
I have a question and am looking for an expert opinion.

If a website is registered with a hosting company over a shared platform, then could that website's session variables be hacked by others working on the same shared platform?

Thank You.

Dip M
    Please [ask one question at a time](http://meta.stackexchange.com/questions/39223/one-post-with-multiple-questions-or-multiple-posts). – ChrisGPT was on strike Feb 09 '15 at 00:32
  • unless your host is an idiot, you're as safe as you are on a non-shared platform –  Feb 09 '15 at 00:37
  • possible duplicate of [what is the efficient way to secure a session variable in php?](http://stackoverflow.com/questions/2144429/what-is-the-efficient-way-to-secure-a-session-variable-in-php) – l'L'l Feb 09 '15 at 00:40

2 Answers

1

I'd say shared hosts are less secure in that regard, as I've personally seen several shared hosts where everybody could view the temp folder where session files are stored. As the PHP default dictates, file names equal the session ID, meaning I could from there easily go to the corresponding site, put the file name into a cookie, and thus hijack the session.

As mentioned in other answers and comments, competent hosts may avoid this through proper administration and sandboxing. Investigate yours.

There are also alternative session storage methods, such as through a database. One could also regenerate the session ID often, to decrease the window for any potential hijack. Take a look at http://php.net/manual/en/session.security.php and http://php.net/manual/en/class.sessionhandler.php for some more details.

All that said, you're still better off avoiding sensitive data in session variables altogether.

Dellkan
  • it's not the host's fault if a site owner does not specify a session storage directory under their own account –  Feb 09 '15 at 01:13
  • It is if this directory is shared with others. – FloydThreepwood Feb 09 '15 at 01:32
  • Thanks Dellkan, your post has very helpful information in this regard. – Dip M Feb 09 '15 at 07:06
  • @Dagon Yeah, actually, it kind of is. There's such a thing as sensible default. Most people won't know the what's and why. The host shouldn't have a gaping security hole to anyone who didn't happen to think of changing session storage directory. Especially so when it comes to sessions, where even knowing the filenames can be enough. – Dellkan Feb 09 '15 at 08:06
  • you shouldn't be deploying/developing a web site if you don't know what you are doing –  Feb 09 '15 at 19:39
-1

At first you should ask yourself: Who do you trust? Sessions exist (besides sharing data between requests) to enable the developer to store and control data outside the user's reach. This was the problem and this is solved by sessions.

If you are in a shared environment it is possible for other processes and users to access your stored information and change it, but - and that's a big one - it is also possible for them to access your database and your code. So there is nothing to really help you in the case of evil attackers from within your system.

The only thing that will help is competent administration. In shared environments it is crucial to sandbox each application running on the server. They have to set session_save_path on a per-user basis, just as they should do with everything else.

FloydThreepwood
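Both answers come down to the same fix: keep session data inside your own account rather than the host's shared temp directory. As an added example (not code from either answer, and assuming PHP 8 with the PDO SQLite driver and a writable `../private/` directory above the web root), this is a custom session handler that stores sessions in an owner-only SQLite file, plus the strict-mode and ID-regeneration settings the first answer points to:

```php
<?php
// Added example, not code from either answer. Sessions go into an SQLite file inside
// this account (assumed path ../private/sessions.sqlite, above the web root) instead
// of the shared /tmp directory, so other tenants cannot list the session IDs.
final class SqliteSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private PDO $db;
    public function __construct(string $path)
    {
        $this->db = new PDO('sqlite:' . $path, null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions (id TEXT PRIMARY KEY, data BLOB NOT NULL, updated INTEGER NOT NULL)');
        chmod($path, 0600); // owner-only, in case the host's umask is permissive
    }
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : $data; // '' = no such session yet
    }
    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare('REPLACE INTO sessions (id, data, updated) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, time()]);
    }
    public function destroy(string $id): bool { return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]); }
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE updated < ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }
    // Lets session.use_strict_mode refuse IDs this server never issued (blocks session fixation).
    public function validateId(string $id): bool
    {
        $stmt = $this->db->prepare('SELECT 1 FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        return $stmt->fetchColumn() !== false;
    }
    public function updateTimestamp(string $id, string $data): bool { return $this->db->prepare('UPDATE sessions SET updated = ? WHERE id = ?')->execute([time(), $id]); }
}
ini_set('session.use_strict_mode', '1');   // only accept IDs that validateId() confirms
ini_set('session.cookie_httponly', '1');   // keep the cookie out of reach of page scripts
session_set_save_handler(new SqliteSessionHandler(__DIR__ . '/../private/sessions.sqlite'), true);
session_start();
if (empty($_SESSION['initiated'])) {       // fresh ID on first use shrinks the hijack window
    session_regenerate_id(true);
    $_SESSION['initiated'] = true;
}
```

Check the result the way the first answer describes: from another account on the same host, the session directory should not be listable, and the SQLite file should show mode 0600 owned by your user.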