I have learned that if I share a server with another host (which I do, as I have a virtualhost), then the same $_SESSION is shared across all the hosts.
Does it mean that other hosts can access some of the variables that I store in the $_SESSION?
Check the value of the following:
echo ini_get('session.save_handler');
echo ini_get('session.save_path');
If your save_handler is files and your save_path is a common directory like /var/lib/php5 then you're likely sharing session storage with other users on the server. You're still protected by the nature of the session hash id, but if you have sensitive information you might want to make a change. You could either change the save_handler to something like sqlite and provide your own local database file, or simply change save_path to a directory that's owned by you and has minimal permissions. You can change save_path in a .htaccess file:
php_value session.save_path '/path/to/my/session/directory'
Or in your PHP source:
ini_set('session.save_path', '/path/to/my/session/directory');
Edit: Realistically though, if you have information sensitive enough to warrant this change, then you should be using a VPS and not a shared server.
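An added example (not part of the original answer) that applies the advice above: it checks whether the current file-based save path is owned by another account or open to group/other, and if so switches to a private 0700 directory. The function names and the directory location are assumptions, and the posix extension is required.

```php
<?php
// Added example, not from the original answer. Names and paths are assumptions.

// session.save_path may be "N;/path" or "N;MODE;/path"; keep only the directory.
function session_dir(string $savePath): string
{
    $parts = explode(';', $savePath);
    $dir = end($parts);
    return $dir !== '' ? $dir : sys_get_temp_dir(); // empty means system temp dir
}

// True when the directory is owned by another account or grants any
// permission to group/other (e.g. a shared /tmp or /var/lib/php5).
function is_shared_dir(string $dir): bool
{
    clearstatcache(true, $dir);
    $stat = @stat($dir);
    if ($stat === false) {
        return true; // cannot inspect it: treat as untrusted
    }
    $notMine = $stat['uid'] !== posix_geteuid();
    $openToOthers = ($stat['mode'] & 0077) !== 0;
    return $notMine || $openToOthers;
}

// Point file-based sessions at a private 0700 directory when needed.
function use_private_sessions(string $privateDir): void
{
    if (ini_get('session.save_handler') !== 'files') {
        return; // not file-based storage, nothing to relocate
    }
    if (!is_shared_dir(session_dir((string) ini_get('session.save_path')))) {
        return; // current directory is already private to this account
    }
    if (!is_dir($privateDir) && !mkdir($privateDir, 0700, true)) {
        throw new RuntimeException("cannot create $privateDir");
    }
    chmod($privateDir, 0700); // mkdir's mode is subject to umask
    if (is_shared_dir($privateDir)) {
        throw new RuntimeException("$privateDir is not private");
    }
    ini_set('session.save_path', $privateDir);
}

// Hypothetical location outside the web root; call before session_start().
use_private_sessions(dirname(__DIR__) . '/sessions');
session_start();
```

This only isolates sessions when PHP runs under your own account (for example a per-user php-fpm pool or apache-mpm-itk, as mentioned further down the page); if every site runs as the same web-server user, other sites' scripts can still read the directory.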
Does it mean that other hosts can access some of the variables that I store in the $_SESSION?
I would say yes if the session id is the same and if using default configuration for sessions. In regard to the session id being large, the chances of hijacking are pretty low, but then again anything is possible, even when using a single virtual host. It all depends on your particular circumstances.
But for all practical purposes I will dare to say you will be ok.
Good luck!
Related
I've seen this many times, especially when inspecting (older) browsergame scripts, storing their user sessions in e.g. /project/sessions or /project/tmp. Is there any valid reason not to use the default session save path?
From manual:
Warning
If you leave this set to a world-readable directory, such as /tmp (the
default), other users on the server may be able to hijack sessions by
getting the list of files in that directory.
Also, usually the default temporary directory gets cleaned on reboot and session data may be lost.
I have a question and am looking for an expert opinion.
If a website is registered with a hosting company over a shared platform, then could that website's session variables be hacked by others working on the same shared platform?
Thank You.
I'd say shared hosts are less secure in that regard, as I've personally seen several shared hosts where everybody could view the temp folder where session files are stored. As PHP's default dictates, file names equal session ID, meaning I could from there easily go to the corresponding site, put the file name into a cookie, and thus hijack the session.
As mentioned in other answers and comments, competent hosts may avoid this through proper administration and sandboxing. Investigate yours.
There are also alternative session storage methods, such as through a database. One could also regenerate the session ID often, to decrease the window for any potential hijack. Take a look at http://php.net/manual/en/session.security.php and http://php.net/manual/en/class.sessionhandler.php for some more details.
All that said, you're still better off avoiding sensitive data in session variables altogether.
At first you should ask yourself: Who do you trust? Sessions exist (besides sharing data between requests) to enable the developer to store and control data outside the user's reach. This was the problem and this is solved by sessions.
If you are in a shared environment it is possible for other processes and users to access your stored information and change it, but - and that's a big one - it is also possible for them to access your database and your code. So there is nothing to really help you in the case of evil attackers from within your system.
The only thing that will help is competent administration. In shared environments it is crucial to sandbox each application running on the server. They have to set session_save_path on a per-user basis, just as they should do with everything else.
I have a client that is on a shared host that uses PHP sessions. The session save path is /tmp by default. They are having random logouts.
Could this be caused by any/all of these?
Garbage collection by another user on the server?
Someone clearing out /tmp files (User or cron). This seems unlikely as the host I am using is pretty well known
I can change the session save path to a folder under their control. Do you think this would be the best solution? I know shared hosts sessions are insecure as anyone can read them (and I think even write to them via nobody/apache user)
Since the default /tmp is usually open to all accounts in a shared host it's generally advised to use session.save_path and set a different location.
Is it assumed that a better location is in /home/username/example_session_tmp/ as long as it's not in /home/username/public_html/?
If so, wouldn't that still be vulnerable in case a hacker were able to inject a script in public_html and read ../example_session_tmp/? Or is it the only way and it's generally assumed your site is secured from script injections?
Note: Database session handler is an alternative option but let's assume it's not possible.
If a hacker gets a script into your site, there isn't a lot you can do to stop him from snagging sessions. If your webserver has access to the sessions then that user will. No matter where you stick it the hacker can find it with a simple call to session_save_path.
To sum up:
Prevent hackers from getting access. Who cares about sessions if your server is wide open? Secure this first.
Setting the save_path to ~/sessions should prevent other shared hosting users tampering with your sessions. This does not prevent someone who gains access to your webserver from seeing and tampering with sessions.
I agree with you for putting in /home/username/example_session_tmp/.
But,
If you have only one site per server, you don't need to change the path
If you want to make shared hosting your solution, moving to a new path is a good idea (you can check for apache-mpm-itk or php5-fpm)
If you want to have multiple servers, the easiest way is to put the session in the database, or create a shared folder (nfs, samba) for the sessions files.
I read this post where the author advises storing session files in a different location in our application, since sessions in /tmp/ are not safe. Is this a best practice that everyone follows? Will putting session files into another location make any difference to how safe they are?
Need your valuable advice on this.
Thank You.
The problem is only that if you're on a shared host, the /tmp directory is typically shared by everybody, so other users will at least be able to list all files in the /tmp directory. They don't typically have access to those files, but just being able to see them may already be quite a security risk. Therefore it's better to store your temporary data elsewhere where only you have access.
This is not really of any concern if you are the master of your own server.