Understanding session save path as no value and security

php security session session-variables
jason328 picture jason328 · Oct 4, 2012 · Viewed 12.4k times · Source

I only use sessions to store variables and was hoping to ensure that the session save path could not be tampered with by any of the users. So I went to check my phpinfo and found that the session save path was set to no value. Is this normal for users who only use sessions for variables? Do I have anything to worry about if the sessions save path is set to no value?

Answer

newfurniturey picture newfurniturey · Oct 4, 2012

The default value for the session.save_path setting is "" (empty string), which defaults to /tmp.

From a "working" standpoint, there is no need to worry that it's set to no value (as that's the default); however, from a security standpoint there is.

Warning from the manual:

If you leave this set to a world-readable directory, such as /tmp (the default), other users on the server may be able to hijack sessions by getting the list of files in that directory.

Related questions

"Keep Me Logged In" - the best approach

My web application uses sessions to store information about the user once they've logged in, and to maintain that information as they travel from page to page within the app. In this specific application, I'm storing the user_id, first_…

Read More
How to properly add cross-site request forgery (CSRF) token using PHP

I am trying to add some security to the forms on my website. One of the forms uses AJAX and the other is a straightforward "contact us" form. I'm trying to add a CSRF token. The problem I'm having is …

Read More
PHP Session Fixation / Hijacking

I'm trying to understand more about PHP Session Fixation and hijacking and how to prevent these problems. I've been reading the following two articles on Chris Shiflett's website: Session Fixation Session Hijacking However, I'm not sure I'm understanding things correctly. …

Read More