This post continues from my previous post, which gave an overview of all the PHP session security issues. It is the first in the series to go into more specific detail about each point I made previously.
Session storage directory
This is the directory where the files holding session data are saved; by default it is the /tmp directory of your server. The main problem arises on a shared server, where the session data for every site hosted on that server is stored in /tmp and everyone using that server has access to it. As mentioned in my previous post, the data stored in these files is serialised but in no way encrypted or secured.
This isn't quite as bad as it sounds, because anyone who looks at this directory won't be able to tell which domain on that server each session relates to, but they will be able to see all the session IDs and the data stored within them. Hopefully you haven't been storing sensitive data in session variables, so any information they do find won't be of any use, but knowing all those session IDs is one of the first steps to hijacking a session; more on that in a separate post.
This is quite an easy one to fix, as there are a few ways around it: storing all session data in a database, writing your own session handler or, easiest of all, changing the location where your session files are stored. I'll be covering the last of these here, since this series of posts is about the default PHP session handler, but you can Google around and find more information about the other two pretty easily. I'll hopefully get around to writing a post about them myself at some point.
To change the location where sessions are stored you'll need to use the session_save_path() function and make sure that the directory you save to is secured so that people outside the server cannot list or open the files in it. There are two ways of doing this that I can think of: the first is to use directory and file permissions (here is a good summary) and the second is to use .htaccess settings (here is a good article on it).
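Putting the above together, here is an added example (not code from the original post) of moving the default handler's session files into a private directory and checking its permissions before the session starts. The path /var/www/example/sessions is a placeholder; pick one outside your web root.

```php
<?php
// Added example: keep the default PHP session handler, but store its files
// in a per-site directory instead of the shared /tmp.
// Placeholder path; anything outside the document root will do.
$sessionDir = '/var/www/example/sessions';

// Create the directory if needed, readable and writable only by the web
// server user (0700). umask() can widen the mode mkdir() applies, so chmod
// afterwards to be sure.
if (!is_dir($sessionDir)) {
    if (!mkdir($sessionDir, 0700, true)) {
        throw new RuntimeException("Cannot create session directory $sessionDir");
    }
    chmod($sessionDir, 0700);
}

// Refuse to start a session if group or other users can read the directory;
// that would leave us no better off than /tmp on a shared server.
$perms = fileperms($sessionDir) & 0777;
if ($perms & 0077) {
    throw new RuntimeException(sprintf(
        'Session directory %s has mode %o, expected 0700', $sessionDir, $perms
    ));
}
if (!is_writable($sessionDir)) {
    throw new RuntimeException("Session directory $sessionDir is not writable");
}

// session_save_path() must be called before session_start(); the same
// setting can also be made via session.save_path in php.ini or .htaccess.
session_save_path($sessionDir);

// Some distributions (Debian/Ubuntu) set session.gc_probability to 0 and
// clean the *default* directory with a cron job; a custom directory gets no
// cleanup unless PHP's own garbage collector is enabled.
ini_set('session.gc_probability', '1');
ini_set('session.gc_divisor', '100');

session_start();
```

If the directory has to live under the web root for some reason, the .htaccess approach mentioned above adds a second layer by denying web access to it, but keeping it outside the document root avoids that exposure altogether.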
I hope this has been helpful; the next post will be about storing the session ID on the client.
Other parts in this series:
- Part 1 - Considerations
- Part 2 - Session storage on your server (you're already here)
- Part 3 - Session ID storage on the client
- Part 4 - Secure connections
- Part 5 - Session fixation