
Policy for web apps session storage?


I've stumbled upon recent discussions about session files storage in two
different contexts recently:
* recently found vulnerabilities by Dmitry E. Oboukhov in twiki (to be
confirmed [0]) (perl + CGI::Session)
* some session handling in phpgroupware (php5 sessions)

I guess there are at least 2 kinds of security issues here:

* creation of session files in a safe directory of (somehow) temporary
files (at least as long as the web app session is meant to remain)

* proper purge of these files so as not to fill up the disk (web apps may be
exposed, so remote DoS by creating lots of sessions, etc.)

We recently asked on the php maintainers list [1] for a policy concerning
the handling of these session files, without definitive answers (for Debian
policy), but were told to check /usr/share/doc/php5-common/README.Debian.gz,
which states:
        Session storage
            Session files are stored in /var/lib/php5.  For security purposes, this
            directory is unreadable by non-root users.  This means that php5 running
            from apache2, for example, will not be able to clean up stale session
            files.  Instead, we have a cron job run every 30 mins that cleans up
            stale session files; /etc/cron.d/php5.  You may need to modify how
            often this runs, if you've modified session.gc_maxlifetime in your
            php.ini; otherwise, it may be too lax or overly aggressive in cleaning
            out stale session files.  
        Andres Salomon <dilinger@debian.org>  Fri, 03 Sep 2004 03:12:54 -0400

For perl and CGI::Session, I don't know if there are similar guidelines.

With current reflection on use of /tmp, I thought I should raise the
issue of such a web app session files management policy in Debian (or at
least best practice suggestions).

Thanks in advance.

Best regards,

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494648
Olivier BERGER <olivier.berger@it-sudparis.eu>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
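The README quoted above describes a root-run cron job that purges stale session files from a directory unreadable by non-root users, with the interval tied to session.gc_maxlifetime. The following is an added illustration of such a purge, not Debian's own /etc/cron.d/php5 script: the function name, the refusal to run on a world-readable directory, and the use of GNU find/stat are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the Debian php5 cron job.
# Purge session files older than the gc_maxlifetime the web app uses.
# Usage: purge_stale_sessions DIR MAXLIFETIME_SECONDS
# Note: a session can survive up to MAXLIFETIME plus the cron interval,
# which is why the README says to adjust the interval with gc_maxlifetime.
purge_stale_sessions() {
    dir="$1"
    maxlifetime="$2"
    # Refuse to run on a world-readable session directory (assumed policy):
    # the session ids in file names would be exposed to other local users.
    mode=$(stat -c '%a' "$dir") || return 2
    case "$mode" in
        *[4567])
            echo "refusing: $dir is world-readable (mode $mode)" >&2
            return 2
            ;;
    esac
    # Round the lifetime up to whole minutes for find(1)'s -mmin.
    minutes=$(( (maxlifetime + 59) / 60 ))
    # -mmin +N selects files not modified within the last N minutes.
    # Only plain files directly inside the directory are removed;
    # symlinks are not followed and subdirectories are left alone.
    find "$dir" -maxdepth 1 -type f -mmin "+$minutes" -delete
}
```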
