best place to store session on shared hosting?

additionally, it may help to put them a few levels deep, ex:

/public_html/443f08b7b63a58fb507675d08d39751a/6a204bd89f3c8348afd5c77c717a097a/67af10d3c47bfcc9257483c03e415c73/

Select allOpen in new window

To get the strings, i just put gibberish into an online MD5 generator ....

I would not waste any time on this at all.

Use session_start() at the top of all the scripts.  Place anything you want in the $_SESSION array, and expect to find it there for the duration of the client session.  Problem solved.

Now if there is some other reason why you are concerned, like maybe you do not trust the hosting company or the other users of the hosting service, then you should move to a new host ASAP.

hi

first thanks for the answers. so many options to consider. the most unexpected is Ray`s approach.
how can i know if i can trust other users of the hosting service ? that is why it seems like a good security measure to protect the session.

do you really just start the session and do not use any security measure for it?

obviously you do not want to store critical data in a session but the issue is what you consider  to be a critical data? some data is obviously critical but what about lets say a user id or username fore the sake of a simple login mechanism? and some may say, since we can controll the expiration time of the session its not a huge security issue. not sure where i stand on the issue, but if you work on a site that is already on a shared hosting would you not try to be as secure as possible?

by the way, always nice to hear you contribute to my question.

and sorry is i make mistakes with my english.

Ray has a point about making a judgement on the expected threat levels. Obviously if the data is of low value then any threat against it should also be rated as low. Once money gets involved then things change.

If shared hosting is your concern then moving the sessions out of their normal dumping ground of /tmp or /var/lib/php and placing them within the website folder or in the database will solve most of that issue with little effort on your part. Sensitive data can always be encrypted before placing it in the session and both Ray and I have posted code on EE on how to do this - Ray even has a class for it somewhere.

hi
thanks for the answer. how can i see what you or ray wrote? i tried to searched it but could not found.
what i do already is encryption of even simple data. maybe i`m trying too mush:)

OK - here's a class from our code library. You can either supply it with your own keys or let it generate its own. I prefer to let it generate its own keys as they are random.

<?php
/*
 * gbEncrypt 26-10-2009
 *
 * General operations for encrypting data
 *
 *
 *
 * Assumptions
 * -----------
 * Assumes that the PHP MCRYPT extension is loaded
 *
 *
 * Dependencies on other classes
 * -----------------------------
 *
 *
 * Modification list
 * -----------------
 * Mod.   By    When        Comment
 * ---    --    ------      -------
 * 001    BP    Sep 10      Add parameter to constructor to stop key generation by default
 *
 *
 */


class gbEncrypt {

     protected $algorithm;              // The algorithm to use

     protected $keySize;                // The key size
     protected $initVector;             // The initialisation vector
     protected $key;                    // The encryption key

     private   $handle;                 // Internal handle for the encryption routines
     private   $ivSize;                 // Initialisation vector size (chars)
     private   $blockSize;              // The block size used by the encryption cypher


     // ----- Constructor -----------------------------------------------------


     function __construct( $alreadyHaveKeys = false ) {

          $this->algorithm = MCRYPT_BLOWFISH;
          $this->keySize   = 256;
          $this->ivSize    = 8;
          $this->blockSize = 8;


          // 001
          //
          if ( $alreadyHaveKeys ) {
               $this->initVector = "";
               $this->key = "";
          }
          else{
               // Create a new initialisation vector. This does NOT need to be a secure
               // piece of information. It does not matter if the IV is sent with the data
               // as it often is. It is used to seed the generator and has no other
               // purpose
               //
               $this->setInitVector();

               // Create the encryption key. This WILL need to be kept secure and should
               // NOT travel with the data
               //
               $this->setKey();
          }

     }



     // ----- Setter and getter methods ---------------------------------------

     // Set the algorithm to use
     //
     function setAlgorithm( $p ) {
          $this->algorithm = strip_tags( $p );

     }

     // Set the parameter name to identify encrypted data
     //
     function setParamName( $p ) {
          $this->paramName = strip_tags( $p );
     }

     // Get the parameter name to identify encrypted data
     //
     function getParamName() {
          return $this->paramName;
     }


     // Set the initialisation vector
     //
     function setInitVector( $iv="" ) {

          if ( $iv == "" )
               $iv = $this->makeRandomString( $this->ivSize );

          if ( strlen($iv) != $this->ivSize )
               die("In " . __FILE__ . " at " . __LINE__ . " - Initialisation vector is wrong size (" . strlen($iv) . ") $iv");

          $this->initVector = $iv;
     }


     // Get the initialisation vector (8 bytes / 64 bits)
     //
     function getInitVector() {
          return $this->initVector;
     }


