Saving session data securely in PHP

I was trying to understand how sessions work in PHP and found that session data is by default stored in the file system. In a shared hosting environment, session data can be read by PHP scripts written by any user. How can this be prevented?

Zacky112 asked Jul 14 '10 12:07




2 Answers

You can override the session save handler for your script to use something other than the filesystem, such as a database or memcache. Here is a detailed implementation: http://phpsec.org/projects/guide/5.html

Mike Sherov answered Oct 15 '22 11:10


Depends on the level of access you have to the php.ini file - if you're on a shared hosting environment which runs suPHP and allows you to have your own php.ini file (for instance), then you can simply set the session.save_path to a path like ~/tmp instead of /tmp, which is usually shared.

To begin with though, I don't think that you actually CAN read php session data from other applications. I believe it's something rather unique to the person viewing it.

Finally, PHP session data is not saved solely in the file system. It can also be set up to save in a cookie on the user's machine, or you can set up PHP session data to be stored in a database.

Marco Ceppi answered Oct 15 '22 11:10
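As an added example of the private `session.save_path` approach in that answer (not code from the answer), the script below creates the directory under the account's home, verifies it is owned by the current user and has no group/other permission bits before using it, and refuses to start a session otherwise. The `~/tmp/php_sessions` path and the availability of the `posix` extension are assumptions; PHP's built-in files handler already creates the session files themselves with mode 0600, so the directory is the part that needs checking.

```php
<?php
// Added example: keep PHP session files in a per-account directory and check
// its ownership and mode before session_start(). Path is an assumption.
declare(strict_types=1);

function privateSessionDir(string $dir): string
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    clearstatcache(true, $dir);
    $mode  = fileperms($dir) & 0777;
    $owner = fileowner($dir);
    $me    = posix_geteuid();
    // Any group/other bit or a foreign owner puts us back in the shared
    // /tmp situation, so refuse rather than silently continue.
    if (($mode & 0077) !== 0 || $owner !== $me) {
        throw new RuntimeException(sprintf(
            '%s is mode %04o owned by uid %d; expected 0700 owned by uid %d',
            $dir, $mode, $owner, $me));
    }
    return $dir;
}

$dir = privateSessionDir(getenv('HOME') . '/tmp/php_sessions');
ini_set('session.save_path', $dir);
ini_set('session.use_strict_mode', '1');
session_start();
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
```

Setting `session.save_path` with `ini_set()` works as long as the host does not lock the directive down in php.ini; on a host that provides a per-account php.ini, the same value can go there instead and the check above still serves as a startup sanity test.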