Policy for web app session storage?
I've stumbled upon recent discussions about session files storage in two
different contexts recently:
* recently found vulnerabilities by Dmitry E. Oboukhov in twiki (to be
confirmed) (perl + CGI::Session)
* some session handling in phpgroupware (php5 sessions)
I guess there are at least 2 kinds of security issues here:
* creation of session files in a safe directory of (somehow) temporary
files (at least as long as the web app session is meant to remain)
* proper purge of these files not to fill-up disk (web apps may be
exposed, so remote DOS by creating lots of sessions, etc.)
We recently asked on the php maintainers list for a policy concerning
these session files handling without definitive answers (for Debian
policy), but to check /usr/share/doc/php5-common/README.Debian.gz,
which states:
Session files are stored in /var/lib/php5. For security purposes, this
directory is unreadable by non-root users. This means that php5 running
from apache2, for example, will not be able to clean up stale session
files. Instead, we have a cron job run every 30 mins that cleans up
stale session files; /etc/cron.d/php5. You may need to modify how
often this runs, if you've modified session.gc_maxlifetime in your
php.ini; otherwise, it may be too lax or overly aggressive in cleaning
out stale session files.
Andres Salomon <email@example.com> Fri, 03 Sep 2004 03:12:54 -0400
For perl and CGI::Session, I don't know if there are similar guidelines.
With current reflection on use of /tmp, I thought I should raise the
issue of such a web app session files management policy in Debian (or at
least best practice suggestions).
Thanks in advance.
Olivier BERGER <firstname.lastname@example.org>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
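The README quoted above describes a cron job that purges stale session files and warns that its schedule must agree with session.gc_maxlifetime. The script below is an added example of that purge step, not the post's or Debian's own cron job: it reads session.gc_maxlifetime from a php.ini, rounds it up to whole minutes, and deletes only regular files named sess_* directly inside the session directory whose modification time is older than that. The sess_ prefix, the use of mtime, and the php.ini path are assumptions made for this example.

```shell
#!/bin/sh
# Added example: purge stale PHP session files in step with session.gc_maxlifetime.
# Not Debian's /etc/cron.d/php5 job; assumes PHP's default "files" handler, whose
# session files are named sess_<id> and whose mtime is refreshed on each write.

# Read session.gc_maxlifetime (seconds) from a php.ini; fall back to PHP's
# built-in default of 1440 s when the key is absent or the file is unreadable.
php_gc_maxlifetime() {
    ini="$1"
    val=$(sed -n 's/^[[:space:]]*session\.gc_maxlifetime[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$ini" 2>/dev/null | tail -n 1)
    if [ -n "$val" ]; then echo "$val"; else echo 1440; fi
}

# Convert seconds to whole minutes for find(1), rounding up so that a live
# session is never purged before its lifetime has actually elapsed.
seconds_to_minutes_ceil() {
    echo $(( ($1 + 59) / 60 ))
}

# Delete stale session files from $dir (e.g. /var/lib/php5) using the lifetime in $ini.
# -mindepth/-maxdepth 1: never recurse; -type f: skip symlinks and directories;
# -name 'sess_*': touch only PHP's own files, nothing else that may live in the directory.
purge_stale_sessions() {
    dir="$1"
    ini="$2"
    secs=$(php_gc_maxlifetime "$ini")
    mins=$(seconds_to_minutes_ceil "$secs")
    find "$dir" -mindepth 1 -maxdepth 1 -type f -name 'sess_*' -mmin +"$mins" -delete
}
```

Run it from cron at an interval shorter than gc_maxlifetime, as root if the session directory is unreadable by the web server user, so that stale files are removed on time without the web app itself needing read access to other users' sessions.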