Securing session files with shared hosting
Posted: Mon Jul 11, 2005 1:10 pm
by mu-ziq
I've looked into storing sessions in a DB. I understand the security risks involved in storing sessions in a public tmp directory on a shared server, however I decided that for my website that was a good enough solution (no sensitive information is stored in sessions). I still decided to protect my sessions by dropping a cookie with a randomly generated token onto a user's computer. This token is also recorded in a database on the server. This way, if session files are compromised, one still needs to present the appropriate token to resume/continue the session, which can only be found on the user's PC or in the database.
My question is, does this method provide a safe alternative when DB sessions cannot be used, or should I secure my session files further?
Thanks a lot for your help.
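The token-cookie scheme mu-ziq describes, written out in PHP as an added example (not code from the original post). The table name session_tokens, the cookie name stoken and the in-memory SQLite database are assumptions made so it runs stand-alone (a persistent DSN would be used in practice); it needs PHP 7.3+ for random_bytes, hash_equals and the setcookie options array.

```php
<?php
// Added example: bind a file-based PHP session to a second, random token cookie
// whose hash is kept in a database. Someone who copies the session file from the
// shared tmp directory still lacks the token, so the session cannot be resumed.
// Assumed schema (hypothetical): session_tokens(session_id, token_hash, created).
// sqlite::memory: is only for a self-contained demo; use a persistent DSN for real.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE IF NOT EXISTS session_tokens (session_id TEXT PRIMARY KEY, token_hash TEXT NOT NULL, created INTEGER NOT NULL)');

const TOKEN_COOKIE = 'stoken';

// Issue a fresh 256-bit token; store only its hash so a leaked DB row cannot be replayed.
function issue_token(PDO $db, string $sid): string {
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('REPLACE INTO session_tokens (session_id, token_hash, created) VALUES (?, ?, ?)');
    $stmt->execute([$sid, hash('sha256', $token), time()]);
    return $token;
}

// Compare the presented token against the stored hash in constant time.
function token_is_valid(PDO $db, string $sid, ?string $token): bool {
    if ($token === null || strlen($token) !== 64 || !ctype_xdigit($token)) {
        return false;
    }
    $stmt = $db->prepare('SELECT token_hash FROM session_tokens WHERE session_id = ?');
    $stmt->execute([$sid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && hash_equals($row['token_hash'], hash('sha256', $token));
}

// Request flow: start the session, then require the matching token before trusting it.
session_start();
$sid = session_id();
if (empty($_SESSION['bound'])) {
    // Brand-new session: issue a token and mark the session as bound to it.
    $token = issue_token($db, $sid);
    setcookie(TOKEN_COOKIE, $token, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax', 'path' => '/']);
    $_SESSION['bound'] = true;
} elseif (!token_is_valid($db, $sid, $_COOKIE[TOKEN_COOKIE] ?? null)) {
    // Session data exists but the token is missing or wrong: refuse and discard it.
    session_unset();
    session_destroy();
    http_response_code(403);
    exit('Session could not be verified.');
}
```

Delete the session_tokens row on logout so a stale hash cannot outlive the session it protected.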
Posted: Tue Jul 12, 2005 12:38 pm
by anjanesh
This may not answer your question here but one point to note.
Sessions in a database take less space (MySQL compression), while files take the exact number of bytes.
Posted: Tue Jul 12, 2005 1:09 pm
by timvw
client <-> server
cookie (a) <-> (c) db
session (b) <-> (d) file
I think if people can get (a) they should also be able to get (b). And vice versa.
With most shared hosting setups having access to (d) also implies you can get access to (c) because you can find the db credentials in the files/scripts...
PS: If mysql can compress the data before it dumps it somewhere on the filesystem, why wouldn't a different sessions manager be able to do it then?
Posted: Sun Jul 24, 2005 2:58 pm
by shiflett
If you are on a shared host where Apache uses the same userid for every virtual host (the most common setup), there are very few places to hide your session data except in a database, because you can't rely on filesystem security.
Be careful not to consider the use of a database as a complete solution. You are still faced with the challenge of keeping your database access credentials a secret. If these are in your source code, it is likely that they can also be read, eliminating the extra level of protection provided by the database.
I personally don't think there is a perfect solution, but the best approach I've seen so far is a method I first read in the PHP Cookbook by David Sklar and Adam Trachtenberg. I describe their approach at the end of this article:
http://shiflett.org/articles/security-corner-mar2004
Hope that helps.