Is Session not recommendable? Or should it not be used?
I read some security tutorials in books and on sites.
All of them tend to say don't use sessions to secure things.
Some sites even used phrases like "never use session".
Should sessions never be used for authentication or as a means of maintaining users' profiles, logins and all?
Are sessions that vulnerable?
Mostly I start a session on successful login and check it in subsequent pages.
Is that vulnerable to attacks?
Mostly they say that on a shared host it will be much more vulnerable.
Then what is its use for security?
Many people tend to disable cookies.
Are sessions not recommended for use?
feyd wrote: Written correctly they are fine for many things. Blindly accepting data they contain as authoritative can be insecure depending on a number of circumstances.
On a general level, they are perfectly fine.
Is there any example where sessions have been used fine, or maybe flawlessly?
I am just trying to check what mistakes I am making.
For now, as I said, I start a session on login and check that session.
- feyd
Depending on settings, sessions are vulnerable mostly due to the file system being compromised. Where PHP is run as a module and the web server is run under a common (across accounts) user, sessions may be altered by other users. If their storage location is mishandled, they can be compromised.
Basically, if you need something secure in relation to sessions or your files, use dedicated hosting with active monitoring.
feyd wrote: Depending on settings, sessions are vulnerable mostly due to the file system being compromised. Where PHP is run as a module and the web server is run under a common (across accounts) user, sessions may be altered by other users. If their storage location is mishandled, they can be compromised.
Basically, if you need something secure in relation to sessions or your files, use dedicated hosting with active monitoring.
That's OK, but we need to think of all circumstances.
Most people host sites on a shared host. In a commercial environment most people need only some small space.
So in a commercial environment we cannot say we will only program for a dedicated host.
From your comments I came to the conclusion that sessions on a shared host are vulnerable. So what other techniques can we use on a shared host?
Thanks for the comments.
There are vservers, sudo-based CGI solutions, and there should have been mpm_perchild_module.
rami wrote: So what other techniques can we use on a shared host?
You might find this article informative:
http://shiflett.org/articles/security-corner-mar2004
It has some suggestions for making the most of a shared host. In your case, you probably want to keep your session data in a database:
http://phpsecurity.org/code/ch08-2
Otherwise, there's a lot that other users on the same host can do:
http://phpsecurity.org/code/ch08-1
http://phpsecurity.org/code/ch08-3
http://phpsecurity.org/code/ch08-4
http://phpsecurity.org/code/ch08-5
Hope that helps.
- AKA Panama Jack
The only real security issue is with shared hosts that have been set up improperly and place all session files in the SAME directory for each account. This means there is the REMOTE possibility that another site on the same shared server could grab the session data and decode it.
If the shared host is properly set up then each site will have its own session data directory, thereby negating the possible security problem.
The other thing you can do is use a database table for storing all session data, or create your OWN PRIVATE session directory. You can still use all of the PHP session commands, but everything will go through YOUR session handler instead of the default one. This would bypass any potential security problems.
Wouldn't session_save_path() prevent this problem as well... save the session data in your own directory... ?
The Ninja Space Goat wrote: Couldn't you change it to a directory other users on your host don't have any access to?
Sure, but they can write PHP scripts to read your session data, and their PHP scripts are executed by Apache.
You can play around with these scripts to see what I mean:
http://phpsecurity.org/code/ch08-1
http://phpsecurity.org/code/ch08-3
http://phpsecurity.org/code/ch08-4
http://phpsecurity.org/code/ch08-5
Hope that helps.
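To see for yourself what feyd's point earlier in the thread (PHP as a module, one web server user across accounts) and the reply just above (other accounts' scripts also run as Apache, so a private save path alone is not enough) mean in practice, here is an added check script. It is not from this thread or from phpsecurity.org. Drop it into one account on a shared host and request it once: it reports the session directory, who owns the files in it, and decodes a few of them, all using nothing but the privileges every account's PHP already has. It assumes the default `files` save handler and reduces the `N;/path` form of `session.save_path` to its directory component.

```php
<?php
// Added check script for a shared host: what can the web server user read from
// the session directory? (Not code from the thread or from phpsecurity.org.)

function sessionDir(): string
{
    $raw = ini_get('session.save_path');
    if ($raw === false || $raw === '') {
        return sys_get_temp_dir();      // PHP falls back to the system temp directory
    }
    $parts = explode(';', $raw);        // "N;/path" or "N;mode;/path": keep the path
    return end($parts);
}

$uid = function_exists('posix_geteuid') ? posix_geteuid() : getmyuid();
$dir = sessionDir();
printf("running as uid %d, session.save_path = %s (mode %04o)\n",
       $uid, $dir, fileperms($dir) & 0777);

$files = glob($dir . '/sess_*') ?: [];
// When PHP runs as a module, every site's files are owned by the same uid,
// so ownership cannot tell your sessions apart from anyone else's.
printf("%d session files visible; owning uids: %s\n",
       count($files),
       implode(',', array_unique(array_map('fileowner', $files))));

// session_decode() only works inside an active session, so start one and abort
// it at the end so nothing is written back.
session_start();
foreach (array_slice($files, 0, 5) as $f) {
    $_SESSION = [];
    $blob = file_get_contents($f);
    if ($blob !== false && $blob !== '' && session_decode($blob)) {
        // Login flags, user ids and similar from whichever site set them, in clear text.
        printf("%s: %s\n", basename($f), json_encode($_SESSION));
    }
}
session_abort();
```

If the host runs PHP per account (suPHP, CGI with distinct uids, or the kind of setup listed a few posts up), the owning-uid list will contain only your own uid and other accounts' files will not decode; if you see one uid and foreign session contents, every account on the box has the same view of yours, whatever `session_save_path()` you chose.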