Securing session files with shared hosting

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
mu-ziq
Forum Newbie
Posts: 11
Joined: Fri Jul 08, 2005 9:42 pm

Securing session files with shared hosting

Post by mu-ziq »

I've looked into storing sessions in a DB. I understand the security risks involved in storing sessions in a public tmp directory on a shared server, however I decided that for my website that was a good enough solution(no sensitive information is stored in sessions). I still decided to protect my sessions by dropping a cookie with a randomly generated token onto a user's computer. This token is also recorded in a database on the server. This way if session files are compromised, one still needs to present the appropriate token to resume/continue the session which can only be found on user's PC or in the database.

My question is, does this method provide a safe alternative when DB sessions cannot be used or should I secure my session files further.

Thanks a lot for your help.
User avatar
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

This may not answer your question here but one point to note.
Session in database take less space (MySQL compression) and while files take exact number of bytes.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

client <-> server
cookie (a) <-> (c) db
session (b) <-> (d) file

I think if people can get (a) they should also be able to get (b). And vice versa.

With most shared hosting setups having access to (d) also implies you can get access to (c) because you can find the db credentials in the files/scripts...




PS: If mysql can compress the data before it dumps it somewhere on the filesystem, why wouldn't a different sessions manager be able to do it then?
User avatar
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

If you are on a shared host where Apache uses the same userid for every virtual host (the most common setup), there are very few places to hide your session data except in a database, because you can't rely on filesystem security.

Be careful not to consider the use of a database as a complete solution. You are still faced with the challenge of keeping your database access credentials a secret. If these are in your source code, it is likely that they can also be read, eliminating the extra level of protection provided by the database.

I personally don't think there is a perfect solution, but the best approach I've seen so far is a method I first read in the PHP Cookbook by David Sklar and Adam Trachtenberg. I describe their approach at the end of this article:

http://shiflett.org/articles/security-corner-mar2004

Hope that helps.
Post Reply