Dear all:

Until I read the article "PHP Session security"
I haven't noticed how insecure PHP Sessions are.

Basically there're 2 problems: 

*) It's possible to hijack a session if you know the
SID (session id)

 1) If you're on a shared server (cheap webhosting)
other users can get the SIDs by doing "ls /tmp/sess_*"
(/tmp/ is defined on session.save_path on the config
file, so it may be different).

 2) When a user clicks on an external link, the
browser sends the REFERER url and sometimes it
contains the SID (if session.use_trans_sid is enabled)

PHP offers a security measure: with
session.referer_check it will reject SIDs comming from
other referers, but the referer url can be easily

*) Users can read session data from the session files,
which are owned by the server process (every user
which has an account on the webserver can read server
owned files)

(If you're intrested in the subject I would recommend
to read full the article:

I have developed some functions to avoid this
problems. They replace the standard session functions
(using session_set_save_handler), so you only have to
include the file at the beggining of your script and
(afaik) you're safe :)

This is the idea:

Apart from the session cookie, I set another one (with
the same name and the string '_sec' appended). On this
cookie I set a random KEY.
The name of the file which contains the session data
is the md5 hash of the SID and the KEY together. This
turns impossible to guess the session id by looking at
the filenames.

To hide the data inside the file, the serialized
string is crypted using the KEY as password, so nobody
can see the content of your user's sessions.

You can find the code here:

Im looking for suggestions to make it 100% compatible
with the standard session functions, and I would like
to hear some thougts about the idea

Martin Sarsale

Do You Yahoo!?
Yahoo! Finance - Get real-time stock quotes

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to