> Found this article and need the experts to consult on the statement "avoid
> the session mechanism". Is this a true problem? And what should we do if
> we cannot have a dedicated server to ourselves?
>
> http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/php.html
>
>
> Avoid the session mechanism. The ``session'' mechanism is handy for storing
> persistent data, but its current implementation has many problems. First, by
> default sessions store information in temporary files - so if you're on a
> multi-hosted system, you open yourself up to many attacks and revelations.
> Even those who aren't currently multi-hosted may find themselves
> multi-hosted later! You can "tie" this information into a database instead
> of the filesystem, but if others on a multi-hosted database can access that
> database with the same permissions, the problem is the same. There are also
> ambiguities if you're not careful (``is this the session value or an
> attacker's value''?) and this is another case where an attacker can force a
> file or key to reside on the server with content of their choosing - a
> dangerous situation - and the attacker can even control to some extent the
> name of the file or key where this data will be placed.
The thing to do would be to store the sessions in a more private place such
as in a MySQL database. Here's what I use to handle sessions
<?php
$dbhost = "localhost";
$dbuser = "root";
$dbpasswd = "password";
$dbname = "sessions";
$tb_sessions = "sessions";  // table the handlers query (was never set in the original)
$sdbh = "";
$expire = 900;              // seconds a session stays valid after its last write

function sess_open($save_path, $session_name){
    global $dbhost, $dbuser, $dbpasswd, $dbname, $sdbh;
    $sdbh = mysql_pconnect($dbhost, $dbuser, $dbpasswd);
    if (! $sdbh){
        echo mysql_error();
        exit;
    }
    // the database was never selected in the original; do it once here
    if (! mysql_select_db($dbname, $sdbh)){
        echo mysql_error($sdbh);
        exit;
    }
    return true;
}

function sess_close(){
    return true;
}

function sess_read($key){
    global $sdbh, $tb_sessions;
    // $key is the session id taken from the client's cookie or URL, so it
    // must be escaped before it goes into the query
    $id = mysql_real_escape_string($key, $sdbh);
    $query = "select data from $tb_sessions
              where id = '$id' and expire > UNIX_TIMESTAMP()";
    $result = mysql_query($query, $sdbh);
    if ($result && ($record = mysql_fetch_row($result))){
        return $record[0];
    }
    return "";   // no live session for this id: empty data, not false
}

function sess_write($key, $val){
    global $sdbh, $tb_sessions, $expire;
    $id = mysql_real_escape_string($key, $sdbh);
    $value = mysql_real_escape_string($val, $sdbh);
    $query = "replace into $tb_sessions (id, data, expire)
              values ('$id', '$value', UNIX_TIMESTAMP() + $expire)";
    $result = mysql_query($query, $sdbh);
    if (! $result){
        echo mysql_error($sdbh);
    }
    return $result;
}

function sess_destroy($key){
    global $sdbh, $tb_sessions;
    $id = mysql_real_escape_string($key, $sdbh);
    $query = "delete from $tb_sessions where id = '$id'";
    return mysql_query($query, $sdbh);
}

function sess_gc($maxlifetime){
    global $sdbh, $tb_sessions;
    // expiry is stored as an absolute timestamp, so $maxlifetime is not needed
    $query = "delete from $tb_sessions where expire < UNIX_TIMESTAMP()";
    mysql_query($query, $sdbh);
    return mysql_affected_rows($sdbh);
}

session_set_save_handler("sess_open", "sess_close", "sess_read",
                         "sess_write", "sess_destroy", "sess_gc");
session_start();
$sn = session_name();
$sid = session_id();
?>
The sessions table should look like:
    CREATE TABLE sessions (
        id varchar(32) NOT NULL default '',
        data text NOT NULL,
        expire int(11) unsigned NOT NULL default '0',
        PRIMARY KEY (id)
    );
------------------------------------------------------------------------
Greg Donald - http://destiney.com/
http://phprated.com/ | http://phplinks.org/ | http://phptopsites.com/
------------------------------------------------------------------------
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
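The same design written against current PHP, as an added example and not Greg's code: prepared statements keep the client-supplied session id out of the SQL entirely, the id's shape is checked before any query is built, and implementing validateId() is what makes session.use_strict_mode actually reject an id the server never issued for a user handler (without it, strict mode accepts any id), which answers the HOWTO's point about attacker-chosen keys. It assumes PHP 7 or later with PDO, the sessions table from the post (its 32-character id column suits PHP's default session.sid_length of 32), and a DSN, user name and password that are placeholders.

```php
<?php
// Added example, not the original post's code. Assumes PHP 7+, PDO and the
// `sessions` table (id, data, expire) from the post; DSN and credentials are placeholders.
class PdoSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private $pdo;
    private $lifetime;  // seconds a session stays valid after its last write
    public function __construct(PDO $pdo, int $lifetime = 900) {
        $this->pdo = $pdo;
        $this->lifetime = $lifetime;
    }
    // PHP issues ids of 22-256 chars from [A-Za-z0-9,-]; refuse anything else
    // before a query is built, even though binding alone would keep it inert.
    private function wellFormed($id): bool {
        return is_string($id) && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1;
    }
    // The id travels as a bound parameter: it is data, never part of the SQL.
    private function fetch(string $column, string $id) {
        $st = $this->pdo->prepare("SELECT $column FROM sessions WHERE id = ? AND expire > UNIX_TIMESTAMP()");
        $st->execute([$id]);
        return $st->fetchColumn();
    }
    public function open($savePath, $name) { return true; }
    public function close() { return true; }
    // use_strict_mode asks this before accepting a client-supplied id, so an id
    // the server never wrote is replaced instead of becoming a new key.
    public function validateId($id) {
        return $this->wellFormed($id) && $this->fetch('1', $id) !== false;
    }
    public function read($id) {
        $data = $this->wellFormed($id) ? $this->fetch('data', $id) : false;
        return $data === false ? '' : $data;  // '' for an unknown id, never false
    }
    public function write($id, $data) {
        if (!$this->wellFormed($id)) return false;
        $st = $this->pdo->prepare('REPLACE INTO sessions (id, data, expire) VALUES (?, ?, UNIX_TIMESTAMP() + ?)');
        return $st->execute([$id, $data, $this->lifetime]);
    }
    public function updateTimestamp($id, $data) { return $this->write($id, $data); }
    public function destroy($id) {
        return !$this->wellFormed($id) || $this->pdo->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    public function gc($maxlifetime) {
        return $this->pdo->exec('DELETE FROM sessions WHERE expire < UNIX_TIMESTAMP()');
    }
}
ini_set('session.use_strict_mode', '1');
$pdo = new PDO('mysql:host=localhost;dbname=sessions', 'sessuser', 'password', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
session_set_save_handler(new PdoSessionHandler($pdo, 900), true);
session_start();
```

The database account used here should have only SELECT, INSERT, UPDATE and DELETE on the sessions table rather than the root login in the original, which limits what a co-tenant on a shared database server can reach through it.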