best place to store session on shared hosting?

hi
i am writing a session class and the default place php store the files is in the tmp directory.

i know i can change the location but the issue is where to store them if a shared hosting does not let you store things outside the root site folder?
i thought maybe to create a folder inside the tmp folder with a hard name.

what do you think is the best and secure place to store the sessions files?

best regards
LVL 1
derridaAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

TimBareCommented:
if you CAN'T place them in a directory outside of web root, make the name as obscure as possible, and make sure you have permissions set properly so that users can't browse to that folder.

Alternatively, look for a better web host that allows you to put files wherever you want in your home directory (bluehost, for example)...
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
TimBareCommented:
additionally, it may help to put them a few levels deep, ex:
/public_html/443f08b7b63a58fb507675d08d39751a/6a204bd89f3c8348afd5c77c717a097a/67af10d3c47bfcc9257483c03e415c73/

Open in new window

To get the strings, i just put gibberish into an online MD5 generator ....
0
Beverley PortlockCommented:
Either put them in the database (see http://shiflett.org/articles/storing-sessions-in-a-database ) or create a folder in the website and put the session files in there and protect via Apache / .htaccess with

Order Deny,Allow
Deny from All
0
C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

Ray PaseurCommented:
I would not waste any time on this at all.

Use session_start() at the top of all the scripts.  Place anything you want in the $_SESSION array, and expect to find it there for the duration of the client session.  Problem solved.

Now if there is some other reason why you are concerned, like maybe you do not trust the hosting company or the other users of the hosting service, then you should move to a new host ASAP.

0
derridaAuthor Commented:
hi

first thanks for the answers. so many options to consider. the most unexpected is Ray`s approach.
how can i know if i can trust other users of the hosting service ? that is why it seems like a good security measure to protect the session.

do you really just start the session and do not use any security measure for it?
0
Ray PaseurCommented:
Yes, that is what I do.  But I also treat the session as external and tainted data.  In other words, I filter its contents just like I would filter POST data from a form.  You can make this more complicated, but you do not have to unless you are handling critical data, like electronic funds.  And if that is the case, then you probably want to be on an isolated server in a SCIF vault.  Security is a moving target, and the breadth of the issue is illustrated by the fact that the University of Maryland now offers a full time four year Bachelor of Science degree in IT security.  Protecting your session is a good idea, and the operating environment can do that for you, but it is only a small part of a much, much bigger picture.
0
derridaAuthor Commented:
obviously you do not want to store critical data in a session but the issue is what you consider  to be a critical data? some data is obviously critical but what about lets say a user id or username fore the sake of a simple login mechanism? and some may say, since we can controll the expiration time of the session its not a huge security issue. not sure where i stand on the issue, but if you work on a site that is already on a shared hosting would you not try to be as secure as possible?

by the way, always nice to hear you contribute to my question.

and sorry is i make mistakes with my english.
0
Beverley PortlockCommented:
Ray has a point about making a judgement on the expected threat levels. Obviously if the data is of low value then any threat against it should also be rated as low. Once money gets involved then things change.

If shared hosting is your concern then moving the sessions out of their normal dumping ground of /tmp or /var/lib/php and placing them within the website folder or in the database will solve most of that issue with little effort on your part. Sensitive data can always be encrypted before placing it in the session and both Ray and I have posted code on EE on how to do this - Ray even has a class for it somewhere.
0
derridaAuthor Commented:
hi
thanks for the answer. how can i see what you or ray wrote? i tried to searched it but could not found.
what i do already is encryption of even simple data. maybe i`m trying too mush:)
0
Beverley PortlockCommented:
OK - here's a class from our code library. You can either supply it with your own keys or let it generate its own. I prefer to let it generate its own keys as they are random.


<?php
/*
 * gbEncrypt 26-10-2009
 *
 * General operations for encrypting data
 *
 *
 *
 * Assumptions
 * -----------
 * Assumes that the PHP MCRYPT extension is loaded
 *
 *
 * Dependencies on other classes
 * -----------------------------
 *
 *
 * Modification list
 * -----------------
 * Mod.   By    When        Comment
 * ---    --    ------      -------
 * 001    BP    Sep 10      Add parameter to constructor to stop key generation by default
 *
 *
 */


class gbEncrypt {

     protected $algorithm;              // The algorithm to use

     protected $keySize;                // The key size
     protected $initVector;             // The initialisation vector
     protected $key;                    // The encryption key

     private   $handle;                 // Internal handle for the encryption routines
     private   $ivSize;                 // Initialisation vector size (chars)
     private   $blockSize;              // The block size used by the encryption cypher


     // ----- Constructor -----------------------------------------------------


     function __construct( $alreadyHaveKeys = false ) {

          $this->algorithm = MCRYPT_BLOWFISH;
          $this->keySize   = 256;
          $this->ivSize    = 8;
          $this->blockSize = 8;


          // 001
          //
          if ( $alreadyHaveKeys ) {
               $this->initVector = "";
               $this->key = "";
          }
          else{
               // Create a new initialisation vector. This does NOT need to be a secure
               // piece of information. It does not matter if the IV is sent with the data
               // as it often is. It is used to seed the generator and has no other
               // purpose
               //
               $this->setInitVector();

               // Create the encryption key. This WILL need to be kept secure and should
               // NOT travel with the data
               //
               $this->setKey();
          }

     }



     // ----- Setter and getter methods ---------------------------------------

     // Set the algorithm to use
     //
     function setAlgorithm( $p ) {
          $this->algorithm = strip_tags( $p );

