script is intended to work. - Flashgun
@Mike "Intended to work"? What do you mean? He can read the source and he can do exactly the same thing in his scripts, since he has filesystem level permission to read the files (if the session's stored in a database it's even simpler; he only has to fetch the password). The only thing that could possibly get in the way would be open_basedir, but that can be bypassed. - Py
@Artefacto, I see. He can use PHP to read the contents of the other PHP file without it being in the context of a browser. So then no matter what he does, if an attacker was able to guess the location of certain files, there is no protection, because there is no distinction between him running PHP, and the attacker running PHP. I guess then that the only way to secure this is to make sure that your hosting company has PHP run as a different user for each hosting account? - Flashgun
@Mike That's correct. Better yet, each customer on its own VM. Some hosting companies provide this for 5$/month. - Py
F
6

You can override the session save handler for your script to use something other than the filesystem, such as a database or memcache. Here is a detailed implementation: http://phpsec.org/projects/guide/5.html

Flashgun answered 14/7, 2010 at 12:9 Comment(0)
B
1

Depends on the level of access you have to the php.ini file - if you're on a Shared Hosting environment which runs suPHP and allows you to have your own php.ini file (for instance) then you can simply set the session.save_path to a path like ~/tmp instead of /tmp which is usually shared.

To begin with though, I don't think that you actually CAN read PHP session data from other applications. I believe it's something rather unique to the person viewing it.

Finally, PHP session data is not saved solely on the file system. It can also be set up to save in a cookie on the user's machine, or you can set up PHP session data to be stored in a database.

Bianchi answered 14/7, 2010 at 12:10 Comment(2)
Unfortunately, session data for other sessions is easy to read from the filesystem:

    $sessionFileDirectory = ini_get('session.save_path');
    echo '<H1>'.$sessionFileDirectory.'</H1>';
    foreach (glob('/xampp/tmp/sess_*') as $sessionFileName) {
        echo '<H3>'.$sessionFileName.'</H3>';
        $serializedSessionData = file_get_contents($sessionFileName);
        var_dump($serializedSessionData);
        echo '<hr />';
    }

and a custom session handler is the best solution to this problem. - Glottis
I suppose I set up my default systems more securely because I can't emulate that on my setup. Files in tmp/ are owned by the account which PHP is running under and are saved with 0640, so sess_xxx is owned by "marco" "marco" while others are owned by "user" "user" for instance. suPHP really helps resolve all those pesky nobody issues. - Bianchi
O
1

Write your own SESSION wrapper.

For example, CodeIgniter's session library does not depend on PHP's native one and it's more secure:

Note: The Session class does not utilize native PHP sessions. It generates its own session data, offering more flexibility for developers.

Overtrade answered 14/7, 2010 at 12:14 Comment(0)
S
1

You can use session_save_path() to change the session data directory to one that isn't shared.

Scornik answered 14/7, 2010 at 12:18 Comment(4)
Correct me if I'm wrong, but doesn't whatever you change the directory to still need to be readable and writable by the user PHP runs as and therefore still technically readable by other users of the shared hosting? - Flashgun
Shared hosting usually locks you into being able to read only directories and files located within your account. - Dysphemism
This is true. But if it's true then it's also true that any other directory (your webroot, directories with scripts in, and so on) will also be readable and writable by other users. Unless the other users are all able to exercise control over your site (and each other's), we must conclude that any sensible hosting provider has implemented a way of limiting the control a user has over directories owned by another user. - Scornik
And that's why they invented open_basedir - Surfboarding
P
1

Use session_save_path() and change your session folder to something like "/htdocs/storage/sessions". Now sessions are only saved to your given path.

Protolanguage answered 14/7, 2010 at 12:31 Comment(0)
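
The `session.save_path` and `session_save_path()` suggestions in the answers above only help when the directory is private to the account, so the following added example (not code from the thread) checks that before using it. It assumes a POSIX host; the function name and directory are hypothetical.

```php
<?php
// Added example, not code from the thread. Returns a list of reasons why $dir
// is not a private session directory; an empty list means it can be used.
function session_dir_problems(string $dir): array
{
    $problems = [];
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        return ["cannot create $dir"];
    }
    clearstatcache(true, $dir);

    // Any group/other permission bit lets other accounts list or read sess_* files.
    if ((fileperms($dir) & 0077) !== 0 && !chmod($dir, 0700)) {
        $problems[] = "$dir is accessible to group/other and chmod failed";
    }
    if (!function_exists('posix_geteuid')) {
        $problems[] = 'posix extension missing; cannot check which uid PHP runs as';
        return $problems;
    }
    // Under a shared web-server uid the process uid differs from the script
    // owner's uid, and every customer's PHP code can read this directory.
    $euid = posix_geteuid();
    if ($euid !== getmyuid()) {
        $problems[] = "PHP runs as uid $euid, not as the script owner";
    }
    if ($euid !== fileowner($dir)) {
        $problems[] = "$dir is not owned by the uid PHP runs as";
    }
    return $problems;
}

// Hypothetical location outside the web root.
$dir = dirname(__DIR__) . '/private/sessions';
$problems = session_dir_problems($dir);
if ($problems === []) {
    session_save_path($dir);
    session_start();
} else {
    error_log('session directory not private: ' . implode('; ', $problems));
}
```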
