Re: [Phplib-users] Sessions where are we going??
From: Michael C. <mdc...@mi...> - 2002-07-01 14:52:48
On Mon, Jul 01, 2002 at 10:37:59AM +0100, Donncha O Caoimh wrote:
> Take a look at this site, which I linked to from my howto last week, it should
> help solve some of the security issues with php4 sessions.
>
> http://www.webkreator.com/php/configuration/php-session-security.html
>
> Basically, each vhost gets its own directory, and even session name. That
> should help to stop people stealing sessions from one vhost to another. If
> you can chmod 700 and chown nobody:nobody the directory then local users
> can't inspect those directories (unless they look at them through a script
> running as nobody of course but the same applies to using a db as a backend,
> almost)

From the phpauth docs:

php_admin_value safe_mode 1
php_admin_value open_basedir /home/mdchaney
php_admin_value safe_mode_exec_dir /dev/null
php_admin_value safe_mode_allowed_env_vars PHP_
php_admin_value safe_mode_protected_env_vars LD_LIBRARY_PATH
php_admin_value disable_functions system

You can force PHP to confine itself to one directory, so people can't use it to view files outside their site. One should be able to make a site reasonably secure in this way.

Michael

--
Michael Darrin Chaney
mdc...@mi...
http://www.michaelchaney.com/
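The per-vhost session isolation and open_basedir confinement discussed in this thread, written out as an Apache vhost configuration. This is an illustration added here; it is not from the thread, the linked page, or the phpauth docs. It assumes Apache httpd with mod_php; the host names and paths are placeholders. The safe_mode family of directives quoted above was removed in PHP 5.4, so the example relies only on session.save_path, session.name and open_basedir, which still exist. The first vhost shows the shared default; the two that follow show the isolated form.

```apache
# Added illustration, not from the thread or the phpauth docs.
# Assumes Apache httpd + mod_php; host names and paths are placeholders.

# Shared default: this vhost inherits session.save_path and session.name from
# php.ini (typically /tmp and PHPSESSID). Every other PHP vhost on the box that
# does the same reads and writes the same files under the same cookie name, so a
# session id issued on one site is accepted on the others.
<VirtualHost *:80>
    ServerName shared.example.test
    DocumentRoot /home/shared/public_html
</VirtualHost>

# Isolated: each vhost gets its own session directory, its own cookie name, and
# an open_basedir fence so its scripts cannot open the other site's files,
# session files included. php_admin_value cannot be overridden by .htaccess
# or ini_set(), which is the point of using it rather than php_value.
<VirtualHost *:80>
    ServerName shop.example.test
    DocumentRoot /home/shop/public_html
    php_admin_value session.save_path /home/shop/sessions
    php_admin_value session.name SHOPSESSID
    php_admin_value open_basedir /home/shop
</VirtualHost>

<VirtualHost *:80>
    ServerName blog.example.test
    DocumentRoot /home/blog/public_html
    php_admin_value session.save_path /home/blog/sessions
    php_admin_value session.name BLOGSESSID
    php_admin_value open_basedir /home/blog
</VirtualHost>
```

Each session directory must exist before PHP tries to write to it; create it owned by the user the httpd workers run as (nobody in the thread's setup) with mode 0700, so that other local accounts cannot list or read the session files. open_basedir fences only PHP's own file functions, not a script that runs as the same system user through another path, which is why the separate directory ownership still matters.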