     // Set the encryption key
     //
     function setKey( $k="" ) {
          if ( $k == "")
               $this->key = $this->makeRandomString( ( $this->keySize / 8 ) );
          else
               $this->key = $k;
     }

     // Get the encryption key
     //
     function getKey() {
          return $this->key;
     }



     // ----- Private methods -------------------------------------------------


     // Makes a sting full of random characters
     //
     private function makeRandomString( $size ) {

          if ( ! is_numeric( $size ) )
               die( __FILE__. " at " . __LINE__ . " - Parameter is not numeric ($size)");

          $result = "";
          $data = "0123456789ABCDEFGHIJKLMNOPQRSTUVWYXZabcdefghijklmnopqrstuvwxyz";
          $dataLen = strlen( $data ) - 1;
          for ( $i=0; $i < $size; $i++ )

               $result .= $data[ mt_rand( 0, $dataLen )];

          return $result;
     }



     // ----- Public methods --------------------------------------------------



     // Encrypt a piece of data. The encryption has already been initialised and a key
     // generated
     //
     function encrypt( $data ) {

          // if the data's length is not a multiple of the block size then pad it out
          //
          $dataLen = strlen( $data );
          if ( ( $dataLen % $this->blockSize ) > 0  ) {
               $extra   = $this->blockSize - ( $dataLen % $this->blockSize );
               $data    = $data . str_pad(" ", $extra);
          }

          // The cypher mode is set to 'ecb'. The settings are as follows:
          //
          // - ECB (electronic codebook) is suitable for encrypting small amounts of data, such as credit card numbers.
          // - CBC (cipher block chaining) is suitable for encrypting large amounts of data, such as files.
          // - CFB (cipher feedback) is suitable for encrypting extremely small amount of data or encrypted streams
          //
          $this->handle = mcrypt_module_open($this->algorithm, '', 'ecb', '');

          mcrypt_generic_init( $this->handle, $this->key, $this->initVector );
          $encData = mcrypt_generic($this->handle, $data);
          mcrypt_generic_deinit( $this->handle );
          mcrypt_module_close( $this->handle );

          return $encData;
     }





     // Decrypt selected data and return it as plaintext
     //
     // Paremeters: $iv - the initialisation vector used in the original encryption (optional)
     //             $key - the encryption key
     //             $encData - the encrypted data to be converted to plain text
     //
     function decrypt( $encData, $key="", $iv="" ) {

          if ( $iv != "" )
               $this->initVector = $iv;

          if ( $key != "" )
               $this->key = $key;


          // Sanity checks

          if ( strlen( $this->initVector) != $this->ivSize )
               die( __FILE__ . " at " . __LINE__ . " - initialisation vector corrupt ($this->initVector)");

          if ( strlen( $this->key ) != ( $this->keySize / 8 ) )
               die( __FILE__ . " at " . __LINE__ . " - decryption key corrupt ($this->key)");


          if ( trim($encData) != "" ) {
               $this->handle = mcrypt_module_open($this->algorithm, '', 'ecb', '');
               mcrypt_generic_init( $this->handle, $this->key, $this->initVector );
               $data = mdecrypt_generic($this->handle, $encData);
               mcrypt_generic_deinit( $this->handle );
               mcrypt_module_close( $this->handle );
          }
          else
               $data = "";

          return $data;
     }


} // End of class gbEncrypt





// ----- Example of use -------------------------------------------------------
//


$encObj = new gbEncrypt();

$secretKey = $encObj->getKey();
$initVector = $encObj->getInitVector();

$data = "here is my data to encrypt and keep secret";

$encryptedData = $encObj->encrypt( $data );

echo "It looks like this $encryptedData";



// The class already has the key and init vector, but I could pass them in as additional
// parameters if I wanted to decrypted data I stored some time ago. It is usual to store
// the init vector with the data, but the secret key should be kept elsewhere
//
$clearText = $encObj->decrypt( $encryptedData );

echo "<br>And here is the clear text - $clearText";

//

Select allOpen in new window

wow this is really robust encryption class. much better then i ever used.

do i have premission to use it?

"do i have premission to use it?"

Of course. I wouldn't post it here otherwise.

It could do with being extended so that the cipher mode is selectable but ecb mode suits 99% of the data we encrypt here so......

One further thought. If you wish to encrypt selected data using this you can then combine it with Ray's suggestion to just use the standard session. Just remember to store the secret key somewhere safe.

well this was more and advice of operation and i got some really good ideas to choose from.
as an addition bport have a great encryption class.
that is a vry productive session:)

thanks bport:)