I was trying to understand how sessions work in PHP and found that session data is by default stored in the file system. In a shared hosting environment, session data can be read by PHP scripts written by any user. How can this be prevented ?
“Is a PHP session secure? PHP sessions are only as secure as your application makes them. PHP sessions will allow the client a pseudorandom string (“session ID”) for them to distinguish themselves with, but on the off chance that the string is intercepted by an attacker, the aggressor can imagine to be that client.
Before you can store any information in session variables, you must first start up the session. To begin a new session, simply call the PHP session_start() function. It will create a new session and generate a unique session ID for the user.
The session ID is generated using the Random Number Generator (RNG) cryptographic provider. The service provider returns a sequence of 15 randomly generated numbers (15 bytes x 8 bit = 120 bits). The array of random numbers is then mapped to valid URL characters and returned as a string.
You can override the session save handler for your script to use something other than the filesystem, such as a database or memcache. Here is a detailed implementation: http://phpsec.org/projects/guide/5.html
Depends on the level of access you have to the php.ini file - if you're on a Shared Hosting environment which runs suPHP and allows you to have your own php.ini file (for instance) then you can simply set the session.save_path to a path like ~/tmp instead of /tmp which is usually shared.
To begin with though, I don't think that you actually CAN read php session data from other applications. I believe it's something rather unique to the person viewing it.
Finally php Session data is not solely file system saved only. It can also be setup to save in a cookie on the user's machine or you can setup php session data to be stored in a database.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With