#1 SitePoint Zealot (joined May 2004)

    Securing sessions on shared server

    Hey everyone,

    My website uses sessions for the usual malarkey - user logins, etc.

    I'm on a shared server, with sessions saved in '/tmp'. I've been told that this is prone to session hijacking, since the whole server's session files are stored in that directory, not each domain/subdomain having its own '/tmp' directory. (The server's using Red Hat.)

    If they're vulnerable in here, what's the best course of action to take? I can't create directories outside my webroot (except in cgi/bin) so a custom directory is out of the question (again, unless I can use cgi/bin? doesn't seem a good idea).

    I'm thinking then, of a database/cookies solution, storing a 'session' cookie on the user's computer with the value of a hashed session id, which then points to the appropriate row in a 'sessions' table in the database. Can anyone point me in the direction of a suitable session database class, incidentally?

    Could anyone advise me on this? What do you gurus do about session handling (please don't say "buy a dedicated server" because I can't!)? I've been using the /tmp dir for nearly two years now without any problems, but have only just got round to thinking seriously about session security.

    Thanks for any help!
    Alex ...

#2 jaswinder_rana, "Umm. PHP Guru....Naaaah" (joined Jul 2004, Canada)
    Well, you can use a different directory to store sessions which only you have access to with session_save_path(). BUT, as you mentioned you cannot create a directory outside of the webroot (which I can understand, as my host does the same thing), then I would sure suggest you use a database. I haven't used any session classes, but until somebody tells you, go to the following websites and try to find some.

    1) www.hotscripts.com
    2) www.phpclasses.org
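The two fixes discussed so far are session_save_path() (if a directory only your account can read exists) and a database-backed store. Below is an added example of the second, written for this page rather than taken from the thread or any linked class: a PHP session handler that keeps the raw id only in the browser cookie and stores a SHA-256 hash of it as the row key, so another tenant who can read your sessions table still cannot replay an id from it. The table name, column names and the SQLite file path are assumptions (on a shared host you would use your MySQL DSN instead); the `$_POST['login_ok']` check is a hypothetical stand-in for your own login success path. It targets PHP 8.1 or later because of the declared return types.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Stores PHP sessions in a database
// table keyed by a hash of the session id; the raw id lives only in the cookie.
final class DbSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $db, private int $ttl = 1800)
    {
        // Assumed schema; adjust names to your own database.
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id_hash TEXT PRIMARY KEY, data BLOB NOT NULL, expires INTEGER NOT NULL)');
    }

    // Key derivation: the database never sees the usable session id.
    private function key(string $id): string { return hash('sha256', $id); }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id_hash = :k AND expires > :now');
        $st->execute([':k' => $this->key($id), ':now' => time()]);
        $row = $st->fetchColumn();
        return $row === false ? '' : (string) $row;   // '' means "no such session"
    }

    public function write(string $id, string $data): bool
    {
        $st = $this->db->prepare('INSERT OR REPLACE INTO sessions (id_hash, data, expires) VALUES (:k, :d, :e)');
        return $st->execute([':k' => $this->key($id), ':d' => $data, ':e' => time() + $this->ttl]);
    }

    public function destroy(string $id): bool
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE id_hash = :k');
        return $st->execute([':k' => $this->key($id)]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires <= :now');
        $st->execute([':now' => time()]);
        return $st->rowCount();
    }

    // Lets session.use_strict_mode reject ids PHP never issued (session fixation):
    // only ids with a live row are accepted from the cookie.
    public function validateId(string $id): bool
    {
        $st = $this->db->prepare('SELECT 1 FROM sessions WHERE id_hash = :k AND expires > :now');
        $st->execute([':k' => $this->key($id), ':now' => time()]);
        return $st->fetchColumn() !== false;
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        $st = $this->db->prepare('UPDATE sessions SET expires = :e WHERE id_hash = :k');
        return $st->execute([':e' => time() + $this->ttl, ':k' => $this->key($id)]);
    }
}

// Wiring. SQLite file path is an assumption so the example runs stand-alone.
$pdo = new PDO('sqlite:' . __DIR__ . '/sessions.sqlite');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
session_set_save_handler(new DbSessionHandler($pdo), true);

ini_set('session.use_strict_mode', '1');   // refuse ids we did not issue
ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
session_set_cookie_params([
    'httponly' => true,                    // page scripts cannot read the id
    'samesite' => 'Lax',
    'secure'   => !empty($_SERVER['HTTPS']),
]);

session_start();

// Rotate the id when privilege changes, so an id observed before login is useless after it.
if (isset($_POST['login_ok'])) {           // hypothetical: your login success condition
    session_regenerate_id(true);
}

$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
echo 'hits this session: ' . $_SESSION['hits'] . "\n";
```

Two things this does not solve on a shared host: PHP running as a shared user can still read your database credentials from your source, so the handler only narrows the problem from "everyone can read every session file" to "someone who already has your DB credentials"; and garbage collection only runs when session.gc_probability fires, so long-lived rows accumulate unless a cron job calls gc() or deletes expired rows itself.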

#3 SitePoint Addict (joined Oct 2004, Brooklyn, NY)
    I wrote an article that addresses this particular issue:

    http://shiflett.org/articles/security-corner-mar2004

    Hope that helps.
