Session files

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

I just read a tutorial that explains how to change the path that session information is saved in... now when I change the path and open that directory via the URL bar, I get an index listing all session files, and when I open any of those files, I can see exactly what is in that session. Isn't that a MAJOR security issue? How can this be fixed?
Ree
Forum Regular
Posts: 592
Joined: Fri Jun 10, 2005 1:43 am
Location: LT

Post by Ree »

The PHP session data dir should not be accessible to anyone through the net. It shouldn't be in the root directory; why would you want it there?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Place a .htaccess file in the directory with a "deny from all" setting in it. ;) (Assuming you are using Apache.)
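The two replies above describe the same fix from two sides: keep the session directory out of the document root (Ree), and deny web access to it in case it is ever exposed anyway (feyd). The following PHP bootstrap is an added example, not code posted in this thread, that does both before `session_start()`. The paths (`/var/www/example/sessions`, `/var/www/example/public`) and the function name `configureSessionStorage` are assumptions for illustration; `Require all denied` is the Apache 2.4 form of feyd's `deny from all`.

```php
<?php
// Added example (not from the thread): put PHP session files outside the web
// root and lock the directory down before starting a session.
declare(strict_types=1);

/**
 * Configure a private session directory and refuse to start the session if
 * the directory is reachable through the document root or readable by
 * other local users. Returns the resolved save path.
 */
function configureSessionStorage(string $savePath, string $documentRoot): string
{
    // Create the directory owner-only (0700) if it does not exist yet.
    if (!is_dir($savePath) && !mkdir($savePath, 0700, true) && !is_dir($savePath)) {
        throw new RuntimeException("Cannot create session directory: $savePath");
    }

    $real    = realpath($savePath);
    $docRoot = realpath($documentRoot);
    if ($real === false || $docRoot === false) {
        throw new RuntimeException('Could not resolve session path or document root');
    }

    // A save path under the document root is exactly the problem in the
    // question: the web server would serve sess_* files or an index listing.
    $prefix = $docRoot . DIRECTORY_SEPARATOR;
    if ($real === $docRoot || strncmp($real, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException("Session directory $real is inside the web root $docRoot");
    }

    // Group/other permission bits must be clear so other users on a shared
    // host cannot read session contents.
    $mode = fileperms($real) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf('Session directory %s has mode %o; expected 0700', $real, $mode));
    }

    // Defence in depth (feyd's advice): deny web access even if the directory
    // is later exposed. Apache 2.4 syntax; 2.2 used "deny from all".
    $htaccess = $real . DIRECTORY_SEPARATOR . '.htaccess';
    if (!file_exists($htaccess)) {
        file_put_contents($htaccess, "Require all denied\n");
    }

    ini_set('session.save_path', $real);
    ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue
    return $real;
}

// Usage with assumed paths: the session dir is a sibling of the document
// root, never a child of it.
configureSessionStorage(
    '/var/www/example/sessions',
    $_SERVER['DOCUMENT_ROOT'] ?? '/var/www/example/public'
);
session_start();
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
```

The directory check is deliberately a hard failure rather than a warning: a session store that is readable over HTTP leaks every logged-in user's session data, so the application should not start at all in that state. The .htaccess file only helps on Apache with `AllowOverride` enabled, which is why the primary control is the location of the directory, not the override file.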