> Found this article and need the experts to consult on the statement "avoid
> the session mechanism". Is this a true problem? And what should we do if
> we cannot have a dedicated server to ourselves?
>
> http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/php.html
>
>
> Avoid the session mechanism. The ``session'' mechanism is handy for storing
> persistent data, but its current implementation has many problems. First, by
> default sessions store information in temporary files - so if you're on a
> multi-hosted system, you open yourself up to many attacks and revelations.
> Even those who aren't currently multi-hosted may find themselves
> multi-hosted later! You can "tie" this information into a database instead
> of the filesystem, but if others on a multi-hosted database can access that
> database with the same permissions, the problem is the same. There are also
> ambiguities if you're not careful (``is this the session value or an
> attacker's value''?) and this is another case where an attacker can force a
> file or key to reside on the server with content of their choosing - a
> dangerous situation - and the attacker can even control to some extent the
> name of the file or key where this data will be placed.
The thing to do would be to store the sessions in a more private place such as in a MySQL database. Here's what I use to handle sessions:

<?php
// Connection settings. Use a dedicated, least-privileged MySQL account
// for the sessions database rather than root.
$dbhost = "localhost";
$dbuser = "root";
$dbpasswd = "password";
$dbname = "sessions";
$tb_sessions = "sessions";   // table used by the handlers below
$sdbh = "";
$expire = 900;               // session lifetime in seconds

function sess_open($save_path, $session_name){
    global $dbhost, $dbuser, $dbpasswd, $dbname, $sdbh;
    if (! $sdbh = mysql_pconnect($dbhost, $dbuser, $dbpasswd)){
        echo mysql_error();
        exit;
    }
    if (! mysql_select_db($dbname, $sdbh)){
        echo mysql_error($sdbh);
        exit;
    }
    return true;
}

function sess_close(){
    return true;
}

function sess_read($key){
    global $sdbh, $tb_sessions;
    // The session id comes straight from the client's cookie, so it must
    // be escaped before it is put into the query.
    $key = mysql_real_escape_string($key, $sdbh);
    $query = "select data from $tb_sessions
              where id = '$key' and expire > UNIX_TIMESTAMP()";
    $result = mysql_query($query, $sdbh);
    if($result && $record = mysql_fetch_row($result)){
        return $record[0];
    } else {
        return "";   // read handlers return an empty string when there is no data
    }
}

function sess_write($key, $val){
    global $sdbh, $tb_sessions, $expire;
    $key = mysql_real_escape_string($key, $sdbh);
    $value = mysql_real_escape_string($val, $sdbh);
    $query = "replace into $tb_sessions
              values ('$key', '$value', UNIX_TIMESTAMP() + $expire)";
    $result = mysql_query($query, $sdbh);
    if (! $result){
        echo mysql_error($sdbh);
    }
    return (bool) $result;
}

function sess_destroy($key){
    global $sdbh, $tb_sessions;
    $key = mysql_real_escape_string($key, $sdbh);
    $query = "delete from $tb_sessions where id = '$key'";
    $result = mysql_query($query, $sdbh);
    return (bool) $result;
}

function sess_gc($maxlifetime){
    global $sdbh, $tb_sessions;
    // Expiry is stored per row, so the lifetime PHP passes in is not needed.
    $query = "delete from $tb_sessions where expire < UNIX_TIMESTAMP()";
    $result = mysql_query($query, $sdbh);
    return mysql_affected_rows($sdbh);
}

session_set_save_handler("sess_open", "sess_close", "sess_read",
                         "sess_write", "sess_destroy", "sess_gc");
session_start();
$sn = session_name();
$sid = session_id();
?>

The sessions table should look like:

CREATE TABLE sessions (
  id varchar(32) NOT NULL default '',
  data text NOT NULL,
  expire int(11) unsigned NOT NULL default '0',
  PRIMARY KEY (id)
)

------------------------------------------------------------------------
Greg Donald - http://destiney.com/
http://phprated.com/ | http://phplinks.org/ | http://phptopsites.com/
------------------------------------------------------------------------
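The same idea on a current PHP (7.4 or later), as an added example that is not from the post above or from the PHP project. It keeps the `sessions` table layout from the post but uses PDO prepared statements, so neither the cookie-supplied session id nor the serialized session data is ever spliced into SQL, and it enables `session.use_strict_mode` with a `validateId` check so that an id the server never issued is rejected rather than stored, which is the "attacker controls the key name" problem the quoted article describes. The DSN, the `sess_user` account and its password are placeholders.

```php
<?php
// Added example: MySQL-backed session handler with prepared statements and
// strict-mode id validation. Assumes PHP >= 7.4 and the `sessions` table
// (id, data, expire) defined in the post above.

final class MysqlSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private PDO $db;
    private int $lifetime;

    public function __construct(PDO $db, int $lifetime = 900)
    {
        $this->db = $db;
        $this->lifetime = $lifetime;
    }

    public function open($savePath, $sessionName): bool { return true; }
    public function close(): bool { return true; }

    public function read($id): string
    {
        $st = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = ? AND expire > UNIX_TIMESTAMP()');
        $st->execute([$id]);
        $row = $st->fetch(PDO::FETCH_NUM);
        return $row ? (string) $row[0] : '';
    }

    public function write($id, $data): bool
    {
        // Bound parameters: the serialized session data is sent as a value,
        // never as part of the SQL text.
        $st = $this->db->prepare(
            'REPLACE INTO sessions (id, data, expire) VALUES (?, ?, UNIX_TIMESTAMP() + ?)');
        return $st->execute([$id, $data, $this->lifetime]);
    }

    public function destroy($id): bool
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE id = ?');
        return $st->execute([$id]);
    }

    public function gc($maxLifetime): int
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expire < UNIX_TIMESTAMP()');
        $st->execute();
        return $st->rowCount();
    }

    // With session.use_strict_mode=1 PHP calls this for every id a client
    // presents. Only ids that already exist and have not expired are accepted,
    // so a client cannot choose its own key; anything else gets a fresh id.
    public function validateId($id): bool
    {
        if (!preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $id)) {
            return false;
        }
        $st = $this->db->prepare(
            'SELECT 1 FROM sessions WHERE id = ? AND expire > UNIX_TIMESTAMP()');
        $st->execute([$id]);
        return (bool) $st->fetchColumn();
    }

    public function updateTimestamp($id, $data): bool
    {
        $st = $this->db->prepare(
            'UPDATE sessions SET expire = UNIX_TIMESTAMP() + ? WHERE id = ?');
        return $st->execute([$this->lifetime, $id]);
    }
}

// Placeholder credentials: use an account granted rights on this table only.
$pdo = new PDO('mysql:host=localhost;dbname=sessions;charset=utf8mb4', 'sess_user', 'sess_password', [
    PDO::ATTR_ERRMODE         => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue
ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_set_save_handler(new MysqlSessionHandler($pdo, 900), true);
session_start();
```

This only addresses the application's side of the quoted concern. If other tenants on a shared database server hold the same privileges on the `sessions` table, they can still read or plant rows, so the account used here should be granted on that table alone and the table kept out of any shared schema.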
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php