ID: 8189
Updated by: jimw
Reported By: [EMAIL PROTECTED]
Old-Status: Open
Status: Closed
Bug Type: Documentation problem
Assigned To:
Comments:

added a warning.

Previous Comments:
---------------------------------------------------------------------------

[2000-12-09 23:37:32] [EMAIL PROTECTED]

By default, session files are stored in /tmp, unless changed by sessions.save_path. Although the session files are not world-readable, the directory itself is, and any user on the system can get a list of session IDs just by looking at the filenames. If sessions are being used to track logins, a malicious user could hijack another person's login by copying his session ID into a URI. This could present a serious security risk depending on the application's use of sessions.

The simplest protection is to set sessions.save_path to a directory owned by the user PHP runs under, and chmod 700 that directory. This prevents easy viewing of existing session IDs.

---------------------------------------------------------------------------

Full Bug description available at: http://bugs.php.net/?id=8189
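The mitigation the report describes (a session directory owned by the PHP user with mode 700) can be applied and verified from a shell. The script below is an added example, not part of the bug report or of PHP itself: it creates such a directory, strips all group/other permission bits, and provides a check that an administrator can run against any existing save path to confirm other local users cannot list it. The directory path is a constructed placeholder; the php.ini directive that points PHP at the directory is `session.save_path` (the report spells it sessions.save_path).

```shell
#!/bin/sh
# Added example (not from the bug report): private PHP session directory.
# Assumes a POSIX shell with ls, mkdir and chmod; the path is a placeholder
# for whatever you set in php.ini as:
#   session.save_path = "/var/lib/php/sessions"

# session_dir_is_private DIR
#   Returns 0 when DIR exists and has no group or other permission bits,
#   i.e. other local users cannot list the session-id filenames inside it.
#   Returns 1 otherwise (missing directory, or group/other bits set).
session_dir_is_private() {
    dir=$1
    [ -d "$dir" ] || return 1
    # Columns 5-10 of `ls -ld` are the group and other rwx triplets;
    # a fully private directory shows "------" there.
    perms=$(ls -ld "$dir" | cut -c5-10)
    [ "$perms" = "------" ]
}

# make_private_session_dir DIR
#   Creates DIR (if needed), sets it to owner-only (mode 700) and confirms
#   the result. Run this as the user PHP executes as, so that the
#   directory ends up owned by that user.
make_private_session_dir() {
    dir=$1
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    session_dir_is_private "$dir"
}

# audit_session_dir DIR
#   Prints a one-line verdict for an existing save path; useful for
#   checking the default /tmp-style location, which is world-readable.
audit_session_dir() {
    if session_dir_is_private "$1"; then
        echo "OK: $1 is owner-only; session ids are not listable by other users"
    else
        echo "WARNING: $1 is readable by other users; set session.save_path to a mode-700 directory"
    fi
}

# Stand-alone demo (constructed paths under a temporary directory).
if [ "${0##*/}" != "sh" ] && [ -z "$SESSION_DIR_DEMO_SKIP" ]; then
    demo=$(mktemp -d)
    make_private_session_dir "$demo/php_sessions"
    audit_session_dir "$demo/php_sessions"
    mkdir -p "$demo/shared_tmp" && chmod 1777 "$demo/shared_tmp"
    audit_session_dir "$demo/shared_tmp"
    rm -rf "$demo"
fi
```

`audit_session_dir` only inspects the directory's own mode bits, which is exactly the exposure the report describes (listing filenames); it does not look inside the directory, so it can be run safely on a production host as a periodic check.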