How to prevent sharing of PHP sessions between different Apache vhosts?

I installed different vhosts on Apache 2.2 and everything worked fine until I realized that PHP sessions are shared by default.

+4
2 answers

Edit: this is also the reason you should ALWAYS set your session_save_path ( http://php.net/manual/en/function.session-save-path.php ) or use database session handling ( http://php.net/manual/en/class.sessionhandler.php ) if you use shared web hosting. Someone can create a session ID, change it to 777 and use this session ID on their site to bypass logins or gain more privileges. It can also be used for SQL injection.

This works because PHP does not track which session identifiers belong to which site. I know this because I analyzed the C/C++ source code behind sessions in PHP, and because I was wondering how this is possible. Therefore, you should not assume that $_SESSION is safe on shared web hosting, and you cannot safely use its values in an SQL query.

Some code from the session.c file in PHP, from the C function php_session_start(); yes, this function is called when you call session_start() from PHP (and the only check I saw was in these lines of code):

    /* Check whether the current request was referred to by
     * an external site which invalidates the previously found id. */
    if (PS(id) && PS(extern_referer_chk)[0] != '\0' &&
        PG(http_globals)[TRACK_VARS_SERVER] &&
        zend_hash_find(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]),
                       "HTTP_REFERER", sizeof("HTTP_REFERER"), (void **) &data) == SUCCESS &&
        Z_TYPE_PP(data) == IS_STRING &&
        Z_STRLEN_PP(data) != 0 &&
        strstr(Z_STRVAL_PP(data), PS(extern_referer_chk)) == NULL
    ) {
        efree(PS(id));
        PS(id) = NULL;
        PS(send_cookie) = 1;
        if (PS(use_trans_sid) && !PS(use_only_cookies)) {
            PS(apply_trans_sid) = 1;
        }
    }

The only check is on the HTTP header "HTTP_REFERER", but we all know that it can be faked, so this is "security through obscurity". The only safe method is to use session_save_path or the database session handler.

To set session.save_path in php.ini, see http://php.net/manual/en/session.configuration.php .

Or, if PHP runs as an Apache module, you can configure it in the vhost container or its .htaccess file:

 php_value session.save_path "path" 

Or, even better, use PHPINIDir for each host:

    <VirtualHost ip>
        [...]
        PHPINIDir /var/www/...
        [...]
    </VirtualHost>

UPDATE [Panic]:

I am simply adding a complete solution to this answer, as it may help other people. An example of a full vhost configuration:

    <VirtualHost *:81>
        DocumentRoot /var/www/xxx1
        <Directory "/var/www/xxx1">
            AllowOverride All
            php_value session.save_path "/var/mysessionforproject_1"
        </Directory>
    </VirtualHost>

    <VirtualHost *:82>
        DocumentRoot /var/www/xxx2
        <Directory "/var/www/xxx2">
            AllowOverride All
            php_value session.save_path "/var/mysessionforproject_2"
        </Directory>
    </VirtualHost>
+6
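An added example (not code from the answer above and not from PHP's own sources) that reproduces the problem the answer describes and shows what the per-vhost save path changes: one PHP CLI script plays two vhosts on the same server, with a constructed session ID standing in for the PHPSESSID cookie a client would send. With a shared session.save_path the second "site" reads back the user value the first one planted; with separate paths it starts an empty session. The vhost names, directory names and session ID are made up for the demonstration. Two caveats a practitioner should keep in mind: with mod_php every vhost runs as the same Apache user, so separate directories stop accidental collisions but not a hostile neighbour who can read and write those directories anyway (distinct users via php-fpm pools or suexec are needed for that); and PS(extern_referer_chk) in the C code quoted above is the session.referer_check setting, which is empty by default, so on a stock install that referer comparison is never evaluated at all. The script switches session.use_strict_mode off only so the planted ID is accepted; leaving strict mode on is itself part of the fix.

```php
<?php
declare(strict_types=1);

/*
 * Added demonstration, not part of the original answer. Simulates two Apache
 * vhosts on one server inside a single PHP CLI process. Assumptions: a writable
 * temp dir, the files session handler, and a client-chosen session ID.
 */

// One simulated request to a vhost. $sessionId plays the PHPSESSID cookie.
// Returns the $_SESSION contents that vhost sees after session_start().
function vhost_request(string $savePath, string $sessionId, ?string $plantUser = null): array
{
    // Historical default: accept an uninitialised, client-supplied ID.
    // session.use_strict_mode=1 would reject it and is part of the hardening.
    ini_set('session.use_strict_mode', '0');
    ini_set('session.use_cookies', '0');   // CLI: there is no client to send a cookie to

    session_save_path($savePath);         // what php_value session.save_path sets per vhost
    session_id($sessionId);
    session_start();                      // loads $savePath/sess_<id> if it exists

    if ($plantUser !== null) {
        $_SESSION['user'] = $plantUser;   // the "attacker's" site stores whatever it likes
    }
    $seen = $_SESSION;
    session_write_close();                // flushes sess_<id> into $savePath
    return $seen;
}

// Fresh 0700 directory under the system temp dir for one simulated vhost.
function fresh_dir(string $name): string
{
    $dir = sys_get_temp_dir() . '/php-session-demo-' . $name . '-' . getmypid();
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    return $dir;
}

// Constructed session ID; any value built from [a-zA-Z0-9,-] is accepted.
$sid = 'attackerchosenid0123456789';

// Case 1: both vhosts use the same save path (the default situation the question hit).
$shared = fresh_dir('shared');
vhost_request($shared, $sid, 'admin');        // evil.example.test plants a session
$victimSees = vhost_request($shared, $sid);   // app.example.test loads the same file

// Case 2: each vhost has its own session.save_path, as the answer recommends.
$evilPath = fresh_dir('evil');
$appPath  = fresh_dir('app');
vhost_request($evilPath, $sid, 'admin');
$isolatedSees = vhost_request($appPath, $sid); // different directory: nothing to load

// Output is deferred until all sessions are closed, because session_start()
// refuses to run once anything has been written to the output.
printf("shared save_path:   app.example.test sees %s\n", json_encode($victimSees));
printf("separate save_path: app.example.test sees %s\n", json_encode($isolatedSees));
```

Run it with `php demo.php`; the first line shows the planted user reaching the other site, the second shows the isolated site starting with an empty session. Note that the isolation only holds for as long as the neighbouring site cannot reach the directory itself.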

There is something wrong with your browser if it sends cookies across domains.

Of course, both vhosts using the default session handler will write their session files to the same directory - just redefine it in the Apache vhost configuration:

    <VirtualHost a.example.com>
        ...
        php_value session.save_path "2;/var/www/a.example.com/data"
    </VirtualHost>
0
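The "2;" prefix in that save_path value tells PHP's files session handler to spread session files over two levels of one-character subdirectories named after the leading characters of the session ID. PHP does not create those subdirectories itself (the PHP source tree ships ext/session/mod_files.sh for that), and when they are missing session_start() fails to write the session file. An added example, not from the answer and not PHP's own script, that does the same job in PHP 8 code: it parses a save_path string of the form "N;MODE;/path" like the one above, creates the tree with mode 0700, and returns how many leaf directories it made. The alphabet tables are the ones mod_files.sh uses; which one applies depends on session.sid_bits_per_character (session.hash_bits_per_character before PHP 7.1) in the vhost's effective php.ini, 4 bits being the built-in default. The path in the usage line is a placeholder.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not part of the original answer or of PHP. Pre-creates the
 * subdirectory tree that a session.save_path of the form "N;/path" requires.
 * Requires PHP 8 (match expression). Paths and depths are taken from $argv.
 */

// Characters a session ID can contain for the given bits-per-character setting;
// these are the same tables PHP's ext/session/mod_files.sh uses.
function session_id_alphabet(int $bitsPerChar): string
{
    return match ($bitsPerChar) {
        4 => '0123456789abcdef',
        5 => '0123456789abcdefghijklmnopqrstuv',
        6 => '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-',
        default => throw new InvalidArgumentException("unsupported bits per character: $bitsPerChar"),
    };
}

// Create $depth levels of one-character directories under $base, mode 0700 so
// only the vhost's own user can list or read them. Returns the number of leaf
// directories (16^depth for 4 bits, 32^depth for 5, 64^depth for 6).
function create_session_tree(string $base, int $depth, int $bitsPerChar = 4): int
{
    $alphabet = session_id_alphabet($bitsPerChar);
    if (!is_dir($base) && !mkdir($base, 0700, true)) {
        throw new RuntimeException("cannot create $base");
    }
    if ($depth === 0) {
        return 1;
    }
    $leaves = 0;
    foreach (str_split($alphabet) as $c) {
        $leaves += create_session_tree("$base/$c", $depth - 1, $bitsPerChar);
    }
    return $leaves;
}

// Parse a session.save_path value: optional "N;" depth, optional "MODE;" file
// permission octal, then the directory. "2;/srv/sessions" -> [2, "/srv/sessions"].
function parse_save_path(string $value): array
{
    $parts = explode(';', $value);
    $path  = array_pop($parts);
    $depth = isset($parts[0]) && $parts[0] !== '' ? (int) $parts[0] : 0;
    return [$depth, $path];
}

// Usage: php make_session_tree.php "2;/var/www/a.example.com/data" 4
// (placeholder path; without arguments it builds a demo tree under the temp dir)
[$depth, $path] = parse_save_path($argv[1] ?? '2;' . sys_get_temp_dir() . '/sessions-demo');
$bits = (int) ($argv[2] ?? 4);
printf("created %d leaf directories under %s\n", create_session_tree($path, $depth, $bits), $path);
```

Run it once per vhost, as the user that owns that vhost's PHP processes, before switching the save_path over; afterwards a quick `find /var/www/a.example.com/data -mindepth 2 -maxdepth 2 -type d | wc -l` should report the leaf count the script printed.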

Source: https://habr.com/ru/post/1497340/
