Understanding session save path as no value and security


Solution 1

The default value for the session.save_path setting is "" (empty string), which defaults to /tmp.

From a "working" standpoint, there is no need to worry that it's set to no value (as that's the default); however, from a security standpoint there is.

Warning from the manual:

If you leave this set to a world-readable directory, such as /tmp (the default), other users on the server may be able to hijack sessions by getting the list of files in that directory.

Solution 2

You can set save_path by creating or editing .htaccess with this code:

php_value session.save_path /mnt/stor1-wc1-dfw1/123456/www.domain.com/web/sessions
php_value session.save_handler files

For more details visit this site: PHP Sessions State Servers on Cloud Sites And How To Fix Non Working PHP Sessions

Author: thank_you

Updated on June 26, 2022

Comments

  • thank_you
    thank_you about 2 years

    I only use sessions to store variables and was hoping to ensure that the session save path could not be tampered with by any of the users. So I went to check my phpinfo and found that the session save path was set to no value. Is this normal for users who only use sessions for variables? Do I have anything to worry about if the sessions save path is set to no value?

  • thank_you
    thank_you over 11 years
    So then I should set the session save path to an obscure file name and that will solve the security issue?
  • Mahn
    Mahn over 11 years
    Notice that it says other users on the server, that is, other users with server access. If you don't explicitly give your users server access there is not much to worry about from a security standpoint because the default tmp folder is not publicly reachable via http requests.
  • newfurniturey
    newfurniturey over 11 years
    @Mahn Correct - except any user that can, for any reason, gain access to execute PHP will have access to the /tmp folder as well. This could be a fellow web-developer, or someone malicious who found a hole. Turning a blind eye because it seems too hard to worry about is hardly a good security standard.
  • Mahn
    Mahn over 11 years
    @newfurniturey I think you would have bigger problems to worry about if any user for any reason could gain access to execute PHP on your machine.
  • newfurniturey
    newfurniturey over 11 years
    @jason328 Obscurity is not entirely necessary, but definitely somewhere outside of the /tmp folder (or, at least make it a sub-folder such as /tmp/sessions/ and to make the directory only readable by one user). The key is to set a custom save-path for every application you're running.
  • newfurniturey
    newfurniturey over 11 years
    @Mahn Quite true, but the ability to stealthily hijack a session on an e-commerce website would be far more appealing than using the server in a botnet (among other misc. things). This conversation branch could go on for days, but in the end - security is security and you shouldn't brush things under the carpet.
  • thank_you
    thank_you over 11 years
    So create the folder then set session save path php function before session start...
  • newfurniturey
    newfurniturey over 11 years
    @jason328 Correct. If you have multiple websites running, perhaps try creating the directory inside each specific website (like /home/example.com/session) and have an include in the header of every page that uses the sessions that calls session_save_path('/home/example.com/session');. Doing this should also keep file/folder permissions manageable.
  • dhaupin
    dhaupin almost 9 years
    @newfurniturey Old post, but just a thought: Certain systems such as Cloudlinux "jail" the /tmp for you already under each account, so no session_save_path mitigations are needed "in-app". Example location: /home/someaccount/.cagefs/tmp/
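The mitigation that Solution 1, Solution 2 and the comment thread converge on (a per-application session directory outside the shared /tmp, readable only by the application's own account, selected before session_start()) as an added PHP example. This is not code from the question, the answers or the PHP manual; the path /home/example.com/session is taken from the comment above, and the function names and the hypothetical application root constant are my own. It is the in-code counterpart of the .htaccess directives in Solution 2, for the case where you control only the application code and not the server configuration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or answers.
// Hypothetical per-site directory, as suggested in the comment thread.
const APP_SESSION_DIR = '/home/example.com/session';

/**
 * Ensure $dir exists, is owned by the PHP process user, and is not readable
 * by group or others (mode 0700). Returns $dir on success and throws
 * instead of letting PHP fall back silently to the world-listable /tmp.
 */
function ensurePrivateSessionDir(string $dir): string
{
    // Create with owner-only permissions; `true` creates missing parents.
    // is_dir() is re-checked so a concurrent request that created the
    // directory first is not reported as a failure.
    if (!is_dir($dir) && !mkdir($dir, 0700, true) && !is_dir($dir)) {
        throw new RuntimeException("Cannot create session directory $dir");
    }
    clearstatcache(true, $dir);

    $mode = fileperms($dir);
    if ($mode === false) {
        throw new RuntimeException("Cannot read permissions of $dir");
    }
    // Any group/other bit set means another account could list the directory
    // and read the session IDs from the file names, which is exactly the
    // hijack the manual warns about for /tmp.
    if (($mode & 0077) !== 0) {
        if (!chmod($dir, 0700)) {
            throw new RuntimeException(sprintf(
                '%s is accessible to other users (mode %o)', $dir, $mode & 0777
            ));
        }
        clearstatcache(true, $dir);
    }

    // chmod alone does not help if the directory belongs to someone else.
    // posix_geteuid() needs the posix extension, so the check is optional.
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        throw new RuntimeException("$dir is not owned by the PHP process user");
    }

    if (!is_writable($dir)) {
        throw new RuntimeException("$dir is not writable");
    }
    return $dir;
}

/**
 * Bootstrap to include on every page that uses sessions. The save path and
 * handler must be set before session_start(), otherwise the default applies.
 */
function startPrivateSession(string $dir = APP_SESSION_DIR): void
{
    ensurePrivateSessionDir($dir);
    ini_set('session.save_handler', 'files');
    session_save_path($dir);
    // Reject session IDs the server never issued; independent of where the
    // files live, but cheap to set in the same bootstrap.
    ini_set('session.use_strict_mode', '1');
    session_start();
}

startPrivateSession();
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
```

Including this file at the top of every page that uses sessions, as the comment thread suggests, gives each site its own directory with manageable permissions. The checks deliberately fail closed: if the directory cannot be made private, the page errors out rather than storing session files somewhere other accounts on the host can list.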