How Easy Is It to Hijack Session Vars on GoDaddy (

2019-03-31 12:38发布

站内问答 / PHP
1364 5 6

This question already has an answer here:

This article states that

If your site is run on a shared Web server, be aware that any session variables can easily be viewed by any other users on the same server.

On a larger host like GoDaddy, are there really no protections in place against this? Could it really be that easy? If it is that easy, where are the session vars of the other users on my host so I can check them out?

5条回答
2楼-- · 2019-03-31 13:21

It is ridiculously easy because by default php.ini#session.save_path points to /tmp on Linux installs and similar for Windows. This is bad because most users have read and write privileges to /tmp because they need them. You can protect against this by storing your sesion state in the database or by changing were your PHP application stores it's session files, using session_save_path

查看更多
0人赞 添加讨论(0) 举报
我命由我不由天
3楼-- · 2019-03-31 13:28

I suggesst you to store session data in DB to avoid these problems, it has the additional benefit to ease accesss live information from user's sessions.

查看更多
0人赞 添加讨论(0) 举报
等我变得足够好
4楼-- · 2019-03-31 13:29

The session files by default are stored in the location given by the session.save_path in php.ini. While this can be defined separately for each vhost, the files have to be readable by the httpd process, and so if you know the location, your script could read the session files from another vhost.

You could store your sessions in a database (for example, using ADODb), assuming other users of the server can't read your PHP sources to learn your db credentials!

查看更多
0人赞 添加讨论(0) 举报
爷的心禁止访问
5楼-- · 2019-03-31 13:32

use session.save_path to set, save, and handle your visitors sessions only within your account space whenever you are on a shard host.

then no one but you and your hosts employees with directory access can access them.

NEVER rely on default session handlers/location on a shared host!

<?php

        $handle = opendir(session_save_path());
        if ($handle == false)
            {
                return -1;
            }
        while (($file = readdir($handle)) !== false)
            {
                echo session_save_path() . '/' . $file .':<BR />';
                if (ereg("^sess", $file))
                    {
                        $file_array = file(session_save_path() . '/' . $file);
                        foreach ($file_array as $this_line)
                            {
                                echo $this_line."<BR />";
                            }
                echo '<BR /><BR />';

                    }
            }
        closedir($handle);

?>
查看更多
0人赞 添加讨论(0) 举报
对你真心纯属浪费
6楼-- · 2019-03-31 13:33

If you're using PHP and worried about session hijacking, check out session_regenerate_id (Link to Manual).

This won't solve the problem of the session_save paths being public as mentioned by others here, but it should prevent 99.999% of hijacking attmepts.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)