Friday, July 1, 2011

Making php control sessions

PHP sessions can be insecure with the default settings. One reason: on a shared host like Dreamhost or GoDaddy, other customers are on the same server, and the default place PHP stores its session files (which contain your session_id and session data) is /tmp, which anyone on that server can read and reuse for anything they want. I just looked in the tmp folder on a shared host and there were 14000 session files from the last 2 days. That's not good at all. The first thing you should do is move the save path to a directory under your home directory, so only you can read the files.
Fix this with the following change to your php.ini file. Make sure to make this new folder writable too.
change this:
session.save_path = "/tmp"
to this:
session.save_path = "/home/username/tmp"

Also change the default session name, so anyone looking at your website's cookies does not recognize the session_id when they see it:
change this:
session.name = PHPSESSID
to something like this:
session.name = fh4hd4kjddj5fhk2jdkjfh



I made a demo of how to make this work completely with MySQL using this code:
http://www.josephcrawford.com/php-articles/going-deep-inside-php-sessions/
There were some problems with his code so I am putting a version here that works including a demo page for running it.
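Since the handler code the post refers to is not reproduced here, the following is an added example (my own sketch, not the linked article's code) of a MySQL-backed session store built on PHP 5.4's SessionHandlerInterface; the table layout, DSN and credentials are assumed placeholders.

```php
<?php
// Added example: keep session data in MySQL instead of world-readable /tmp files.
// Assumes a table created with (placeholder schema):
//   CREATE TABLE sessions (id VARCHAR(128) PRIMARY KEY, data BLOB NOT NULL,
//                          expires INT UNSIGNED NOT NULL, INDEX (expires));
// DSN, user and password below are placeholders.
class DbSessionHandler implements SessionHandlerInterface
{
    private $pdo;
    private $ttl;
    public function __construct(PDO $pdo, $ttl = 1440)
    {
        $this->pdo = $pdo;
        $this->ttl = (int) $ttl;
    }
    public function open($savePath, $sessionName) { return true; }
    public function close() { return true; }
    public function read($id)
    {
        // Only rows that have not expired are returned; '' means "new, empty session".
        $st = $this->pdo->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $st->execute(array($id, time()));
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';
    }
    public function write($id, $data)
    {
        // Prepared statement: the session id and payload are never interpolated into SQL.
        $st = $this->pdo->prepare('REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)');
        return $st->execute(array($id, $data, time() + $this->ttl));
    }
    public function destroy($id)
    {
        return $this->pdo->prepare('DELETE FROM sessions WHERE id = ?')->execute(array($id));
    }
    public function gc($maxlifetime)
    {
        // Garbage collection: drop every row whose expiry has passed.
        return $this->pdo->prepare('DELETE FROM sessions WHERE expires < ?')->execute(array(time()));
    }
}

$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass',
               array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
$handler = new DbSessionHandler($pdo, (int) ini_get('session.gc_maxlifetime'));
session_set_save_handler($handler, true);   // true: register session_write_close() on shutdown
session_name('fh4hd4kjddj5fhk2jdkjfh');     // same non-default name as set in php.ini above
session_start();
```

With the handler registered, session.save_path is no longer used, so the shared /tmp problem described above disappears entirely rather than being moved to another directory.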
