One thing that I did that may help.
Every time a session is opened, the system insists on writing to disk on
every page, whether the session is updated or not.
With a lot of users, this is a bit of a system bog.

So, I hold the contents of a session when 'read', in a global variable.
Then, in the write function, I see if it's changed. If it has, I do the
write. If it hasn't, I simply return from the function.

"Mar Tin" <[EMAIL PROTECTED]> wrote in message
> Dear all:
> Until I read the article "PHP Session security"
> (
> I haven't noticed how insecure PHP Sessions are.
> Basically there're 2 problems:
> *) It's possible to hijack a session if you know the
> SID (session id)
>  1) If you're on a shared server (cheap webhosting)
> other users can get the SIDs by doing "ls /tmp/sess_*"
> (/tmp/ is defined on session.save_path on the config
> file, so it may be different).
>  2) When a user clicks on an external link, the
> browser sends the REFERER url and sometimes it
> contains the SID (if session.use_trans_sid is enabled)
> PHP offers a security measure: with
> session.referer_check it will reject SIDs comming from
> other referers, but the referer url can be easily
> forged.
> *) Users can read session data from the session files,
> which are owned by the server process (every user
> which has an account on the webserver can read server
> owned files)
> (If you're intrested in the subject I would recommend
> to read full the article:
> I have developed some functions to avoid this
> problems. They replace the standard session functions
> (using session_set_save_handler), so you only have to
> include the file at the beggining of your script and
> (afaik) you're safe :)
> This is the idea:
> Apart from the session cookie, I set another one (with
> the same name and the string '_sec' appended). On this
> cookie I set a random KEY.
> The name of the file which contains the session data
> is the md5 hash of the SID and the KEY together. This
> turns impossible to guess the session id by looking at
> the filenames.
> To hide the data inside the file, the serialized
> string is crypted using the KEY as password, so nobody
> can see the content of your user's sessions.
> You can find the code here:
> Im looking for suggestions to make it 100% compatible
> with the standard session functions, and I would like
> to hear some thougts about the idea
> Martin Sarsale
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Finance - Get real-time stock quotes

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to