How safe are session files?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Swede78
Forum Contributor
Posts: 198
Joined: Wed Mar 12, 2003 12:52 pm
Location: IL

How safe are session files?

Post by Swede78 »

I'm in the process of making a multi-part form, and I have a dilemma.

First, I tried using hidden fields from one page to the next and backwards too. It works ok. The problem comes if the user leaves the form pages and comes back. Then if they've already filled in some of the forms, their entries aren't there anymore.

I can either say too bad, and make the user re-type everything in. Or I can save their entries in their session file. I've done this now and it works great. I'm just a bit concerned for the safety of this method. The sessions files don't get deleted immediately after ending the session. And there is sensitive data in the session files. If my session directory is not in the www tree, does that mean that nobody will be able to get to them?

Is this a bad solution? I've looked for other multi-part form solutions, and I've found some, but they're just too complicated. But, if someone has a simple solution for handling multi-part forms, where the user can go back-and-forth between form pages, please let me know.

Thank you!
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY
Contact:

Post by Stoker »

If it is a shared-hosting server there are other users on the same machine and the session files are as secure as the permissions and ownership of the files.. if the webserver runs as "nobody" the session files probably have the same user and pretty much any other user on that machine can read them.. Not a huge risk but way too high for stuff like SSN, financials and CC info..

There is a limit to how secure it can be on a shared server, it is not easy to make it more secure than your user on the machine is, run all the scripts suexec (usually as CGI), as your own user, and handle session storage/retrieval yourself.

It would be possible to use reversible encryption as well, over an SSL connection give the user a cookie with a random unique key that is for session data decryption, this way no-one can easily decrypt all session data, and of course sign the key AND the data for integrity verification, even if someone did somehow steal someone's cookie key and was able to find this session record, the hack would be limited to one record only..
Swede78
Forum Contributor
Posts: 198
Joined: Wed Mar 12, 2003 12:52 pm
Location: IL

Post by Swede78 »

Thanks Stoker,

Actually, I'm using a dedicated server. I used ASP originally, and am converting to PHP. So, I'm pretty new to PHP, but it's quite similar to ASP in many respects.

Anyway, this is temporary. I needed a dedicated server, just so I could have both ASP and PHP. I can't find a host that supports both. When I'm done converting everything to PHP, I plan to move it back to a shared server... save some $.

So, I guess it just might depend on my host's settings. If I decide to continue using a dedicated server, I take it that the files are pretty secure, unless someone at my host decides to hack them.


What about changing the garbage process settings in php.ini file? I think mine is set to delete session files when it accumulates 1000 of them. What if I change that to every 10? Does that bog down the system? Anyone know how this would affect things?

Thanks again.
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Well if you changed it to 10, then I think it would cause problems if you have more than 10 users on-line at a time. That's probably a bad move for scalability.


If you're that worried about the session files then there are several solutions that I can think of:
1. use the mcrypt library to encode the saved data with a two-way cipher -- other users on a shared system would still be able to tell that the files exist, but couldn't snoop, you can also change the session save path to a directory you control, but outside of the web-tree. This directory would still have to be readable by the webserver/php user so it's only "security through obscurity" which I don't advocate normally, but coupled with the encryption it should protect you from casual attackers.

2. change the session handler to use a database for storing session data -- session data is as safe as any other information you store in a database
Swede78
Forum Contributor
Posts: 198
Joined: Wed Mar 12, 2003 12:52 pm
Location: IL

Post by Swede78 »

Thanks Nielsene,

That makes sense. I figured that the default settings were set at 1000 for a good reason.

As far as suggestion #2... I would prefer using the database, but I can't figure out how to remove old sessions. I could if everybody logged out. But most people just close the browser. Then I'd have to manually remove old sessions. I could probably create a script that I run once a week to do this. But, I don't even want to have to do that. (I'm not lazy, just forgetful :))

I've never messed with encryption, ASP or PHP. It sounds like a good idea, but I have to do a lot of research just to figure out where to begin.

Either I'm going to use hidden fields only for the sensitive data, and session variables for the not-so-sensitive data. Or, I'll take a look at encryption for the sensitive data.

Thank you!
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Well if you're in a *nix world you could always use a cron-job to handle the purging of sessions that are older than say 24 hours. I don't know the scheduling tool for windows, but I assume one exists.
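Putting nielsene's two suggestions together with the purge problem Swede78 raised, here is an added example (not code from anyone in the thread) of a PHP session handler that keeps session data in a database, encrypts and authenticates each record, and lets PHP's own garbage collection delete stale rows so no weekly cleanup script is needed. mcrypt has since been removed from PHP, so this uses openssl_encrypt with AES-256-GCM; the SQLite file, the table name and the SESSION_KEY environment variable are assumptions.

```php
<?php
// Added example, not from the thread. Database-backed session handler whose
// payload is encrypted + authenticated (AES-256-GCM). Assumptions: SQLite file
// "sessions.db", table "sessions", 32-byte key supplied as 64 hex chars in
// the SESSION_KEY environment variable (set outside the web tree).
declare(strict_types=1);

final class EncryptedDbSessionHandler implements SessionHandlerInterface
{
    private const CIPHER = 'aes-256-gcm';

    public function __construct(private PDO $db, private string $key)
    {
        if (strlen($key) !== 32) throw new InvalidArgumentException('key must be 32 bytes');
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (id TEXT PRIMARY KEY, data BLOB, updated INTEGER)');
    }
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $st->execute([$id]);
        $row = $st->fetchColumn();
        if ($row === false) return '';
        // Record layout: 12-byte IV | 16-byte GCM tag | ciphertext.
        $iv = substr($row, 0, 12); $tag = substr($row, 12, 16); $ct = substr($row, 28);
        // The session id is bound in as AAD, so a record cannot be swapped under another id.
        $plain = openssl_decrypt($ct, self::CIPHER, $this->key, OPENSSL_RAW_DATA, $iv, $tag, $id);
        return $plain === false ? '' : $plain;   // tampered record -> start with an empty session
    }
    public function write(string $id, string $data): bool
    {
        $iv = random_bytes(12);   // fresh nonce for every write
        $ct = openssl_encrypt($data, self::CIPHER, $this->key, OPENSSL_RAW_DATA, $iv, $tag, $id);
        $st = $this->db->prepare('REPLACE INTO sessions (id, data, updated) VALUES (?, ?, ?)');
        return $st->execute([$id, $iv . $tag . $ct, time()]);
    }
    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    // PHP calls this with session.gc_maxlifetime according to gc_probability/gc_divisor,
    // so abandoned sessions (browser simply closed) are removed without a cron job.
    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE updated < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }
}

$key = hex2bin((string) getenv('SESSION_KEY'));          // assumed key source
session_set_save_handler(new EncryptedDbSessionHandler(new PDO('sqlite:sessions.db'), $key), true);
session_start();
```

A cron job can still call the handler's gc() with the same lifetime if you want purging on a fixed schedule rather than probabilistically on requests.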
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

session.cache_expire may come in handy - default in the php.ini is 3 hours. That way you would not have the complications of limiting your sessions.