Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
This article states that
If your site is run on a shared Web server, be aware that any session variables can easily be viewed by any other users on the same server.
On a larger host like GoDaddy, are there really no protections in place against this? Could it really be that easy? If it is that easy, where are the session vars of the other users on my host so I can check them out?
It is ridiculously easy because by default
php.ini#session.save_pathpoints to/tmpon Linux installs and similar for Windows. This is bad because most users have read and write privileges to/tmpbecause they need them. You can protect against this by storing your sesion state in the database or by changing were your PHP application stores it’s session files, usingsession_save_path