PHP :: Doc Bug #8189 :: storing sessions in world readable directory

Doc Bug #8189	storing sessions in world readable directory
Submitted:	2000-12-09 23:37 UTC	Modified:	2001-01-22 21:05 UTC
From:	dig at cynosure dot com	Assigned:
Status:	Closed	Package:	Documentation problem
PHP Version:	4.0.3pl1	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	dig at cynosure dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2000-12-09 23:37 UTC] dig at cynosure dot com

By default, session files are stored in /tmp by default, unless changed by sessions.save_path. Although the session files are not world-readable, the directory itself is, and any user on the system can get a list of sessionids by just looking at the filenames.  If sessions are being used to track logins, a malicious user could hijack another person's login by copying his session-id into a URI. This could present a serious security risk depending on the application's use of sessions.

The simplest protection is to set sessions.save_path to a directory owned by the user PHP runs under, and chmod 700 that directory.  This prevents easy viewing of existing session IDs.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2001-01-22 21:05 UTC] jimw@php.net

added a warning.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu May 08 01:01:27 2025 UTC