How to prevent PHP sessions being shared between different apache vhosts? -


how prevent php sessions being shared between different apache vhosts?

i've set different vhosts on apache 2.2 , works perfectly, until realized php sessions shared default.

edit reason why should set session_save_path or use database session handling if on shared webhosting. can create session id , chmod 777 , use session id on site bypass logins/or more privileges.

this works because php doesn't enforce session ids belongs site. know because i've analysed c/c++ source code behind sessions in php, , because wondered how possible. never put trust $_session array safe on shared web hosting , can't safely use value in sql query.

some code (file session.c) in php c function php_session_start(); yes, function called when call session_start() php (and check saw in these lines of code):

/* check whether current request referred  * external site invalidates found id. */  if (ps(id) &&         ps(extern_referer_chk)[0] != '\0' &&         pg(http_globals)[track_vars_server] &&         zend_hash_find(z_arrval_p(pg(http_globals)[track_vars_server]), "http_referer", sizeof("http_referer"), (void **) &data) == success &&         z_type_pp(data) == is_string &&         z_strlen_pp(data) != 0 &&         strstr(z_strval_pp(data), ps(extern_referer_chk)) == null ) {     efree(ps(id));     ps(id) = null;     ps(send_cookie) = 1;     if (ps(use_trans_sid) && !ps(use_only_cookies)) {         ps(apply_trans_sid) = 1;     } }

the check http header "http_referer", know can faked, "security through obscurity". safe method use session_save_path or use database session handler.

to set session_save_path in php.ini, should find more information here http://php.net/manual/en/session.configuration.php.

or, if php running apache module, can configure in htaccess file of vhost container:

php_value session.save_path "path"

or better phpinidir per vhost:

<virtualhost ip> [...] phpinidir /var/www/... [...] </virtualhost>

update [panique]:

i'm adding full solution answer, might other people too. sample full vhost setup:

<virtualhost *:81>     documentroot /var/www/xxx1     <directory "/var/www/xxx1">         allowoverride         php_value session.save_path "/var/mysessionforproject_1"    </directory> </virtualhost>  <virtualhost *:82>     documentroot /var/www/xxx2     <directory "/var/www/xxx2">         allowoverride         php_value session.save_path "/var/mysessionforproject_2"    </directory> </virtualhost>

Comments

Post a Comment

Popular posts from this blog

c# - Send Image in Json : 400 Bad request -

from android trying send image class of data, iis webservice. (c#) the problem 400 bad request . the image being encoded base64 . , placed json rest of class elements. my guess base64 not valid inside json. server not understand it. if set string "" , post accepted fine. so question is, how make base64 valid within json array? ( tried url.encode no success). or how should send image android webservice? gson gson = new gson(); string json = gson.tojson(record); // record has param { string base64photo } how big image? i'm pretty sure surpassing iis json size limit (default 4 mb). check http://geekswithblogs.net/frankw/archive/2008/08/05/how-to-configure-maxjsonlength-in-asp.net-ajax-applications.aspx or http://www.webtrenches.com/post.cfm/iis7-file-upload-size-limits good luck!
Read more

jquery - Fancybox - apply a function to several elements -

this source code below posted cristiano g. carvalho in answer question: calling fancybox gallery other link made user. <div class="details_gallery"> <a href="#" class="manualfancybox">manual call fancybox</a> <div class="details_gallery_min"> <a rel="details" href="max/1.jpg" class="fancybox"><img src="min/1.jpg" alt="" /></a> <a rel="details" href="max/2.jpg" class="fancybox"><img src="min/2.jpg" alt="" /></a> <a rel="details" href="max/3.jpg" class="fancybox"><img src="min/3.jpg" alt="" /></a> <a rel="details" href="max/4.jpg" class="fancybox"><img src="min/4.jpg" alt="" /></a> </div> </div> <script> $(document).read
Read more

An easy way to program an Android keyboard layout app -

i program android app replaces standard keyboard 1 one-hand optimized coffee++ keyboard layout. what special problems have face in progress? guess such project go deep android core, cause keyboard such essential thing. is wise start android developer tools (adt)—eclipse plugin described in this tutorial ? or there better way achieve goal? i new android programming, firm in php, mysql , javascript , use eclipse php i guess such project go deep android core, cause keyboard such essential thing. no. can create inputmethodservice implementation of keyboard. there sample soft keyboard in android sdk installation (if chose download sample code sdk manager), , there open source input methods floating around well, such hacker's keyboard. inputmethodservice distributed part of ordinary android application, , user can elect activate input method if user chooses. is wise start android developer tools (adt)—eclipse plugin described in tutorial? that fine s
Read more