Sec Bug #76977 include session.save_path in session.security.ini.php
Submitted: 2018-10-05 13:02 UTC Modified: 2020-08-13 13:23 UTC
From: anders dot henke at 1und1 dot de Assigned: cmb (profile)
Status: Closed Package: Documentation problem
PHP Version: Irrelevant OS: n/a
Private report: No CVE-ID: None
 [2018-10-05 13:02 UTC] anders dot henke at 1und1 dot de
Description:
------------
http://php.net/manual/en/session.configuration.php#ini.session.save-path
quotes a warning to avoid world-readable directories, as those may be used to hijack user sessions.

http://php.net/manual/en/session.security.ini.php
is a reference page for security-related ini settings used in session handling; this page does not describe session.save_path, even though PHP does provide an insecure default for session.save_path.


Expected result:
----------------
Due to the default for session.save_path being $TMPDIR (a world-readable directory) and the security impact regarding world-readable directories also documented in http://php.net/manual/en/session.configuration.php#ini.session.save-path, I do recommend including the security impact of session.save_path's default value in session.security.ini.php as well.



Actual result:
--------------
http://php.net/manual/en/session.security.ini.php does not describe session.save_path, even though PHP does provide an insecure default for session.save_path and not changing the default can result in session hijacking between multiple websites sharing the same session.save_path.

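As an added hardening example (not code from the bug report, the PHP manual or the documentation fix), the following bootstrap points an application at its own session directory instead of the shared $TMPDIR default and refuses to start a session if that directory is readable by other local users; the directory path is an assumption.

```php
<?php
declare(strict_types=1);

// Assumed, deployment-specific location for this application's session files.
// The point is that it is NOT the shared $TMPDIR (e.g. /tmp) default that
// other websites on the same host also use.
const APP_SESSION_DIR = '/var/lib/php/sessions/example-app';

/**
 * Returns true only when $dir exists, is a directory, and carries no
 * group or other permission bits. Any such bit means a neighbouring
 * site running under a different user could read the sess_* files
 * and reuse their identifiers.
 */
function sessionDirIsPrivate(string $dir): bool
{
    if (!is_dir($dir)) {
        return false;
    }
    clearstatcache(true, $dir);
    $mode = fileperms($dir) & 0777;
    return ($mode & 0077) === 0;
}

/**
 * Creates the directory if needed, enforces mode 0700 and, if the
 * result is still not private, aborts rather than silently falling
 * back to a shared world-readable location.
 */
function configureSessionStorage(string $dir): void
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session directory $dir");
    }
    // mkdir() applies the process umask, so re-apply the mode explicitly.
    chmod($dir, 0700);
    if (!sessionDirIsPrivate($dir)) {
        throw new RuntimeException("session directory $dir is readable by other users");
    }
    ini_set('session.save_path', $dir);
    // Reject session IDs the server never issued, limiting the impact of
    // an identifier learned from any shared storage.
    ini_set('session.use_strict_mode', '1');
}

configureSessionStorage(APP_SESSION_DIR);
session_start();
```

The same check belongs in deployment tooling as well: a php.ini that sets session.save_path to a per-site directory is only as good as that directory's permissions at runtime.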
 [2018-10-05 13:18 UTC] anders dot henke at 1und1 dot de
Notice: http://php.net/manual/en/memcached.sessions.php also uses session.save_path in a similar way with similar security impact, but also lacks a warning about sharing the same session.save_path (memcached instance) between mutually untrusted websites.
 [2020-08-13 13:23 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2020-08-13 13:24 UTC] phpdocbot@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=doc/en.git;a=commit;h=418de4470840c212677d03adb64c372f77fdf510
Log: Fix #76977: include session.save_path in session.security.ini.php
 [2020-08-14 02:10 UTC] phpdocbot@php.net
Automatic comment on behalf of mumumu
Revision: http://git.php.net/?p=doc/ja.git;a=commit;h=17d6493dcb23c7c272e1c96248ab78a3088a32de
Log: Fix #76977: include session.save_path in session.security.ini.php
 [2020-12-30 11:59 UTC] nikic@php.net
Automatic comment on behalf of mumumu
Revision: http://git.php.net/?p=doc/ja.git;a=commit;h=d1b1c6f3b5e4f0b9a8fe8491db3fc6bb3c97215c
Log: Fix #76977: include session.save_path in session.security.ini.php
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 31 23:01:28 2024 UTC