Issue with PHP Sessions


#1

Hello there, I tried fiddling with PHP Sessions but found some serious issues.

With default settings, using PHP’s native function session_start() will create the session storage file in the WINDOWS TEMP directory, which is highly insecure. Anyone can read the files and is free to alter anything.

Changing the default session storage path with ini_set("session.save_path", "/") saves the subsequent sessions in the DATA folder that sits beside the application.
Again, this is also highly insecure, as the session files are still open to everyone.

Is there any way the sessions files are saved only in the memory (RAM) along with all other PHP files? This would really help me a lot in my application which uses sessions.

Of course, the session files need not be persistent, and I’m okay if they are destroyed when the application is closed. I just want the session files to be stored securely in memory.

I also know about custom session handling methods that work with databases, but that would increase the load on the database server (MariaDB), because there are going to be a lot of requests.

I hope to get a solution quickly.

Thanks,
Jay Dadhania.


#2

@gdgsupport
It’s been more than a week with no response. Please reply with something. If you’re planning to fix, say when to expect the fix. If you’re not, please say so, so I can move on to an alternative method for sessions.

Thanks,
Jay Dadhania.


#3

Just to let you know that we added the possibility to store sessions as virtual files in the future update of ExeOutput. However, keep in mind that anything stored in the clear in RAM can also be dumped. If you deal with sensitive data in your sessions, why not encrypt it?
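As an added example of the encryption this reply suggests (not code from the thread or from ExeOutput), the handler below wraps PHP's native files handler so that whatever lands in the session save path is ciphertext rather than plain serialized data. It assumes PHP 8.0+ with the sodium extension; the key source is a labelled placeholder that must be replaced with a secret kept outside the session directory.

```php
<?php
// Added example: encrypt session data at rest by wrapping the built-in files handler.
// Tampered or corrupt records fail authentication and are discarded (empty session).
class EncryptedSessionHandler extends SessionHandler
{
    private string $key;

    public function __construct(string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('key must be exactly 32 bytes');
        }
        $this->key = $key;
    }

    // Called by session_start(): decrypt what the files handler read from disk.
    public function read(string $id): string|false
    {
        $raw = parent::read($id);
        if ($raw === '' || $raw === false) {
            return '';                                   // no session file yet
        }
        $blob = base64_decode($raw, true);
        if ($blob === false || strlen($blob) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
            return '';                                   // corrupt record: start fresh
        }
        $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $ct    = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open($ct, $nonce, $this->key);
        return $plain === false ? '' : $plain;           // MAC failure: discard data
    }

    // Called at the end of the request: encrypt with a fresh nonce before storing.
    public function write(string $id, string $data): bool
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $ct    = sodium_crypto_secretbox($data, $nonce, $this->key);
        return parent::write($id, base64_encode($nonce . $ct));
    }
}

// PLACEHOLDER key derivation: replace 'REPLACE-WITH-APP-SECRET' with a secret loaded
// from somewhere the session directory's readers cannot reach (not a hard-coded literal).
$key = sodium_crypto_generichash('REPLACE-WITH-APP-SECRET', '', SODIUM_CRYPTO_SECRETBOX_KEYBYTES);

session_set_save_handler(new EncryptedSessionHandler($key), true);  // must precede session_start()
session_start();
$_SESSION['user'] = 'jay';   // written to disk as nonce||ciphertext, base64-encoded
```

Note that this protects confidentiality and integrity of the stored data only; anyone who can delete the files can still destroy sessions, which is the availability concern the thread also raises.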


#4

Thank you for the reply!
Of course, encryption will be needed, but my concern was more with the location of files.

As it is currently, session files are saved in Windows Temp directory. When someone clears the temp directory, sessions are lost. We can of course change the path to Data directory. But the issue is the ease with which files can be read/modified/deleted. Apparently it is easier to read or delete a file from plain hard disk than in RAM. (I may be too stupid to state this, but for me that is so.)

Also, it’s awesome that you have decided to move the sessions into virtual memory. Thank you very much!


#5

http://php.net/manual/fr/function.session-save-path.php


#6

Added the possibility in ExeOutput 2018.2: see how to choose a virtual path for session files here
http://www.exeoutput.com/help/cookies


#7

Good to know!!