WebApp Sec mailing list archives
Re: PHP session management
From: Boris Penck <boris () gamate com>
Date: Mon, 27 Oct 2003 18:12:37 +0100
> Hi, I noticed on a server how PHP creates files in /tmp in the form sess_XXXXXXXXX to store session information (of course only readable by the apache user), but "XXXXXXXXX" is the actual session ID. If a person has local access to a system using PHP's session management, aren't they able to hijack any session? Am I a complete moron and missing something? And that aside, are there any other known problems with using PHP sessions (besides all the standard PHP security issues like variable access)?
Use CGI-PHP (with suexec) in a multi-user environment. With that configuration each user (and PHP) has its own UID. Playing with chroot in suexec is a plus on security and your session files might be safe. Well, the performance... it's working. -boris
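The check a practitioner would run before and after moving to suexec, as an added example that is not part of the original thread or of PHP itself: audit a session save_path for the two exposures the thread discusses. First, the session ID is the file name, so anyone who can list the directory learns every live ID even when the files are mode 0600 (/tmp is 1777, so listing is open to all). Second, under mod_php every site's session file is owned by the same apache UID, so any script on the box can read them; under suexec the files are owned by the individual user's UID. The sample directory is constructed inline and the names and UIDs in it are hypothetical.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_session_dir(save_path):
    """Return one record per PHP session file (sess_<ID>) in save_path.

    Each record carries the session ID recovered from the file name, the
    owner UID, the permission bits, and whether group/other can read it.
    """
    records = []
    for entry in sorted(Path(save_path).glob("sess_*")):
        st = entry.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue  # skip symlinks, directories, anything odd
        records.append({
            "file": entry.name,
            "session_id": entry.name[len("sess_"):],  # the ID is the name
            "uid": st.st_uid,
            "mode": stat.S_IMODE(st.st_mode),
            "readable_by_others": bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH)),
        })
    return records


def summarize(save_path, records):
    """Condense the audit into the facts that matter for hijacking risk."""
    dir_mode = os.stat(save_path).st_mode
    return {
        # Every file name leaks a valid session ID to anyone who can list the dir.
        "session_ids": [r["session_id"] for r in records],
        # /tmp is 1777: group/other have read on the directory, so listing works.
        "dir_listable_by_others": bool(dir_mode & (stat.S_IRGRP | stat.S_IROTH)),
        # Files whose content (the serialized session data) is readable by others.
        "world_or_group_readable": [r["file"] for r in records if r["readable_by_others"]],
        # One UID for all files = mod_php model; one UID per site = suexec model.
        "distinct_owner_uids": sorted({r["uid"] for r in records}),
    }


def build_demo_dir():
    """Constructed sample directory mimicking /tmp on a mod_php host.

    Two hypothetical sessions: one with the usual 0600 mode, one carelessly
    left 0644. The directory itself is given /tmp's 1777 mode.
    """
    d = tempfile.mkdtemp(prefix="php-sess-demo-")
    (Path(d) / "sess_a1b2c3").write_text('user|s:5:"alice";')
    (Path(d) / "sess_d4e5f6").write_text('user|s:3:"bob";')
    os.chmod(Path(d) / "sess_a1b2c3", 0o600)
    os.chmod(Path(d) / "sess_d4e5f6", 0o644)
    os.chmod(d, 0o1777)
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    report = summarize(demo, audit_session_dir(demo))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real host run it as `audit_session_dir(session_save_path)` with the value from `php -i | grep session.save_path`. A single entry in `distinct_owner_uids` across several customers' sites is the shared-UID situation the poster asks about; after switching to CGI-PHP with suexec you should see one UID per user. `dir_listable_by_others` being true is the reason a per-user, non-world-readable save_path is still worth setting even under suexec: the file mode protects the contents, not the ID in the name.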
Current thread:
- PHP session management Gavin Zuchlinski (Oct 26)
- Re: PHP session management Matt Rohrer (Oct 26)
- Re: PHP session management Tommy Gildseth (Oct 26)
- Re: PHP session management Gavin Zuchlinski (Oct 26)
- Re: PHP session management Hokkaido (Oct 27)
- Re: PHP session management Gavin Zuchlinski (Oct 27)
- Re: PHP session management Gavin Zuchlinski (Oct 26)
- Re: PHP session management Boris Penck (Oct 27)
- Re: PHP session management weigelt (Oct 28)
- Re: PHP session management Ivan Ristic (Oct 28)
- Re: PHP session management weigelt (Oct 28)
- <Possible follow-ups>
- RE: PHP session management Tyler Larson (Oct 27)