Sec Bug #76977 include session.save_path in session.security.ini.php
Submitted: 2018-10-05 13:02 UTC Modified: 2018-10-05 19:25 UTC
From: anders dot henke at 1und1 dot de Assigned:
Status: Open Package: Documentation problem
PHP Version: Irrelevant OS: n/a
Private report: No CVE-ID: None
 [2018-10-05 13:02 UTC] anders dot henke at 1und1 dot de
Description:
------------
http://php.net/manual/en/session.configuration.php#ini.session.save-path
does quote a warning to avoid world-readable directories, as those may be used to hijack user sessions.

http://php.net/manual/en/session.security.ini.php
is a reference page for security-related ini-settings used in session handling; this page does not describe session.save_path, even though PHP does provide an insecure default for session.save_path.


Expected result:
----------------
Due to the default for session.save_path being $TMPDIR (a world-readable directory) and the security impact regarding world-readable directories also being documented in http://php.net/manual/en/session.configuration.php#ini.session.save-path, I do recommend including the security impact of session.save_path's default value in session.security.ini.php as well.



Actual result:
--------------
http://php.net/manual/en/session.security.ini.php does not describe session.save_path, even though PHP does provide an insecure default for session.save_path and not changing the default can result in session hijacking between multiple websites sharing the same session.save_path.
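The report above concerns the files session handler storing session files in the shared, world-readable system temp directory. The following PHP is an added example, not code from the bug report or from php-src: it resolves the effective save directory (the files handler accepts the documented "N;MODE;/path" form, and an empty value means PHP falls back to the system temp dir), audits its permissions and whether it is the shared temp dir, and if so switches the application to a private 0700 directory before session_start(). The path $appStateDir is a hypothetical per-application location.

```php
<?php
// Added example: refuse to keep sessions in a shared, world-readable directory.
// Assumes the application user may create $appStateDir (hypothetical path).

/**
 * Resolve the directory part of session.save_path for the files handler.
 * The documented "N;MODE;/path" form is accepted; the directory is always
 * the last ';'-separated element. An empty value means PHP uses $TMPDIR.
 */
function session_save_dir(string $savePath): string
{
    if ($savePath === '') {
        return sys_get_temp_dir();
    }
    $parts = explode(';', $savePath);
    return end($parts);
}

/**
 * Return a list of problems with a candidate session directory (empty if none).
 */
function audit_session_dir(string $dir): array
{
    if (!is_dir($dir)) {
        return ["$dir does not exist"];
    }
    $problems = [];
    $perms = fileperms($dir) & 0777;

    if ($perms & 0004) {
        // Other local users can list session ids and read session files.
        $problems[] = sprintf('%s is world-readable (mode %04o)', $dir, $perms);
    }
    if ($perms & 0002) {
        $problems[] = sprintf('%s is world-writable (mode %04o)', $dir, $perms);
    }
    if (realpath($dir) === realpath(sys_get_temp_dir())) {
        // Every site on the host that keeps the default shares this directory.
        $problems[] = "$dir is the shared system temp directory";
    }
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        $problems[] = "$dir is not owned by the current process user";
    }
    return $problems;
}

$appStateDir = '/var/lib/example-app/sessions';   // hypothetical per-application path

$current = session_save_dir((string) ini_get('session.save_path'));
$issues  = audit_session_dir($current);

if ($issues !== []) {
    foreach ($issues as $issue) {
        error_log('session.save_path: ' . $issue);
    }
    // Private directory: only this application's user can enter it.
    if (!is_dir($appStateDir) && !mkdir($appStateDir, 0700, true)) {
        throw new RuntimeException("cannot create $appStateDir");
    }
    chmod($appStateDir, 0700);   // re-apply in case umask widened the mkdir mode
    // Must be called before session_start(); equivalent to session.save_path in php.ini.
    session_save_path($appStateDir);
}

session_start();
```

The same isolation can be set statically with `session.save_path = "/var/lib/example-app/sessions"` in php.ini and a directory owned by the application user with mode 0700. The permission check is specific to the files handler; for the memcached handler mentioned in the follow-up comment, save_path is a server address, and isolation between mutually untrusted sites means not pointing them at the same memcached instance.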

 [2018-10-05 13:18 UTC] anders dot henke at 1und1 dot de
Notice: http://php.net/manual/en/memcached.sessions.php also uses session.save_path in a similar way with a similar security impact, but also lacks a warning about sharing the same session.save_path (memcached instance) between mutually untrusted websites.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Oct 20 21:01:27 2019 UTC