Policy for web apps session storage?
Hi.
I've stumbled upon recent discussions about session files storage in two
different contexts recently:
* recently found vulnerabilities by Dmitry E. Oboukhov in twiki (to be
confirmed [0]) (perl + CGI::Session)
* some session handling in phpgroupware (php5 sessions)
I guess there are at least 2 kinds of security issues here :
* creation of session files in a safe directory of (somehow) temporary
files (at least as long as the web app session is meant to remain
active).
* proper purge of these files so as not to fill up the disk (web apps may be
exposed, so remote DoS by creating lots of sessions, etc.)
We recently asked on the php maintainers list [1] for a policy concerning
the handling of these session files, without definitive answers (for Debian
policy), but to check /usr/share/doc/php5-common/README.Debian.gz,
which states:
Session storage
---------------
Session files are stored in /var/lib/php5. For security purposes, this
directory is unreadable by non-root users. This means that php5 running
from apache2, for example, will not be able to clean up stale session
files. Instead, we have a cron job run every 30 mins that cleans up
stale session files; /etc/cron.d/php5. You may need to modify how
often this runs, if you've modified session.gc_maxlifetime in your
php.ini; otherwise, it may be too lax or overly aggressive in cleaning
out stale session files.
Andres Salomon <dilinger@debian.org> Fri, 03 Sep 2004 03:12:54 -0400
For perl and CGI::Session, I don't know if there are similar guidelines.
With current reflection on use of /tmp, I thought I should raise the
issue of such a web app session files management policy in Debian (or at
least best practice suggestions).
Thanks in advance.
Best regards,
[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494648
[1] http://lists.alioth.debian.org/pipermail/pkg-php-maint/2008-May/003969.html
--
Olivier BERGER <olivier.berger@it-sudparis.eu>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
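As an added illustration of the two points the README above describes (a session directory the web server user cannot list, and purging of stale session files relative to session.gc_maxlifetime), here is a small shell example. It is not code from this mail, from Debian's php5 cron job or from CGI::Session; it assumes GNU stat/find/touch, treats a session as stale by file mtime, and works on a constructed temporary directory rather than /var/lib/php5.

```shell
#!/bin/sh
# Added example: permission check and stale-session purge for a
# PHP-style session directory. Assumes GNU coreutils/findutils.

# Succeed only if neither group nor other has the read bit, so the
# web server user can create sess_* files but cannot enumerate
# other users' session IDs (Debian's /var/lib/php5 uses mode 1733).
session_dir_is_private() {
    mode=$(stat -c '%a' "$1") || return 2
    perms=${mode#"${mode%???}"}        # last three octal digits
    grp=$(( (perms / 10) % 10 ))
    oth=$(( perms % 10 ))
    [ $(( grp & 4 )) -eq 0 ] && [ $(( oth & 4 )) -eq 0 ]
}

# Remove sess_* files idle longer than $2 seconds (gc_maxlifetime) and
# print how many were deleted. find -mmin counts minutes, so round up:
# nothing younger than maxlifetime is ever removed.
purge_stale_sessions() {
    dir=$1
    maxlifetime=$2
    minutes=$(( (maxlifetime + 59) / 60 ))
    find "$dir" -maxdepth 1 -type f -name 'sess_*' \
        -mmin "+$minutes" -print -delete | wc -l | tr -d ' '
}

# Demo on a constructed directory: one fresh and one two-hour-old session.
demo_dir=$(mktemp -d)
chmod 1733 "$demo_dir"
touch "$demo_dir/sess_fresh"
touch -d '2 hours ago' "$demo_dir/sess_stale"
if session_dir_is_private "$demo_dir"; then
    echo "session dir is private (mode $(stat -c '%a' "$demo_dir"))"
else
    echo "WARNING: session dir is listable by group/other"
fi
echo "purged $(purge_stale_sessions "$demo_dir" 1440) stale session(s)"
rm -rf "$demo_dir"
```

The 1440-second value is PHP's default session.gc_maxlifetime; with the Debian cron approach, the cron interval and this value must be kept consistent, as the README warns.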