[PROBLEM]
Sessions can easily be taken over by other, malicious users. All you need is the session-id and you're done. Users who have read access to the directory where PHP stores its session data can read the ids directly from the filenames. I don't think many administrators are aware of the security risks involved in storing sessions in world-readable directories (like /tmp, which is the default by now).

As you'll understand, the possibility of taking over sessions, and that way claiming to be somebody else, can be a serious security hazard. There is a workaround, but IMO PHP should be as secure as possible without a tricky configuration.

Note: this problem is only valid for file-based sessions.

[WORKAROUND]
A workaround is to create a directory which is only readable by the user who runs the webserver.

[PROPOSAL]
Instead of directly using the session-id, an alternate id which depends on the session-id and possibly some client-specific data should be used to construct a filename to store the session data. A good option would be, IMO, creating an MD5 hash of the session-id and some client-specific data, like his IP address. That MD5 hash will be the alternate id used to construct the filename to store the session data.

[ADVANTAGES]
No tricky configuration necessary to assure a safe session setup.

[DISADVANTAGES]
There's a slight overhead involved in creating the hash to construct the filename with the session data for each request.

Unfortunately my C skills and my knowledge of PHP internals are far from sufficient to implement this. However, I would like to hear any reactions on this proposal.

Sander

--
PHP Development Mailing List <http://www.php.net/>
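The proposal above, shown as an added example that is not code from the original post or from PHP itself: a userland session save handler that names each file by the MD5 of the session-id plus client-specific data instead of by the raw id. The save directory path, the use of REMOTE_ADDR as the client data and the `sess_` prefix are assumptions.

```php
<?php
// Added illustration of the proposal; not code from the original post or from PHP.
// Assumes PHP >= 5.4 (SessionHandlerInterface) and a save directory that is still
// readable only by the web server user, as the post's workaround recommends.
class HashedNameSessionHandler implements SessionHandlerInterface
{
    private $dir;
    private $clientData;
    public function __construct($dir, $clientData)
    {
        $this->dir = rtrim($dir, '/');
        $this->clientData = $clientData; // client-specific data, e.g. the IP address
    }
    // The on-disk name is md5(session-id + client data), so a directory listing
    // no longer reveals the raw session-id; the id itself never appears in a filename.
    private function path($id)
    {
        return $this->dir . '/sess_' . md5($id . '|' . $this->clientData);
    }
    public function open($savePath, $sessionName) { return is_dir($this->dir); }
    public function close() { return true; }
    public function read($id)
    {
        $file = $this->path($id);
        return is_file($file) ? (string) file_get_contents($file) : '';
    }
    public function write($id, $data)
    {
        return file_put_contents($this->path($id), $data, LOCK_EX) !== false;
    }
    public function destroy($id)
    {
        $file = $this->path($id);
        return !is_file($file) || unlink($file);
    }
    public function gc($maxlifetime)
    {
        foreach (glob($this->dir . '/sess_*') as $file) {
            if (filemtime($file) + $maxlifetime < time()) { unlink($file); }
        }
        return true;
    }
}

// Register before session_start(); REMOTE_ADDR is the client data the post suggests (assumed path).
session_set_save_handler(new HashedNameSessionHandler('/var/lib/php/sessions', $_SERVER['REMOTE_ADDR']), true);
session_start();
```

The hashed name only hides the id in the directory listing; the file contents stay readable by anyone with read access, so the restrictive directory permissions from the workaround are still required. Binding the name to the client IP also means a client whose address changes mid-session loses that session.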