Policy for web apps session storage ?

To: "debian-devel@lists.debian.org" <debian-devel@lists.debian.org>
Subject: Policy for web apps session storage ?
From: Olivier Berger <olivier.berger@it-sudparis.eu>
Date: Wed, 13 Aug 2008 15:24:35 +0200
Message-id: <[🔎] 1218633875.8314.99.camel@hortense>

Hi.

I've stumbled upon recent discussions about session files storage in two
different contexts recently : 
* recently found vulnerabilities by Dmitry E. Oboukhov in twiki (to be
confirmed [0]) (perl + CGI::Session)
* some session handling in phpgroupware (php5 sessions)

I guess there are at least 2 kinds of security issues here : 

* creation of session files in a safe directory of (somehow) temporary
files (at least as long as the web app session is meant to remain
active).

* proper purge of these files not to fill-up disk (web apps may be
exposed, so remote DOS by creating lots of sessions, etc.)

We recently asked on php maintainers list [1] for policy concerning
these session files handling without definitive answers (for Debian
policy), but to check /usr/share/doc/php5-common/README.Debian.gz ,
which states :
        Session storage
        ---------------
        
            Session files are stored in /var/lib/php5.  For security purposes, this
            directory is unreadable by non-root users.  This means that php5 running
            from apache2, for example, will not be able to clean up stale session
            files.  Instead, we have a cron job run every 30 mins that cleans up
            stale session files; /etc/cron.d/php5.  You may need to modify how
            often this runs, if you've modified session.gc_maxlifetime in your
            php.ini; otherwise, it may be too lax or overly aggressive in cleaning
            out stale session files.  
        
        Andres Salomon <dilinger@debian.org>  Fri, 03 Sep 2004 03:12:54 -0400

For perl and CGI::Session, I don't know if there are similar guidelines.

With current reflection on use of /tmp, I though I should raise the
issue of such a web app session files management policy in Debian (or at
least best practice suggestions).

Thanks in advance.

Best regards,

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494648
[1]
http://lists.alioth.debian.org/pipermail/pkg-php-maint/2008-May/003969.html
-- 
Olivier BERGER <olivier.berger@it-sudparis.eu>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)

Reply to:

Prev by Date: Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
Next by Date: Re: feature: to add explanations of recommendations and suggestions dependencies
Previous by thread: Bug#494958: ITP: libconfig-scoped-perl -- feature rich configuration file parser
Next by thread: issues with aptitude dist-upgrade from etch to lenny
Index(es):
- Date
- Thread