
PHP Session Security


"If you are having your Web site hosted on a shared server, chances are that other customers on the same server can have full access to your application and your data, due to [an] inadequate PHP engine configuration. [...] One part of the problem is in the default configuration of the session module." Basically: the default session handler writes every session to a file in the shared session.save_path (usually /tmp), and those files belong to the web server user. On a host where every customer's scripts run as that same user, anyone with an account can read the other customers' session files, learn the session data and the session ID, and then present that ID in their own cookie. session.referer_check offers no real protection here, because the Referer header is sent by the client and can be set to whatever value the check expects, so the hijacked session is accepted.

In practice things may be a bit harder, and chances are your web host has taken some precautions. But if you have to run an important application on a shared server, have a look at Martin Sarsale's session function replacements, which he wrote in reply to a webkreator.com note on the subject.
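The kind of replacement the post points at, as an added example that is neither the page's nor Martin Sarsale's code: a database-backed save handler registered with session_set_save_handler(), so session data never lands in the shared /tmp. The DSN, credentials and the table name php_sessions are assumed placeholders. Only a SHA-256 of the session ID is stored, so a leaked table or backup yields no cookie value that could be replayed, and the client-supplied ID is checked against PHP's own character set before it reaches a query.

```php
<?php
// Added example (not the page's or Martin Sarsale's code): database-backed
// session storage for shared hosts where the default file handler writes
// sess_* files into a common session.save_path readable by every customer's
// scripts. DSN/credentials/table name below are assumptions; keep the real
// ones in a file outside the document root.
$dsn  = 'mysql:host=localhost;dbname=myapp;charset=utf8mb4';
$user = 'myapp';
$pass = 'change-me';
$pdo  = new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Assumed schema:
// CREATE TABLE php_sessions (
//   id_hash CHAR(64) PRIMARY KEY,   -- sha256 of the session ID, never the ID
//   data    MEDIUMBLOB NOT NULL,
//   expires INT UNSIGNED NOT NULL
// );

// Session IDs arrive from the cookie (or URL), i.e. from the attacker.
// Reject anything outside the alphabet PHP itself generates, then hash it so
// the stored key cannot be turned back into a usable cookie.
function sess_key(string $id): string
{
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
        throw new InvalidArgumentException('malformed session id');
    }
    return hash('sha256', $id);
}

function sess_ttl(): int
{
    return (int) ini_get('session.gc_maxlifetime') ?: 1440;
}

$handler = new class($pdo) implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface {
    private PDO $pdo;
    public function __construct(PDO $pdo) { $this->pdo = $pdo; }
    public function open($savePath, $sessionName): bool { return true; }
    public function close(): bool { return true; }

    public function read($id): string
    {
        $st = $this->pdo->prepare('SELECT data FROM php_sessions WHERE id_hash = ? AND expires > ?');
        $st->execute([sess_key($id), time()]);
        $row = $st->fetchColumn();
        return $row === false ? '' : (string) $row;
    }

    public function write($id, $data): bool
    {
        $st = $this->pdo->prepare('REPLACE INTO php_sessions (id_hash, data, expires) VALUES (?, ?, ?)');
        return $st->execute([sess_key($id), $data, time() + sess_ttl()]);
    }

    public function destroy($id): bool
    {
        $st = $this->pdo->prepare('DELETE FROM php_sessions WHERE id_hash = ?');
        return $st->execute([sess_key($id)]);
    }

    public function gc($maxLifetime): int
    {
        $st = $this->pdo->prepare('DELETE FROM php_sessions WHERE expires <= ?');
        $st->execute([time()]);
        return $st->rowCount();
    }

    // Needed for session.use_strict_mode: an ID that was never issued by this
    // application (e.g. one an attacker fixates or guesses) is refused, and
    // PHP generates a fresh one instead.
    public function validateId($id): bool
    {
        $st = $this->pdo->prepare('SELECT 1 FROM php_sessions WHERE id_hash = ? AND expires > ?');
        $st->execute([sess_key($id), time()]);
        return $st->fetchColumn() !== false;
    }

    public function updateTimestamp($id, $data): bool
    {
        $st = $this->pdo->prepare('UPDATE php_sessions SET expires = ? WHERE id_hash = ?');
        return $st->execute([time() + sess_ttl(), sess_key($id)]);
    }
};

session_set_save_handler($handler, true);
ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
ini_set('session.use_strict_mode', '1');  // reject IDs the handler did not issue
session_start();
```

This moves the secret from a world-shared directory to database credentials that only the application holds, which is the most an application can do on its own. If the host runs every customer's PHP under the same system user, a neighbour who can read your config file still gets those credentials; the remaining fix is on the host side (a separate PHP user or FPM pool per customer, a per-customer session.save_path, open_basedir), which is why the text above says to check what precautions your host has taken.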
