There are several bug reports regarding the security of sessions in
multi-user environments; there is a mail from Peter Brodersen about this
to internals@ (http://news.php.net/php.internals/11549) and a mail
from me with a brief summary to security@, and nothing happens.

Don't you mind if I add this warning to the PHP manual?

===================================================================
RCS file: /repository/phpdoc/en/reference/session/reference.xml,v
retrieving revision 1.47
diff -u -r1.47 reference.xml
--- reference.xml       20 Jul 2004 01:27:19 -0000      1.47
+++ reference.xml       2 Aug 2004 09:32:32 -0000
@@ -90,7 +90,17 @@
      attacker might listen to your network traffic. If it is not encrypted,
      session ids will flow in plain text over the network. The solution here
      is to implement SSL on your server and make it mandatory for users.
+     Third, session ID can be read from client's system if it is compromited by
+     e.g. virus or security hole in browser or OS.
     </para>
+    <warning>
+     <para>
+      Sessions can be hijacked by other users on multi-user environments
+      regardless of setting <link linkend="ini.safe-mode">safe_mode</link>,
+      <link linkend="ini.open-basedir">open_basedir</link> or
+      <link linkend="ini.session.save-path">session.save_path</link>.
+     </para>
+    </warning>
    </section>
    <section id="session.requirements">
     &reftitle.required;
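Review bot: the first added sentence has a spelling error and a missing article: "Third, session ID can be read from client's system if it is compromited by" should read "Third, the session ID can be read from the client's system if it is compromised by". The new <warning> block names safe_mode, open_basedir and session.save_path as settings that do not prevent hijacking but gives no reason and no remedy; adding one sentence explaining that the default file-based handler keeps session data in a directory shared by all users of the host (so any setting that only restricts the PHP script cannot protect it), and pointing the reader to a custom session save handler or a per-user save_path with restrictive permissions, would make the warning actionable rather than only alarming.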

-- 
Jakub Vrana
