Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I am trying to better understand suPHP.
I have obviously found the suPHP documentation on google, and have found the generic answers for what it is and does, but I am confused on how it can help with session security and preventing session hijacking.
If anyone could clarify this for me, I’d be grateful. Google isn’t yielding any good results!
suphpisolates PHP processes on shared hosting. It allows to run scripts on each virtual host under a different user account.Which aids security by making the session store inaccessible to shared accounts on the same server. Occasionally a world-readable directory (see
session_save_path) might be used by PHPs session handler to store the serialized$_SESSIONblob. (For example/tmp/session/which is a subpar configuration to begin with). With suphp this is constrained.However this doesn’t help with session hijacking it all, as that originates from HTTP packet sniffing, or cross-site scripting exploits. Local access or just reading out the session store directory is a possible vector for session replay attacks, but a seldom one.