ID:               28242
 Comment by:       schlueter at phpbar dot de
 Reported By:      php at ter dot dk
 Status:           Bogus
 Bug Type:         Session related
 Operating System: Linux
 PHP Version:      4.3.6
 New Comment:

PHP knows nothing about different sites, nor where to write 
sessions other than /tmp, so the provider has to tell it. 
Most providers I know set the session.save_path per user 
in the Apache configuration and I don't see any reason to 
change this. If one provider doesn't do this it's not the 
fault of PHP but of the provider who isn't interested in 
security.

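The per-vhost session.save_path that the comments above describe, written out as an added example for this thread (not configuration from the report or from PHP itself); the hostnames, account names and paths are made up:

```apacheconf
# Added example: isolating each customer's session files on a shared mod_php host.
# Without a per-vhost setting every vhost falls back to the global default
# (typically /tmp), so one customer's scripts can read or forge another
# customer's session files.

# Weak: no session.save_path here, so this vhost shares the default directory.
<VirtualHost *:80>
    ServerName customer-a.example          # hypothetical hostname
    DocumentRoot /home/customer-a/htdocs   # hypothetical path
</VirtualHost>

# Hardened: each vhost gets its own directory. php_admin_value pins the
# setting so scripts cannot change it with ini_set() or a .htaccess php_value.
<VirtualHost *:80>
    ServerName customer-a.example
    DocumentRoot /home/customer-a/htdocs
    php_admin_value session.save_path "/var/lib/php/sessions/customer-a"
</VirtualHost>

<VirtualHost *:80>
    ServerName customer-b.example
    DocumentRoot /home/customer-b/htdocs
    php_admin_value session.save_path "/var/lib/php/sessions/customer-b"
</VirtualHost>
```

Each directory has to exist before PHP starts writing sessions and should be readable only by the account that runs that vhost's PHP code; with mod_php all vhosts run as the same Apache user, so the separate paths only keep sessions apart if scripts are also prevented (for example by open_basedir) from opening another customer's directory.
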

Previous Comments:
------------------------------------------------------------------------

[2004-05-01 16:54:51] php at ter dot dk

Please notice that not any single PHP-user in the world has access to
the Apache-configuration as well. That's the whole point:

This issue is relevant for customers at web providers. These customers
should be pretty restricted. safe_mode is also advertised as a method
of isolating users from each other, but that isn't enough here.

Furthermore, suggesting that every virtual host in the world where the
user has access to php should have a custom php-configuration - that's
just simply not going to happen.

It isn't a problem for those who host a website on their own server.
But it is a problem for everybody else.

I haven't heard a single good argument for why increased security
shouldn't be enabled per default, instead of allowing sites to access
other sites' session data.

Allowing sites to access each other's data should be the exception, not
the rule.

- Peter Brodersen

------------------------------------------------------------------------

[2004-05-01 15:56:35] schlueter at phpbar dot de

There's no need to change the scripts. Just set the 
save_path in your Apache configuration for every vhost - 
where should PHP know a "good" location from?

------------------------------------------------------------------------

[2004-05-01 15:53:30] php at ter dot dk

Err, make that session.save_path (and not sessions.save_handler).
Besides, where is that recommendation?

------------------------------------------------------------------------

[2004-05-01 15:42:01] php at ter dot dk

Is there a reason for this not being default?

It might be a political decision to create such a change in the
PHP-setup. But isn't it better to add this security in the first place
instead of requiring all scripts ever made to alter
sessions.save_handler ?

Think about it - all scripts ever distributed would have to be altered,
and no scripts downloaded would be ready to run as-is.

- Peter Brodersen

------------------------------------------------------------------------

[2004-05-01 15:17:02] [EMAIL PROTECTED]

This is not a bug as it's perfectly possible and recommended to set up
a special session "tmp" directory for each client/vhost/whatever. 

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/28242
