Hi.

I've stumbled upon recent discussions about session file storage in two different contexts:

* recently found vulnerabilities by Dmitry E. Oboukhov in twiki (to be confirmed [0]) (perl + CGI::Session)
* some session handling in phpgroupware (php5 sessions)

I guess there are at least 2 kinds of security issues here:

* creation of session files in a safe directory of (somehow) temporary files (at least as long as the web app session is meant to remain active).
* proper purge of these files so as not to fill up the disk (web apps may be exposed, so remote DoS by creating lots of sessions, etc.)

We recently asked on the php maintainers list [1] for a policy concerning the handling of these session files, without definitive answers (for Debian policy), but were pointed to /usr/share/doc/php5-common/README.Debian.gz, which states:

    Session storage
    ---------------

    Session files are stored in /var/lib/php5. For security purposes, this
    directory is unreadable by non-root users. This means that php5 running
    from apache2, for example, will not be able to clean up stale session
    files. Instead, we have a cron job run every 30 mins that cleans up
    stale session files; /etc/cron.d/php5. You may need to modify how often
    this runs, if you've modified session.gc_maxlifetime in your php.ini;
    otherwise, it may be too lax or overly aggressive in cleaning out stale
    session files.

    Andres Salomon <[EMAIL PROTECTED]> Fri, 03 Sep 2004 03:12:54 -0400

For perl and CGI::Session, I don't know if there are similar guidelines.

With the current reflection on the use of /tmp, I thought I should raise the issue of such a web app session file management policy in Debian (or at least best practice suggestions).

Thanks in advance.

Best regards,

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494648
[1] http://lists.alioth.debian.org/pipermail/pkg-php-maint/2008-May/003969.html

-- 
Olivier BERGER <[EMAIL PROTECTED]>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
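As an added example, not code from the message above, from Debian's php5 package or from its /etc/cron.d/php5 job, here is a small shell sketch of the two concerns raised: a private session directory (refusing a shared /tmp-style one) and a cron-style purge keyed to the same lifetime the application uses (php.ini session.gc_maxlifetime, whose PHP default is 1440 seconds). It assumes the session files are named sess_* at the top level of the directory, that staleness is judged by modification time, and that find(1) supports the common -mindepth/-maxdepth/-mmin/-delete extensions; the demo directory, file names and lifetime are constructed.

```shell
#!/bin/sh
# Added example, not code from the original message or from Debian's php5
# package: a private session directory plus a cron-style purge keyed to the
# application's own lifetime (php.ini session.gc_maxlifetime, 1440 s default).
# The directory path, file names and lifetime used in the demo are constructed.
set -eu

# Create (mode 0700) or validate the session directory. Refuse symlinks and any
# directory that is group- or world-accessible: dropping session files into a
# shared /tmp-like directory is exactly the situation the discussion warns about.
ensure_session_dir() {
    dir=$1
    if [ -L "$dir" ]; then
        echo "refusing $dir: symlink" >&2
        return 1
    fi
    [ -d "$dir" ] || mkdir -m 0700 "$dir"
    # Columns 5-10 of 'ls -ld' output are the group and other permission bits.
    go_bits=$(ls -ld "$dir" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "refusing $dir: group/other bits set ($go_bits)" >&2
        return 1
    fi
}

# Delete session files not modified for longer than $2 seconds. Only top-level
# regular files named sess_* are considered, so a symlink or subdirectory
# planted in the directory is never followed or removed. Prints each removed
# file, one per line.
purge_stale_sessions() {
    dir=$1
    maxlifetime=$2
    # find(1) counts in minutes; round up so nothing is removed early.
    minutes=$(( (maxlifetime + 59) / 60 ))
    find "$dir" -mindepth 1 -maxdepth 1 -type f -name 'sess_*' \
        -mmin +"$minutes" -print -delete
}

# Number of session files currently on disk (what a remote "create lots of
# sessions" attempt drives up between two purge runs).
count_sessions() {
    find "$1" -mindepth 1 -maxdepth 1 -type f -name 'sess_*' | wc -l | tr -d ' '
}

# Demo on a constructed directory: one fresh session, one dated 2008.
demo=$(mktemp -d)
ensure_session_dir "$demo/sessions"
touch "$demo/sessions/sess_fresh"
touch -t 200801010000 "$demo/sessions/sess_old"
echo "before purge: $(count_sessions "$demo/sessions") session file(s)"
purge_stale_sessions "$demo/sessions" 1440
echo "after purge:  $(count_sessions "$demo/sessions") session file(s)"
rm -rf "$demo"
```

Run from cron as the user that owns the directory (or as root, as Debian's README describes for a root-only /var/lib/php5), with the second argument taken from the same value as session.gc_maxlifetime; if the two drift apart the purge is either too lax (disk fill-up) or too aggressive (live sessions vanish), which is the trade-off the README warns about.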