Bugtraq mailing list archives
Re: FW: PHP 4.x session spoofing
From: Gunzour <gunzour () yahoo com>
Date: Tue, 15 Jan 2002 05:17:12 -0800 (PST)
I reported this to bugs.php.net over a year ago (bug #8189) and more recently I wrote an article for a PHP website about the use of PHP sessions for authentication, although that article has not yet been published.
Since PHP4 there is native support for sessions, which was derived from PHPLib. But instead of using a SQL backend to store these IDs, they chose to store them as files in /tmp.
You can configure PHP to store sessions in an SQL database with session_set_save_handler. That will add to the complexity of your configuration, but will probably not make it any more secure. (How secure is your SQL backend?)
I suggest creating a directory: mkdir /tmp/php_sessions/
You're still in the /tmp directory, so there's still a potential for misuse. I could do "mv php_sessions php_sessions_old; mkdir php_sessions; echo 'juicy session data here' > php_sessions/sess_g35g5g54gg45wg85" and create my own sessions, assuming I know what data needs to be in the session file. This may protect you from casual shell users, but what about malicious PHP scripts, or other sites in a virtual hosting environment?
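The database-backed alternative the reply mentions, as an added example that is not code from the original thread: a session save handler registered with session_set_save_handler() so that session data is kept in a table the web server account can reach rather than as files under a world-writable /tmp. It assumes PHP 8.1+ with pdo_sqlite; the database path and table name are constructed for this example.

```php
<?php
// Added example, not code from the original thread: a PDO-backed save handler
// registered via session_set_save_handler(), so session data no longer lives
// as files under /tmp. Assumes PHP 8.1+ with pdo_sqlite; DSN/table are made up.
final class PdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS php_sessions (id TEXT PRIMARY KEY,
            data TEXT NOT NULL, last_access INTEGER NOT NULL)');
    }
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    // Only IDs in the alphabet PHP itself generates are looked up; anything
    // else is treated as "no such session" and never reaches a query.
    private function validId(string $id): bool
    { return (bool) preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id); }
    public function read(string $id): string
    {
        if (!$this->validId($id)) { return ''; }
        $st = $this->db->prepare('SELECT data FROM php_sessions WHERE id = :id');
        $st->execute([':id' => $id]);
        return $st->fetch(PDO::FETCH_COLUMN) ?: '';
    }
    public function write(string $id, string $data): bool
    {
        if (!$this->validId($id)) { return false; }
        $st = $this->db->prepare('INSERT OR REPLACE INTO php_sessions
            (id, data, last_access) VALUES (:id, :data, :t)');
        return $st->execute([':id' => $id, ':data' => $data, ':t' => time()]);
    }
    public function destroy(string $id): bool
    {
        if (!$this->validId($id)) { return false; }
        $st = $this->db->prepare('DELETE FROM php_sessions WHERE id = :id');
        return $st->execute([':id' => $id]);
    }
    // Expire idle sessions; PHP calls this according to the session.gc_* settings.
    public function gc(int $max_lifetime): int
    {
        $st = $this->db->prepare('DELETE FROM php_sessions WHERE last_access < :cut');
        $st->execute([':cut' => time() - $max_lifetime]);
        return $st->rowCount();
    }
}
// Placeholder path: keep the database outside /tmp and readable by the web
// server user only, and give that database account nothing beyond this table.
$db = new PDO('sqlite:/var/lib/php/sessions.sqlite', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
session_set_save_handler(new PdoSessionHandler($db), true);
session_start();
```

As the reply points out, this only moves the trust question to the database: whoever can write that table, or obtain its credentials, can still create sessions, so the handler is only as strong as the account and file permissions behind it.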
Current thread:
- PHP 4.x session spoofing Daniel Lorch (Jan 14)
- <Possible follow-ups>
- Re: FW: PHP 4.x session spoofing Gunzour (Jan 15)