
session.save_path ideas may save the server industry

Posted: Sat Sep 06, 2008 10:45 am
by kervol
I have hardened my PHP to try and secure my servers; I now have complaints about session.save_path issues. I am using Linux and I want to set session.save_path to a tmp folder in each user's cgi-bin/tmp folder, which the server will create when building an account. What can I use here? session.save_path: "/home/needwildcardinfo/public_html/cgi-bin/tmp"

I need to know what to put in the wildcard spot, since each account name is different, so that it references any user account. I do not want to use the php.ini-in-each-account method.

Also, is there a way I can set a server wide cron to empty their cgi-bin/tmp folders weekly?

I am using the PHP configure in WHM.

Any help appreciated...

Re: session.save_path ideas may save the server industry

Posted: Tue Sep 09, 2008 5:21 am
by josh
You can write a function for PHP to call on session save; from there, put your logic into the PHP code. You can even save the sessions to a database.

Re: session.save_path ideas may save the server industry

Posted: Wed Sep 10, 2008 10:28 pm
by sidney
Is there a reason not to use a single directory? If not /tmp, then create some special-purpose one like /php-sessions. I see that my ISP does that: it gives the directory world write permissions and sets the t permission bit, so that all files created in that directory have permissions only for the userid of the file creator. I get the impression that is considered the common practice.

Re: session.save_path ideas may save the server industry

Posted: Wed Sep 10, 2008 10:40 pm
by josh
Not in my opinion, but I'm sure someone could come up with a reason, like manually reading out the file and using unserialize() or some bad practice like that. :roll:

Re: session.save_path ideas may save the server industry

Posted: Wed Sep 10, 2008 11:51 pm
by sidney
jshpro2 wrote: like manually reading out the file and using unserialize()

The idea of the t permission bit is that anyone can create a file in the directory, and if they don't give world read permission, nobody else can read the file, and they can't mess with the directory itself to get around that. Without the t bit, anything in a world-writable directory is potentially accessible, even if the file creator sets the file permissions to try to prevent that.
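As an added example (not code from the thread or from any of the posters), here is a small POSIX shell script that sets up a shared session directory the way sidney describes: world-writable with the sticky (t) bit set. It goes one step further than the post by also dropping world read on the directory, so other users cannot even list the session ids in it, and it includes a cleanup function of the kind the weekly cron job in the first post would run. The path /php-sessions, the 7-day age and the sess_ file prefix are assumptions for illustration; PHP's default session file names happen to start with sess_, but check your build.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Shared PHP session directory with the sticky bit, plus stale-file cleanup.
# Assumed paths and values: /php-sessions, sess_* file names, 7-day age.

# Create the shared session directory with mode 1733 (drwx-wx-wt):
# owner rwx; everyone else write+search only (no read, so the session
# ids in the directory cannot be listed); sticky bit set so only a
# file's owner can delete or rename it.
make_session_dir() {
  dir="$1"
  mkdir -p "$dir" || return 1
  chmod 1733 "$dir"
}

# Return 0 if the directory has the sticky bit set ('t' or 'T' in the
# last position of the ls mode field), 1 otherwise.
has_sticky_bit() {
  mode=$(ls -ld "$1" | cut -c1-10)
  case "$mode" in
    d????????[tT]) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if the directory is world-readable (any user could list the
# session ids stored in it), 1 otherwise. This is the check a hardening
# audit of a shared session directory should run.
is_world_readable() {
  mode=$(ls -ld "$1" | cut -c1-10)
  case "$mode" in
    d??????r??) return 0 ;;
    *) return 1 ;;
  esac
}

# Delete session files in DIR older than DAYS days. Run from root's
# crontab (root is not blocked by the sticky bit) on whatever schedule
# you want, e.g. weekly as asked about in the first post.
cleanup_sessions() {
  dir="$1"
  days="$2"
  find "$dir" -type f -name 'sess_*' -mtime +"$days" -exec rm -f {} +
}

# Count the session files currently present, for reporting.
count_sessions() {
  find "$1" -type f -name 'sess_*' | wc -l | tr -d ' '
}

# Example usage (assumed path):
#   make_session_dir /php-sessions
#   has_sticky_bit /php-sessions && echo "sticky bit set"
#   is_world_readable /php-sessions && echo "WARNING: directory is world-readable"
#   cleanup_sessions /php-sessions 7
```

Mode 1733 is deliberately stricter than the 1777 most distributions use for /tmp: PHP only needs to create, open and unlink its own session files, none of which requires read permission on the directory, and withholding it keeps session ids out of `ls` for other accounts on the box.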

Re: session.save_path ideas may save the server industry

Posted: Thu Sep 11, 2008 12:00 am
by josh
Cool. Sounds insecure.

Re: session.save_path ideas may save the server industry

Posted: Thu Sep 11, 2008 12:08 am
by sidney
jshpro2 wrote: Cool. Sounds insecure.

I don't get what you're saying there. What is insecure about that? Unless you are talking about a world-writable directory without the t bit being insecure, and yes, that's why the t bit was thought up: to allow a secure way of using a world-writable tmp directory.

Re: session.save_path ideas may save the server industry

Posted: Thu Sep 11, 2008 4:31 am
by josh
No idea what a t bit is, but why do you need world-writable session files?