[ciapug] Securing session variables
Lathrop Preston
ciapug@cialug.org
Tue, 18 Nov 2003 12:06:14 -0600
David Champion wrote:
> Lathrop Preston wrote:
>
>> Unless someone gets access to the server and places a file to read out
>> the session contents (at which point session/no-session is not an
>> issue any more)
>>
>> there really is no way for someone un-authorized to access session
>> contents.
>
>
> This could be an issue on a multi-user / multi-use server. On the system
> I checked (Mandrake 9.1) PHP's defaults are set to write the session
> data to /tmp and make it rw for only the "apache" user.
>
> If those were to be readable by other users, they could dig thru the
> session data and try to find useful data, like usernames and passwords.
>
> IMHO you should never store sensitive data in sessions or cookies. If
> you have to, at least make a hash or something besides plain text.
>
> -dc
True, however you can set different overall session control names for
each site in a shared server situation.
Then each site has its own session pool and can't see the others.
I can't remember how you do it, I just know you can.
I doubt that the medical data situation that generated this thread is
going to be a shared server (at least not one where any of the sharing
users are untrusted).
Once you have a shared situation you are in an entirely different
situation regarding data security.
Lathrop
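The per-site session isolation discussed above, as an added example written for current PHP; it is not code from this thread or from any poster. The mechanism is PHP's own session_name() and session_save_path(): each site gets its own cookie name and its own session directory instead of the shared /tmp default, and the bootstrap refuses to start if that directory is readable by group or others. The site name "clinic", the base path /var/lib/php/sessions and the stored user id are hypothetical placeholders. One caveat a practitioner should keep in mind: if every site on the host runs as the same "apache" user, a separate directory does not stop another site's script from reading the files, since it runs with the same uid; real isolation also needs per-site users (suexec or separate php-fpm pools), which is the "entirely different situation" the reply refers to.

```php
<?php
// Added example (not from the thread). Starts a session whose cookie name
// and file store are private to one site on a shared server, and checks
// that the store is not world- or group-readable before using it.
// Paths and the site name are hypothetical placeholders.

function start_isolated_session(string $site, string $base = '/var/lib/php/sessions'): void
{
    $dir = $base . '/' . $site;

    // Create the per-site directory outside the web root, owner-only (0700).
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session directory $dir");
    }

    // Refuse to run if group or other have any access: a shared /tmp-style
    // directory is exactly what lets other users dig through session files.
    clearstatcache(true, $dir);
    $mode = fileperms($dir) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(
            sprintf('%s must be mode 0700, is %o', $dir, $mode)
        );
    }

    // A distinct cookie name per site, so a session id issued by one vhost
    // is never presented to, or accepted by, another vhost on the same host.
    session_name($site . '_sid');

    // Each site writes its sess_* files into its own pool.
    session_save_path($dir);

    // Only accept ids from cookies, only ids this server issued, and keep the
    // cookie away from client-side script.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');

    session_start();
}

// Usage for the hypothetical site "clinic": keep only an opaque user id in
// the session and re-read anything sensitive from the database per request,
// rather than storing usernames or passwords in the session file itself.
start_isolated_session('clinic');
$_SESSION['user_id'] = 42; // constructed sample value, not a credential
```

Call start_isolated_session() before any output on every page of that site; a second site on the same host calls it with its own name and gets a separate cookie and a separate directory.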