is Session not recommendable? or shouldnot be used?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

rami
Forum Contributor
Posts: 217
Joined: Thu Sep 15, 2005 8:55 am


Post by rami »

I read some security tutorials in books and on sites,
and all of them tend to say "don't use sessions to secure things".
Some sites even used phrases like "never use sessions".

Should sessions never be used for authentication, or as a means of maintaining user profiles, logins and all that?

Are sessions that vulnerable?
Mostly I start a session on successful login and check it on subsequent pages.
Is that vulnerable to attacks?
Mostly they say that on a shared host it will be much more vulnerable.
Then what is it useful for in security?
Many people tend to disable cookies.

Are sessions not recommended for use?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Written correctly they are fine for many things. Blindly accepting data they contain as authoritative can be insecure depending on a number of circumstances.

On a general level, they are perfectly fine.
rami
Forum Contributor
Posts: 217
Joined: Thu Sep 15, 2005 8:55 am

Post by rami »

feyd wrote:Written correctly they are fine for many things. Blindly accepting data they contain as authoritative can be insecure depending on a number of circumstances.

On a general level, they are perfectly fine.
Is there any example where sessions have been used fine, or maybe flawlessly?
I am just trying to check what mistakes I am making;
for now, as I said, I start a session on login and check that session.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Depending on settings, sessions are vulnerable mostly due to the file system being compromised. Where PHP is run as a module and the web server is run under a common (across accounts) user, sessions may be altered by other users. If their storage location is mishandled, they can be compromised.

Basically, if you need something secure in relation to sessions or your files, use dedicated hosting with active monitoring.
rami
Forum Contributor
Posts: 217
Joined: Thu Sep 15, 2005 8:55 am

Post by rami »

feyd wrote:Depending on settings, sessions are vulnerable mostly due to the file system being compromised. Where PHP is run as a module and the web server is run under a common (across accounts) user, sessions may be altered by other users. If their storage location is mishandled, they can be compromised.

Basically, if you need something secure in relation to sessions or your files, use dedicated hosting with active monitoring.
That's OK,
but we need to think of all circumstances.
Most people host sites on a shared host; in a commercial environment most people need only some small space.
So in a commercial environment we cannot say we will only program for a dedicated host.

From your comments I came to the conclusion that sessions on a shared host are vulnerable. So what other techniques can we use on a shared host?
Thanks for the comments.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

There are vservers, sudo-based CGI solutions, and there should have been mpm_perchild_module.
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

rami wrote:So what other techniques can we use on a shared host?
You might find this article informative:

http://shiflett.org/articles/security-corner-mar2004

It has some suggestions for making the most of a shared host. In your case, you probably want to keep your session data in a database:

http://phpsecurity.org/code/ch08-2

Otherwise, there's a lot that other users on the same host can do:

http://phpsecurity.org/code/ch08-1
http://phpsecurity.org/code/ch08-3
http://phpsecurity.org/code/ch08-4
http://phpsecurity.org/code/ch08-5

Hope that helps.
AKA Panama Jack
Forum Regular
Posts: 878
Joined: Mon Nov 14, 2005 4:21 pm

Post by AKA Panama Jack »

The only real security issue is with shared hosts that have been set up improperly and place all session files in the SAME directory for every account. This means there is the REMOTE possibility that another site on the same shared server could grab the session data and decode it.

If the shared host is properly set up then each site will have its own session data directory, thereby negating the possible security problem.

The other thing you can do is use a database table for storing all session data, or create your OWN PRIVATE session directory. You can still use all of the PHP session commands, but everything will go through YOUR session handler instead of the default one. This would bypass any potential security problems.
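Both shiflett's suggestion (keep session data in a database) and the custom-handler idea above come down to replacing PHP's file-based session storage. The handler below is an added example for this thread, not code from the thread, from shiflett's book or from PHP itself; it assumes PHP 5.4+ (SessionHandlerInterface), PDO, a `sessions` table and database credentials that belong to this account alone, since the database, not the directory, is what keeps other accounts' scripts out.

```php
<?php
// Added example: database-backed PHP session storage instead of files in /tmp.
// Assumed table (MySQL syntax):
//   CREATE TABLE sessions (id VARCHAR(128) PRIMARY KEY, data TEXT NOT NULL, expires INT NOT NULL);
class DbSessionHandler implements SessionHandlerInterface
{
    private $db;
    private $lifetime;  // seconds a session stays valid after its last write

    public function __construct(PDO $db, $lifetime = 1440)
    {
        $this->db = $db;
        $this->lifetime = (int) $lifetime;
    }

    public function open($savePath, $sessionName) { return true; }  // nothing to open: PDO is already connected
    public function close() { return true; }

    public function read($id)
    {
        // Expired rows are treated as absent so a stale id cannot be resumed.
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = :id AND expires > :now');
        $stmt->execute([':id' => $id, ':now' => time()]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : $data;  // '' tells PHP "no such session"
    }

    public function write($id, $data)
    {
        // Bound parameters only: the session id comes from the client cookie.
        $stmt = $this->db->prepare('REPLACE INTO sessions (id, data, expires) VALUES (:id, :data, :expires)');
        return $stmt->execute([':id' => $id, ':data' => $data, ':expires' => time() + $this->lifetime]);
    }

    public function destroy($id)
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    public function gc($maxlifetime)
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires < :now');
        return $stmt->execute([':now' => time()]);
    }
}

// Placeholder credentials: use a database user that only this account knows.
$db = new PDO('mysql:host=localhost;dbname=myapp', 'myapp_user', 'CHANGE-ME');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
session_set_save_handler(new DbSessionHandler($db), true);  // true registers session_write_close() at shutdown
session_start();
```

Every `$_SESSION` read and write now goes through this class, so nothing is written under the shared session directory at all.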
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Wouldn't session_save_path() prevent this problem as well... save the session data in your own directory... ?
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

Changing the directory where PHP saves session data to something unusual doesn't prevent other people from reading it.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Couldn't you change it to a directory other users on your host don't have any access to?
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

The Ninja Space Goat wrote:couldn't you change it to a directory other users on your host don't have any access to?
Sure, but they can write PHP scripts to read your session data, and their PHP scripts are executed by Apache.

You can play around with these scripts to see what I mean:

http://phpsecurity.org/code/ch08-1
http://phpsecurity.org/code/ch08-3
http://phpsecurity.org/code/ch08-4
http://phpsecurity.org/code/ch08-5

Hope that helps.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

OK, I see what you mean... thanks, shiflett.