PHP :: Sec Bug #76977 :: include session.save_path in session.security.ini.php

Sec Bug #76977	include session.save_path in session.security.ini.php
Submitted:	2018-10-05 13:02 UTC	Modified:	2020-08-13 13:23 UTC
From:	anders dot henke at 1und1 dot de	Assigned:	cmb (profile)
Status:	Closed	Package:	Documentation problem
PHP Version:	Irrelevant	OS:	n/a
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	anders dot henke at 1und1 dot de
New email:
PHP Version:		OS:

New Comment:

[2018-10-05 13:02 UTC] anders dot henke at 1und1 dot de

Description:
------------
http://php.net/manual/en/session.configuration.php#ini.session.save-path
does quote a warning to avoid world-readable directories, as those may be used to hijack user sessions.

http://php.net/manual/en/session.security.ini.php
is a reference page for security-related ini-settings used in session handling; this page does not describe session.save_path, even though PHP does provide an insecure default for session.save_path.


Expected result:
----------------
Due to the default for session.save_path being $TMPDIR (a world-readable directory) and the security impact regarding world-readable directories also documented in http://php.net/manual/en/session.configuration.php#ini.session.save-path, I do  recommend to include the security impact of session.save_path's default value in session.security.ini.php as well.



Actual result:
--------------
http://php.net/manual/en/session.security.ini.php does not describe session.save_path, even though PHP does provide an insecure default for session.save_path and not changing the default can result in session hijacking between multiple websites sharing the same session.save_path.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-10-05 13:18 UTC] anders dot henke at 1und1 dot de

Notice: http://php.net/manual/en/memcached.sessions.php does also use session.save_path in a similar way with similar security impact, but does also miss a warning of sharing the same session.save_path (memcached instance) for mutual-untrusted websites.

[2020-08-13 13:23 UTC] cmb@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb

[2020-08-13 13:23 UTC] cmb@php.net

Fixed with <http://svn.php.net/viewvc?view=revision&revision=350307>.

[2020-08-13 13:24 UTC] phpdocbot@php.net

Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=doc/en.git;a=commit;h=418de4470840c212677d03adb64c372f77fdf510
Log: Fix #76977: include session.save_path in session.security.ini.php

[2020-08-14 02:10 UTC] phpdocbot@php.net

Automatic comment on behalf of mumumu
Revision: http://git.php.net/?p=doc/ja.git;a=commit;h=17d6493dcb23c7c272e1c96248ab78a3088a32de
Log: Fix #76977: include session.save_path in session.security.ini.php

[2020-12-30 11:59 UTC] nikic@php.net

Automatic comment on behalf of mumumu
Revision: http://git.php.net/?p=doc/ja.git;a=commit;h=d1b1c6f3b5e4f0b9a8fe8491db3fc6bb3c97215c
Log: Fix #76977: include session.save_path in session.security.ini.php

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 18 20:01:30 2024 UTC