Issue with PHP Sessions

jaydadhania08 · April 30, 2018, 5:21am

Hello there, I tried fiddling with PHP Sessions but found some serious issues.

With default settings, using PHP’s native function session_start() will create the session storage file in WINDOWS TEMP directory, which is highly unsecure. Anyone can read the files and is free to alter anything.

Changing the default session storage path with ini_set(“session.save_path”, “/”) saves the subsequent sessions in the DATA folder that stays beside the application.
Again, this is also highly unsecure, as the sessions files are still open to everyone.

Is there any way the sessions files are saved only in the memory (RAM) along with all other PHP files? This would really help me a lot in my application which uses sessions.

Of course, the session files need not be persistent, and I’m okay if they are destroyed when the application is closed. I just want the session files to be stored securely in memory.

I also know about custom session handling methods that work with databases, but that would increase the load on the database server (MariaDB), because there are going to be a lot of requests.

I hope to get a solution quickly.

Thanks,
Jay Dadhania.

jaydadhania08 · May 11, 2018, 9:38pm

@gdgsupport
It’s been more than a week with no response. Please reply with something. If you’re planning to fix, say when to expect the fix. If you’re not, please say so, so I can move on to an alternative method for sessions.

Thanks,
Jay Dadhania.

gdgsupport · May 14, 2018, 8:33pm

Just to let you know that we added the possibility to store session as virtual files in the future update of ExeOutput. However, keep in mind that anything clear in RAM can also be dumped. If you deal with sensitive data in your sessions, why not encrypt it?

jaydadhania08 · May 14, 2018, 8:32pm

Thank you for the reply!
Of course, encryption will be needed, but my concern was more with the location of files.

As it is currently, session files are saved in Windows Temp directory. When someone clears the temp directory, sessions are lost. We can of course change the path to Data directory. But the issue is the ease with which files can be read/modified/deleted. Apparently it is easier to read or delete a file from plain hard disk than in RAM. (I may be too stupid to state this, but for me that is so.)

Also, it’s awesome that you have decided to move the sessions into virtual memory. Thank you very much!

Gilmichel · May 16, 2018, 4:43pm

http://php.net/manual/fr/function.session-save-path.php

gdgsupport · September 17, 2018, 4:51pm

Added the possibility in ExeOutput 2018.2: see how to choose virtual path for sessions files here
http://www.exeoutput.com/help/cookies

jaydadhania08 · September 18, 2018, 8:56am

Good to know!!

oldteacher · May 18, 2021, 2:56am

Know this old, but was going to open new topic about same issue. Seems there are no docs about choosing virtual path.

Your link is dead and see nothing in new docs.

Wukong · May 18, 2021, 8:05pm

Hi, may be what you are looking for : About PHP Session and Cookies - ExeOutput for PHP Documentation

oldteacher · May 18, 2021, 9:00pm

Thank you @Wukong ! Missed that info in my search, that is very good information.