Doc Bug #8189 storing sessions in world readable directory
Submitted: 2000-12-09 23:37 UTC Modified: 2001-01-22 21:05 UTC
From: dig at cynosure dot com Assigned:
Status: Closed Package: Documentation problem
PHP Version: 4.0.3pl1 OS: Linux
Private report: No CVE-ID: None
 [2000-12-09 23:37 UTC] dig at cynosure dot com
By default, session files are stored in /tmp unless changed by sessions.save_path. Although the session files are not world-readable, the directory itself is, and any user on the system can get a list of session IDs by just looking at the filenames. If sessions are being used to track logins, a malicious user could hijack another person's login by copying his session ID into a URI. This could present a serious security risk depending on the application's use of sessions.

The simplest protection is to set sessions.save_path to a directory owned by the user PHP runs under, and chmod 700 that directory.  This prevents easy viewing of existing session IDs.
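An added example, not part of the bug report or of PHP's own code, showing the mitigation the report describes as a pair of shell functions: one that checks whether a candidate session directory denies all group/other access (the `ls -ld` permission string must end in `------`, which is what `chmod 700` produces and what `/tmp`'s usual `1777` mode does not), and one that creates such a directory. The directory paths are placeholders to be replaced with the site's own; note that the php.ini directive the report refers to is spelled `session.save_path`.

```shell
#!/bin/sh
# Added example (not from the bug report): audit and create a private
# PHP session.save_path directory. Assumes POSIX sh and ls(1); the
# directory paths used are placeholders.

# Return 0 if the directory grants no group/other permissions at all
# (i.e. mode 700 style), 1 otherwise. A world-listable directory such as
# /tmp (drwxrwxrwt) lets any local user enumerate session file names.
session_dir_is_private() {
    dir="$1"
    [ -d "$dir" ] || return 1
    # Columns 5-10 of the ls -ld mode string are the group and other bits.
    group_other=$(ls -ld "$dir" | cut -c5-10)
    [ "$group_other" = "------" ]
}

# Create (or tighten) a session directory that only the owner can enter
# or list. -m 700 applies the mode at creation time so there is no window
# in which the directory exists with a looser, umask-derived mode.
make_private_session_dir() {
    dir="$1"
    mkdir -p -m 700 "$dir" || return 1
    chmod 700 "$dir" || return 1      # also tighten a pre-existing directory
    session_dir_is_private "$dir"
}

# Usage (placeholder path; run as the user PHP executes as, then point
# session.save_path in php.ini at it):
#   make_private_session_dir /var/lib/php/sessions-private
#   session_dir_is_private /tmp || echo "/tmp is not private"
```

The directory must be owned by the user the web server or PHP process runs as, otherwise PHP cannot create session files in it; `chown` it accordingly if it was created by root, then set `session.save_path` in php.ini (or via `ini_set` before `session_start()`) to that path.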

 [2001-01-22 21:05 UTC] jimw@php.net
added a warning.
 