     }

     // Set the parameter name to identify encrypted data
     //
     function setParamName( $p ) {
          $this->paramName = strip_tags( $p );
     }

     // Get the parameter name to identify encrypted data
     //
     function getParamName() {
          return $this->paramName;
     }


     // Set the initialisation vector
     //
     function setInitVector( $iv="" ) {

          if ( $iv == "" )
               $iv = $this->makeRandomString( $this->ivSize );

          if ( strlen($iv) != $this->ivSize )
               die("In " . __FILE__ . " at " . __LINE__ . " - Initialisation vector is wrong size (" . strlen($iv) . ") $iv");

          $this->initVector = $iv;
     }


     // Get the initialisation vector (8 bytes / 64 bits)
     //
     function getInitVector() {
          return $this->initVector;
     }


     // Set the encryption key
     //
     function setKey( $k="" ) {
          if ( $k == "")
               $this->key = $this->makeRandomString( ( $this->keySize / 8 ) );
          else
               $this->key = $k;
     }

     // Get the encryption key
     //
     function getKey() {
          return $this->key;
     }



     // ----- Private methods -------------------------------------------------


     // Makes a sting full of random characters
     //
     private function makeRandomString( $size ) {

          if ( ! is_numeric( $size ) )
               die( __FILE__. " at " . __LINE__ . " - Parameter is not numeric ($size)");

          $result = "";
          $data = "0123456789ABCDEFGHIJKLMNOPQRSTUVWYXZabcdefghijklmnopqrstuvwxyz";
          $dataLen = strlen( $data ) - 1;
          for ( $i=0; $i < $size; $i++ )

               $result .= $data[ mt_rand( 0, $dataLen )];

          return $result;
     }



     // ----- Public methods --------------------------------------------------



     // Encrypt a piece of data. The encryption has already been initialised and a key
     // generated
     //
     function encrypt( $data ) {

          // if the data's length is not a multiple of the block size then pad it out
          //
          $dataLen = strlen( $data );
          if ( ( $dataLen % $this->blockSize ) > 0  ) {
               $extra   = $this->blockSize - ( $dataLen % $this->blockSize );
               $data    = $data . str_pad(" ", $extra);
          }

          // The cypher mode is set to 'ecb'. The settings are as follows:
          //
          // - ECB (electronic codebook) is suitable for encrypting small amounts of data, such as credit card numbers.
          // - CBC (cipher block chaining) is suitable for encrypting large amounts of data, such as files.
          // - CFB (cipher feedback) is suitable for encrypting extremely small amount of data or encrypted streams
          //
          $this->handle = mcrypt_module_open($this->algorithm, '', 'ecb', '');

          mcrypt_generic_init( $this->handle, $this->key, $this->initVector );
          $encData = mcrypt_generic($this->handle, $data);
          mcrypt_generic_deinit( $this->handle );
          mcrypt_module_close( $this->handle );

          return $encData;
     }





     // Decrypt selected data and return it as plaintext
     //
     // Paremeters: $iv - the initialisation vector used in the original encryption (optional)
     //             $key - the encryption key
     //             $encData - the encrypted data to be converted to plain text
     //
     function decrypt( $encData, $key="", $iv="" ) {

          if ( $iv != "" )
               $this->initVector = $iv;

          if ( $key != "" )
               $this->key = $key;


          // Sanity checks

          if ( strlen( $this->initVector) != $this->ivSize )
               die( __FILE__ . " at " . __LINE__ . " - initialisation vector corrupt ($this->initVector)");

          if ( strlen( $this->key ) != ( $this->keySize / 8 ) )
               die( __FILE__ . " at " . __LINE__ . " - decryption key corrupt ($this->key)");


          if ( trim($encData) != "" ) {
               $this->handle = mcrypt_module_open($this->algorithm, '', 'ecb', '');
               mcrypt_generic_init( $this->handle, $this->key, $this->initVector );
               $data = mdecrypt_generic($this->handle, $encData);
               mcrypt_generic_deinit( $this->handle );
               mcrypt_module_close( $this->handle );
          }
          else
               $data = "";

          return $data;
     }


} // End of class gbEncrypt





// ----- Example of use -------------------------------------------------------
//


$encObj = new gbEncrypt();

$secretKey = $encObj->getKey();
$initVector = $encObj->getInitVector();

$data = "here is my data to encrypt and keep secret";

$encryptedData = $encObj->encrypt( $data );

echo "It looks like this $encryptedData";



// The class already has the key and init vector, but I could pass them in as additional
// parameters if I wanted to decrypted data I stored some time ago. It is usual to store
// the init vector with the data, but the secret key should be kept elsewhere
//
$clearText = $encObj->decrypt( $encryptedData );

echo "<br>And here is the clear text - $clearText";

//

Open in new window

0
derridaAuthor Commented:
wow this is really robust encryption class. much better then i ever used.

do i have premission to use it?
0
Beverley PortlockCommented:
"do i have premission to use it?"

Of course. I wouldn't post it here otherwise.

It could do with being extended so that the cipher mode is selectable but ecb mode suits 99% of the data we encrypt here so......
0
Beverley PortlockCommented:
One further thought. If you wish to encrypt selected data using this you can then combine it with Ray's suggestion to just use the standard session. Just remember to store the secret key somewhere safe.
0
derridaAuthor Commented:
well this was more and advice of operation and i got some really good ideas to choose from.
as an addition bport have a great encryption class.
that is a vry productive session:)
0
derridaAuthor Commented:
thanks bport:)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
PHP

From novice to tech pro — start learning today.