session.save_path ideas may save the server industry

kervol
Forum Newbie
Posts: 1
Joined: Sat Sep 06, 2008 10:36 am

session.save_path ideas may save the server industry

Post by kervol »

I have hardened my PHP to try and secure my servers; I have complaints on session.save_path issues now. I am using Linux and I want to set session.save_path tmp in each user’s cgi-bin/tmp folder the server will create when building an account. What can I use here? session.save_path: "/home/needwildcardinfo/public_html/cgi-bin/tmp"

I need to know what to add in the wildcard area in place due to each account name being different to reference any user account. I do not want to use the php.ini in each account method.

Also, is there a way I can set a server wide cron to empty their cgi-bin/tmp folders weekly?

I am using the PHP configure in WHM.

Any help appreciated...
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: session.save_path ideas may save the server industry

Post by josh »

You can write a function for PHP to call on session save, from there put your logic into the PHP code, you can save the sessions to a database even.
sidney
Forum Newbie
Posts: 3
Joined: Wed Sep 10, 2008 10:19 pm

Re: session.save_path ideas may save the server industry

Post by sidney »

Is there a reason not to use a single directory, if not /tmp then create some special purpose one like /php-sessions? I see that my ISP does that, gives it world write permissions, and sets the t permissions bit so that all files created in that directory have permissions only for the userid of the file creator. I get the impression that is considered the common practice.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: session.save_path ideas may save the server industry

Post by josh »

Not in my opinion but I'm sure someone could come up with a reason, like manually reading out the file and using unserialize() or some bad practice like that :roll:
sidney
Forum Newbie
Posts: 3
Joined: Wed Sep 10, 2008 10:19 pm

Re: session.save_path ideas may save the server industry

Post by sidney »

jshpro2 wrote: like manually reading out the file and using unserialize()
The idea of the t permission bit is that anyone can create a file in the directory and if they don't give world read permission nobody else can read the file and they can't mess with the directory itself to get around that. Without the t bit, anything in a world-writable directory is potentially accessible, even if the file creator sets the file permissions to try to prevent that.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: session.save_path ideas may save the server industry

Post by josh »

cool. sounds insecure.
sidney
Forum Newbie
Posts: 3
Joined: Wed Sep 10, 2008 10:19 pm

Re: session.save_path ideas may save the server industry

Post by sidney »

jshpro2 wrote: cool. sounds insecure.
I don't get what you're saying there. What is insecure about that? Unless you are talking about a world-writable directory without the t bit being insecure, and yes, that's why the t-bit was thought up, to allow a secure way of using a world-writable tmp directory.
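Added example, not part of any post in this thread: a POSIX shell audit of a shared session directory like the one discussed above. It flags a world-writable directory that lacks the sticky bit and any session file that group or other can access. The function names are hypothetical, and the `sess_*` file naming assumes PHP's default `files` session handler.

```shell
#!/bin/sh
# Added example: audit a shared PHP session directory.
# Function names are hypothetical; pass the value of session.save_path.

# Succeeds when DIR is world-writable but has no sticky bit. In that state
# any local user can delete or rename another user's session file.
world_writable_no_sticky() {
    [ -n "$(find "$1" -prune -type d -perm -0002 ! -perm -1000)" ]
}

# Prints session files in DIR that group or other can read or write.
# The sticky bit does not control this; the file mode does (0600 is safe).
exposed_session_files() {
    find "$1" -type f -name 'sess_*' \
        \( -perm -0040 -o -perm -0020 -o -perm -0004 -o -perm -0002 \)
}

# Runs both checks on DIR. Returns 0 if clean, 1 on a finding,
# 3 if DIR does not exist.
audit_session_dir() {
    dir=$1
    status=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 3
    fi
    if world_writable_no_sticky "$dir"; then
        echo "FAIL: $dir is world-writable without the sticky bit"
        echo "      fix: chmod 1733 $dir"
        status=1
    fi
    exposed=$(exposed_session_files "$dir")
    if [ -n "$exposed" ]; then
        echo "FAIL: session files accessible to group/other:"
        echo "$exposed"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: $dir"
    fi
    return "$status"
}

# Stand-alone use: sh audit.sh /path/to/session/dir
if [ "$#" -gt 0 ]; then
    audit_session_dir "$1"
fi
```

The result only says something about isolation when each account's PHP runs under its own UID; if every site runs as the same web server user, the file modes do not separate them.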
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: session.save_path ideas may save the server industry

Post by josh »

No idea what a tbit is, but why do you need world writable session files?