Sec Bug #76977 include session.save_path in session.security.ini.php
Submitted: 2018-10-05 13:02 UTC Modified: 2020-08-13 13:23 UTC
From: anders dot henke at 1und1 dot de Assigned: cmb (profile)
Status: Closed Package: Documentation problem
PHP Version: Irrelevant OS: n/a
Private report: No CVE-ID: None
 [2018-10-05 13:02 UTC] anders dot henke at 1und1 dot de
Description:
------------
http://php.net/manual/en/session.configuration.php#ini.session.save-path
quotes a warning to avoid world-readable directories, as those may be used to hijack user sessions.

http://php.net/manual/en/session.security.ini.php
is a reference page for security-related ini-settings used in session handling; this page does not describe session.save_path, even though PHP does provide an insecure default for session.save_path.


Expected result:
----------------
Due to the default for session.save_path being $TMPDIR (a world-readable directory) and the security impact of world-readable directories also being documented in http://php.net/manual/en/session.configuration.php#ini.session.save-path, I do recommend including the security impact of session.save_path's default value in session.security.ini.php as well.



Actual result:
--------------
http://php.net/manual/en/session.security.ini.php does not describe session.save_path, even though PHP does provide an insecure default for session.save_path and not changing the default can result in session hijacking between multiple websites sharing the same session.save_path.
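The following is an added example of the hardening the report recommends; it is not code from the bug report, the PHP manual, or php-src. It assumes the application runs under its own Unix account and that /var/lib/php/sessions/example-app (an illustrative path and name) can be created by that account. Instead of leaving session.save_path at the shared $TMPDIR default, it points the file handler at a per-application directory and refuses to start a session if that directory is readable by other local users or owned by someone else.

```php
<?php
declare(strict_types=1);

// Added example, not code from the bug report, the PHP manual, or php-src.
// Assumption: PHP runs as the application's own Unix user and may create
// /var/lib/php/sessions/example-app (path and name are illustrative).

/**
 * Make sure $dir exists, is owned by the user PHP runs as, and is not
 * readable, writable, or traversable by group or others. Returns the
 * canonical path; throws rather than silently fall back to the default.
 */
function ensure_private_session_dir(string $dir): string
{
    if (!is_dir($dir)) {
        // mkdir() is subject to the umask, so the mode is re-applied below.
        if (!@mkdir($dir, 0700, true) && !is_dir($dir)) {
            throw new RuntimeException("cannot create session directory $dir");
        }
        if (!chmod($dir, 0700)) {
            throw new RuntimeException("cannot chmod session directory $dir");
        }
    }

    $real = realpath($dir);
    if ($real === false) {
        throw new RuntimeException("cannot resolve session directory $dir");
    }

    $st = stat($real);
    if ($st === false) {
        throw new RuntimeException("cannot stat session directory $real");
    }

    // 0077 covers every group/other bit; any of them set means another local
    // account could list or read the sess_* files and reuse their IDs.
    if (($st['mode'] & 0077) !== 0) {
        throw new RuntimeException(sprintf(
            '%s is accessible to group/others (mode %04o); refusing to store sessions there',
            $real,
            $st['mode'] & 07777
        ));
    }

    // A directory owned by another account can have its mode changed by that
    // owner, so the permission check above is only meaningful if we own it.
    if (function_exists('posix_geteuid') && $st['uid'] !== posix_geteuid()) {
        throw new RuntimeException(sprintf(
            '%s is owned by uid %d, but PHP runs as uid %d',
            $real,
            $st['uid'],
            posix_geteuid()
        ));
    }

    return $real;
}

// The equivalent php.ini / php-fpm pool setting is
//   session.save_path = "/var/lib/php/sessions/example-app"
// With the setting left at its default, session files go to the shared
// $TMPDIR (usually /tmp), where every other site on the host can read them.
$dir = ensure_private_session_dir('/var/lib/php/sessions/example-app');
session_save_path($dir);

// Sanity check: the file handler is really using our directory, not the default.
if (session_save_path() !== $dir) {
    throw new RuntimeException('session.save_path was not applied');
}

session_start();
```

Doing this per application, or setting session.save_path per php-fpm pool, is what keeps two websites on the same host from reading each other's session files. The ownership check matters as much as the mode check: a 0700 directory owned by another account proves nothing, because that owner can change the mode at any time.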

 [2018-10-05 13:18 UTC] anders dot henke at 1und1 dot de
Notice: http://php.net/manual/en/memcached.sessions.php also uses session.save_path in a similar way with a similar security impact, but also lacks a warning against sharing the same session.save_path (memcached instance) between mutually untrusted websites.
 [2020-08-13 13:23 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2020-08-13 13:24 UTC] phpdocbot@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=doc/en.git;a=commit;h=418de4470840c212677d03adb64c372f77fdf510
Log: Fix #76977: include session.save_path in session.security.ini.php
 [2020-08-14 02:10 UTC] phpdocbot@php.net
Automatic comment on behalf of mumumu
Revision: http://git.php.net/?p=doc/ja.git;a=commit;h=17d6493dcb23c7c272e1c96248ab78a3088a32de
Log: Fix #76977: include session.save_path in session.security.ini.php
 [2020-12-30 11:59 UTC] nikic@php.net
Automatic comment on behalf of mumumu
Revision: http://git.php.net/?p=doc/ja.git;a=commit;h=d1b1c6f3b5e4f0b9a8fe8491db3fc6bb3c97215c
Log: Fix #76977: include session.save_path in session.security.ini.php
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sat Jul 12 05:01:33 2025 UTC