I would like to know why you improve the security of your sessions if you change session.save_path from the default /tmp to a real directory in your home directory before public_html?
Security:
If multiple applications write their sessions to the same directory, this can potentially allow a user to manipulate the content of their session and bypass the security of another application.
For example, if application A relies on $_SESSION['is_admin'] being set to true for admin users, and application B allows the user to set $_SESSION['is_admin'] to true, then the user can become admin on application A.
Setting a different session.save_path for each application avoids this problem.
If you don't control the other applications running on the same server, you should either store the sessions in a directory that isn't accessible by other applications, or encrypt the sessions so that other applications can't read and modify them.
See this slide (starting at page 15).
The PHP Suhosin patch / module can encrypt your sessions automatically.
Performance:
PHP has to periodically walk through all sessions in session.save_path in order to remove the expired ones. Having too many sessions in this directory can degrade performance.
If you have a different session.save_path per application, you have fewer sessions in each session directory.
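As an added example (not part of the original answer), here is how an application can give itself a private session.save_path outside the document root and refuse to start if that directory is readable or writable by other local users, which is the condition that makes the shared-/tmp attack above possible. The path /home/alice/sessions/appA and the helper name configureSessionStore are assumptions for illustration:

```php
<?php
// Added example, not code from the original answer. Paths and the helper
// name are assumptions for illustration.
declare(strict_types=1);

/**
 * Point this application's sessions at a private directory.
 *
 * $dir must live outside public_html (or any web-served directory) and be
 * readable/writable only by the account this application runs as. Must be
 * called before session_start().
 */
function configureSessionStore(string $dir): void
{
    if (!is_dir($dir)) {
        // 0700: owner only. Applications running as other users cannot list,
        // read or overwrite session files in here.
        if (!mkdir($dir, 0700, true) && !is_dir($dir)) {
            throw new RuntimeException("Cannot create session directory: $dir");
        }
    }

    // Refuse to use a directory that group/others can access: that would
    // recreate exactly the shared-/tmp problem the answer describes.
    $mode = fileperms($dir) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf(
            'Session directory %s is accessible to group/others (mode %04o)',
            $dir,
            $mode
        ));
    }

    if (!is_writable($dir)) {
        throw new RuntimeException("Session directory is not writable: $dir");
    }

    // ini_set() returns false if the directive cannot be changed at runtime
    // (for example when php.ini disables it); fail loudly instead of silently
    // falling back to the shared default path.
    if (ini_set('session.save_path', $dir) === false) {
        throw new RuntimeException('Unable to set session.save_path');
    }

    // Reject session IDs that do not correspond to a session PHP created
    // itself, so a file planted by someone else is not adopted as a session.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');
}

// Assumed layout: /home/alice/public_html is web-served,
// /home/alice/sessions/appA is not.
configureSessionStore('/home/alice/sessions/appA');
session_start();

// With a separate store, code in another application (the "application B"
// of the answer) that writes $_SESSION['is_admin'] = true into *its* store
// can no longer influence the value this application reads here.
$isAdmin = ($_SESSION['is_admin'] ?? false) === true;
```

Run this from the application's front controller before any output is sent; the permission check fails closed, which is preferable to quietly inheriting a world-writable default such as /tmp.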