Sec Bug #76977 include session.save_path in session.security.ini.php
Submitted: 2018-10-05 13:02 UTC Modified: 2018-10-05 19:25 UTC
From: anders dot henke at 1und1 dot de Assigned:
Status: Open Package: Documentation problem
PHP Version: Irrelevant OS: n/a
Private report: No CVE-ID: None

 [2018-10-05 13:02 UTC] anders dot henke at 1und1 dot de
Description:
------------
http://php.net/manual/en/session.configuration.php#ini.session.save-path
does quote a warning to avoid world-readable directories, as those may be used to hijack user sessions.

http://php.net/manual/en/session.security.ini.php
is a reference page for security-related ini-settings used in session handling; this page does not describe session.save_path, even though PHP does provide an insecure default for session.save_path.


Expected result:
----------------
Due to the default for session.save_path being $TMPDIR (a world-readable directory) and the security impact regarding world-readable directories also documented in http://php.net/manual/en/session.configuration.php#ini.session.save-path, I do recommend including the security impact of session.save_path's default value in session.security.ini.php as well.



Actual result:
--------------
http://php.net/manual/en/session.security.ini.php does not describe session.save_path, even though PHP does provide an insecure default for session.save_path and not changing the default can result in session hijacking between multiple websites sharing the same session.save_path.
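The per-site, owner-only session directory that the report argues for, together with a check that flags the shared world-readable default, as an added example that is not part of the bug report or of the PHP manual. It assumes GNU stat (Linux), a separate pool user per site (hypothetical deployment), and directory paths chosen for illustration.

```shell
#!/bin/sh
# Audit a PHP session.save_path directory for the problem this report describes:
# a directory (such as the $TMPDIR default) that other users or sites can read.
# Assumes GNU coreutils 'stat'.

# Returns 0 when the directory is private to its owner (no group/other bits),
# 1 when group or world can access it (other sites' session files are exposed),
# 2 when the directory does not exist.
audit_save_path() {
    dir=$1
    [ -d "$dir" ] || return 2
    mode=$(stat -c '%a' "$dir")          # e.g. 1777 for /tmp, 700 for a private dir
    go=$(printf '%s' "$mode" | tail -c 2) # keep only the group and other digits
    [ "$go" = "00" ] && return 0
    return 1
}

# Create a per-site session directory, mode 0700, as the fix the report implies:
# one save_path per site, then point that site's php.ini / pool config at it, e.g.
#   session.save_path = "/var/lib/php/sessions/site-a"   (illustrative path)
# Each site is assumed to run as its own user so the 0700 mode actually isolates it.
make_site_session_dir() {
    dir=$1
    mkdir -p "$dir" || return 1
    chmod 0700 "$dir" || return 1
    audit_save_path "$dir"
}
```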


History

 [2018-10-05 13:18 UTC] anders dot henke at 1und1 dot de
Notice: http://php.net/manual/en/memcached.sessions.php also uses session.save_path in a similar way with a similar security impact, but also lacks a warning about sharing the same session.save_path (memcached instance) between mutually untrusted websites.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Jul 21 14:01:25 2019 UTC