Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: PHP session management

Re: PHP session management

From: Matt Rohrer <matt_at_prognostikos.com>
Date: Sun, 26 Oct 2003 13:37:31 +0100

On Sat, Oct 25, 2003 at 06:51:13PM -0400, Gavin Zuchlinski wrote:
> Hi,
> I noticed on a server how PHP creates files in /tmp in the form sess_XXXXXXXXX
> to store session information (of course only readable by the apache user),
> but "XXXXXXXXX" is the actual session ID. If a person has a local access to a
> system using PHP's session management, aren't they able to hijack any
> session? Am I a complete moron and am missing something?

No, you're not missing anything. There's a warning about this in
the manual
http://ww.php.net/manual/en/ref.session.php#ini.session.save-path
along with notes on how to configure PHP to avoid this problem.

In general, the default configuration for session handling does not
favor security. I would look at the page referenced above for
configuration options that can be changed in the interest of security.
I'm not aware of a canonical document describing a secure configuration
for using PHP sessions, though perhaps others on the list can point
you in the right direction.
Received on Oct 26 2003

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]