
Is Session not recommendable? Or should it not be used?

Posted: Sun Sep 17, 2006 12:37 pm
by rami
I read some security tutorials in books and on sites.
All of them tend to say don't use sessions to secure things;
some sites even use phrases like "never use session".

Should sessions never be used for authentication or as a means of maintaining user profiles, logins and all that?

Are sessions that vulnerable?
I mostly start a session on successful login and check it in subsequent pages.
Is it vulnerable to attacks?
Mostly they say on a shared host it will be much more vulnerable.
Then what is it useful for in security?
Many people tend to disable cookies.

Are sessions not recommended for use?

Posted: Sun Sep 17, 2006 12:49 pm
by feyd
Written correctly they are fine for many things. Blindly accepting data they contain as authoritative can be insecure depending on a number of circumstances.

On a general level, they are perfectly fine.

Posted: Sun Sep 17, 2006 1:15 pm
by rami
feyd wrote: Written correctly they are fine for many things. Blindly accepting data they contain as authoritative can be insecure depending on a number of circumstances.

On a general level, they are perfectly fine.
Is there any example where sessions have been used fine, or maybe flawlessly?
I am just trying to check what mistakes I am making.
For now, as I see it, that means starting a session on login and checking that session.

Posted: Sun Sep 17, 2006 1:20 pm
by feyd
Depending on settings, sessions are vulnerable mostly due to the file system being compromised. Where PHP is run as a module and the web server is run under a common (across accounts) user, sessions may be altered by other users. If their storage location is mishandled, they can be compromised.

Basically, if you need something secure in relation to sessions or your files, use dedicated hosting with active monitoring.

Posted: Tue Sep 19, 2006 2:32 am
by rami
feyd wrote: Depending on settings, sessions are vulnerable mostly due to the file system being compromised. Where PHP is run as a module and the web server is run under a common (across accounts) user, sessions may be altered by other users. If their storage location is mishandled, they can be compromised.

Basically, if you need something secure in relation to sessions or your files, use dedicated hosting with active monitoring.
That's OK,
but we need to think of all circumstances.
Most people host sites on a shared host... in a commercial environment most people need only some small space.
So in a commercial environment, we cannot say we will only program for dedicated hosts.

From your comments I came to the conclusion that sessions on a shared host are vulnerable. So what other techniques can we use on a shared host...?
Thanks for the comments.

Posted: Tue Sep 19, 2006 4:59 am
by volka
There are vservers, sudo-based CGI solutions, and there should have been mpm_perchild_module.

Posted: Sat Sep 23, 2006 5:53 pm
by shiflett
rami wrote: So what other techniques can we use on a shared host?
You might find this article informative:

http://shiflett.org/articles/security-corner-mar2004

It has some suggestions for making the most of a shared host. In your case, you probably want to keep your session data in a database:

http://phpsecurity.org/code/ch08-2

Otherwise, there's a lot that other users on the same host can do:

http://phpsecurity.org/code/ch08-1
http://phpsecurity.org/code/ch08-3
http://phpsecurity.org/code/ch08-4
http://phpsecurity.org/code/ch08-5

Hope that helps.

Posted: Sat Sep 23, 2006 8:37 pm
by AKA Panama Jack
The only real security issue is with shared hosts that have been set up improperly and place all session files in the SAME directory for each account. This means there is the REMOTE possibility another site on the same shared server could grab the session data and decode it.

If the shared host is properly set up then each site will have its own session data directory, thereby negating the possible security problem.

The other thing you can do is use a database table for storing all session data or create your OWN PRIVATE session directory. You can still use all of the PHP session commands but everything will go through YOUR session handler instead of the default one. This would bypass any potential security problems.

Posted: Sat Sep 23, 2006 8:40 pm
by Luke
Wouldn't session_save_path() prevent this problem as well... save the session data in your own directory... ?

Posted: Sat Sep 23, 2006 8:52 pm
by shiflett
Changing the directory where PHP saves session data to something unusual doesn't prevent other people from reading it.

Posted: Sun Sep 24, 2006 12:42 pm
by Luke
Couldn't you change it to a directory other users on your host don't have any access to?

Posted: Sun Sep 24, 2006 12:51 pm
by shiflett
The Ninja Space Goat wrote: Couldn't you change it to a directory other users on your host don't have any access to?
Sure, but they can write PHP scripts to read your session data, and their PHP scripts are executed by Apache.

You can play around with these scripts to see what I mean:

http://phpsecurity.org/code/ch08-1
http://phpsecurity.org/code/ch08-3
http://phpsecurity.org/code/ch08-4
http://phpsecurity.org/code/ch08-5

Hope that helps.

Posted: Sun Sep 24, 2006 1:24 pm
by Luke
OK, I see what you mean... thanks, shiflett.