Re: FW: PHP 4.x session spoofing

[Gunzour <gunzour () yahoo com>]

I reported this to bugs.php.net over a year ago (bug
#8189) and more recently I wrote an article for a PHP
website about the use of PHP sessions for
authentication, although that article has not yet been
published.

> Since PHP4 there is a native support for sessions,
> which was derived
> from the PHPLib. But instead of using a SQL backend
> to store these
> IDs, they chose to store them as files in /tmp.

You can configure PHP to store sessions in an SQL
database with session_set_save_handler.  That will add
to the complexity of your configuration, but will
probably not make it any more secure.  (How secure is
your SQL backend?)

> I suggest to create a directory called
>
>   mkdir /tmp/php_sessions/

You're still in the /tmp directory, so there's still a
potential for misuse.  I could do "mv php_sessions
php_sessions_old; mkdir php_sessions; echo 'juicy
session data here' >
php_sessions/sess_g35g5g54gg45wg85" and create my own
sessions, assuming I know what data needs to be in the
session file.  

This may protect you from casual shell users, but what
about malicious PHP scripts, or other sites in a
virtual hosting environment?



__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/