On Fri, April 21, 2006 6:28 am, Ben Liu wrote:
> Yes, Chuck is correct here. The security issue I raised has to do
> with multiple users on the same shared server, which is how some
> hosting companies manage their clients. Each user may have a
> different home directory and has separation from other users,
> however, usually the same /tmp directory is used to store all the
> session cookies for all the users on the server. By running a simple
> script in your area you can read all the sessions managed by the
> server including sessions generated by other users. By moving the
> session cookies to a directory within your own user area it may make
> them more difficult to find, but it does not guarantee security as
> Chuck points out. This is discussed at [http://php.net/manual/en/
> ref.session.php] as pointed out by Jochem.

I wouldn't rely on the home directories and open_basedir as a real
super big security fence...

I believe that on some versions of PHP on some servers under some
httpd.conf setting which seems perfectly reasonable, a symlink from a
directory within open_basedir to a file you really shouldn't be able
to read lets you in.

Or, at least, I know I have used something like this to help people
retrieve files for which they managed to lose access through sheer
stupidity.

The restrictions PHP can impose are, really, kind of just hacks to try
to fix something that is basically way outside the realm and control
of PHP in the first place.

They're useful hacks, mind, and will stop the casual snoop.

But it's not something to bet the bank on.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
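The mitigation Ben describes, as an added example that is not part of the thread: give the account its own session.save_path outside the shared /tmp and refuse to start a session unless that directory is private and owned by the running user. The directory path is an assumption; the ownership check relies on the posix extension being available.

```php
<?php
// Added example (not from the mailing-list thread). Keeps PHP session files
// out of the world-readable shared /tmp by using a per-account directory and
// checking it really is private before session_start() writes anything to it.
declare(strict_types=1);

function private_session_dir(string $dir): string
{
    // Create the directory as 0700 if it does not exist yet.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session directory $dir");
    }
    // Resolve symlinks so the checks below apply to the real target.
    $realDir = realpath($dir);
    if ($realDir === false || !is_dir($realDir)) {
        throw new RuntimeException("cannot resolve session directory $dir");
    }
    // Refuse group/world access: other accounts on the same box must not be
    // able to list or read the session files (the /tmp problem from the thread).
    $perms = fileperms($realDir) & 0777;
    if (($perms & 0077) !== 0) {
        throw new RuntimeException(sprintf('%s is mode %04o, expected 0700', $realDir, $perms));
    }
    // Refuse a directory owned by someone else, e.g. a symlink pointing
    // into another account's area (assumes the posix extension is loaded).
    if (fileowner($realDir) !== posix_geteuid()) {
        throw new RuntimeException("$realDir is not owned by the current user");
    }
    return $realDir;
}

// Assumed per-account location outside the document root; adjust for the host.
$sessionDir = private_session_dir('/home/exampleuser/private/php_sessions');

ini_set('session.save_path', $sessionDir);
// Harden the session id as well: no JavaScript access, no client-chosen ids.
ini_set('session.cookie_httponly', '1');
ini_set('session.use_strict_mode', '1');

session_start();
```

Note that this only stops other accounts reading the session files through the filesystem; as the reply above says, it is not a guarantee against every misconfiguration of the shared server itself.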