Solved

best place to store session on shared hosting?

Posted on 2011-03-07
15
303 Views
Last Modified: 2012-08-13
hi
i am writing a session class and the default place php store the files is in the tmp directory.

i know i can change the location but the issue is where to store them if a shared hosting does not let you store things outside the root site folder?
i thought maybe to create a folder inside the tmp folder with a hard name.

what do you think is the best and secure place to store the sessions files?

best regards
0
Comment
Question by:derrida
  • 6
  • 5
  • 2
  • +1
15 Comments
 
LVL 2

Accepted Solution

by:
TimBare earned 167 total points
ID: 35059744
if you CAN'T place them in a directory outside of web root, make the name as obscure as possible, and make sure you have permissions set properly so that users can't browse to that folder.

Alternatively, look for a better web host that allows you to put files wherever you want in your home directory (bluehost, for example)...
0
 
LVL 2

Expert Comment

by:TimBare
ID: 35059773
additionally, it may help to put them a few levels deep, ex:
/public_html/443f08b7b63a58fb507675d08d39751a/6a204bd89f3c8348afd5c77c717a097a/67af10d3c47bfcc9257483c03e415c73/

Open in new window

To get the strings, i just put gibberish into an online MD5 generator ....
0
 
LVL 34

Assisted Solution

by:Beverley Portlock
Beverley Portlock earned 166 total points
ID: 35061311
Either put them in the database (see http://shiflett.org/articles/storing-sessions-in-a-database ) or create a folder in the website and put the session files in there and protect via Apache / .htaccess with

Order Deny,Allow
Deny from All
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 35062354
I would not waste any time on this at all.

Use session_start() at the top of all the scripts.  Place anything you want in the $_SESSION array, and expect to find it there for the duration of the client session.  Problem solved.

Now if there is some other reason why you are concerned, like maybe you do not trust the hosting company or the other users of the hosting service, then you should move to a new host ASAP.

0
 
LVL 1

Author Comment

by:derrida
ID: 35065928
hi

first thanks for the answers. so many options to consider. the most unexpected is Ray`s approach.
how can i know if i can trust other users of the hosting service ? that is why it seems like a good security measure to protect the session.

do you really just start the session and do not use any security measure for it?
0
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 167 total points
ID: 35065983
Yes, that is what I do.  But I also treat the session as external and tainted data.  In other words, I filter its contents just like I would filter POST data from a form.  You can make this more complicated, but you do not have to unless you are handling critical data, like electronic funds.  And if that is the case, then you probably want to be on an isolated server in a SCIF vault.  Security is a moving target, and the breadth of the issue is illustrated by the fact that the University of Maryland now offers a full time four year Bachelor of Science degree in IT security.  Protecting your session is a good idea, and the operating environment can do that for you, but it is only a small part of a much, much bigger picture.
0
 
LVL 1

Author Comment

by:derrida
ID: 35066032
obviously you do not want to store critical data in a session but the issue is what you consider  to be a critical data? some data is obviously critical but what about lets say a user id or username fore the sake of a simple login mechanism? and some may say, since we can controll the expiration time of the session its not a huge security issue. not sure where i stand on the issue, but if you work on a site that is already on a shared hosting would you not try to be as secure as possible?

by the way, always nice to hear you contribute to my question.

and sorry is i make mistakes with my english.
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 34

Expert Comment

by:Beverley Portlock
ID: 35068091
Ray has a point about making a judgement on the expected threat levels. Obviously if the data is of low value then any threat against it should also be rated as low. Once money gets involved then things change.

If shared hosting is your concern then moving the sessions out of their normal dumping ground of /tmp or /var/lib/php and placing them within the website folder or in the database will solve most of that issue with little effort on your part. Sensitive data can always be encrypted before placing it in the session and both Ray and I have posted code on EE on how to do this - Ray even has a class for it somewhere.
0
 
LVL 1

Author Comment

by:derrida
ID: 35068170
hi
thanks for the answer. how can i see what you or ray wrote? i tried to searched it but could not found.
what i do already is encryption of even simple data. maybe i`m trying too mush:)
0
 
LVL 34

Expert Comment

by:Beverley Portlock
ID: 35068383
OK - here's a class from our code library. You can either supply it with your own keys or let it generate its own. I prefer to let it generate its own keys as they are random.


<?php
/*
 * gbEncrypt 26-10-2009
 *
 * General operations for encrypting data
 *
 *
 *
 * Assumptions
 * -----------
 * Assumes that the PHP MCRYPT extension is loaded
 *
 *
 * Dependencies on other classes
 * -----------------------------
 *
 *
 * Modification list
 * -----------------
 * Mod.   By    When        Comment
 * ---    --    ------      -------
 * 001    BP    Sep 10      Add parameter to constructor to stop key generation by default
 *
 *
 */


class gbEncrypt {

     protected $algorithm;              // The algorithm to use

     protected $keySize;                // The key size
     protected $initVector;             // The initialisation vector
     protected $key;                    // The encryption key

     private   $handle;                 // Internal handle for the encryption routines
     private   $ivSize;                 // Initialisation vector size (chars)
     private   $blockSize;              // The block size used by the encryption cypher


     // ----- Constructor -----------------------------------------------------


     function __construct( $alreadyHaveKeys = false ) {

          $this->algorithm = MCRYPT_BLOWFISH;
          $this->keySize   = 256;
          $this->ivSize    = 8;
          $this->blockSize = 8;


          // 001
          //
          if ( $alreadyHaveKeys ) {
               $this->initVector = "";
               $this->key = "";
          }
          else{
               // Create a new initialisation vector. This does NOT need to be a secure
               // piece of information. It does not matter if the IV is sent with the data
               // as it often is. It is used to seed the generator and has no other
               // purpose
               //
               $this->setInitVector();

               // Create the encryption key. This WILL need to be kept secure and should
               // NOT travel with the data
               //
               $this->setKey();
          }

     }



     // ----- Setter and getter methods ---------------------------------------

     // Set the algorithm to use
     //
     function setAlgorithm( $p ) {
          $this->algorithm = strip_tags( $p );

     }

     // Set the parameter name to identify encrypted data
     //
     function setParamName( $p ) {
          $this->paramName = strip_tags( $p );
     }

     // Get the parameter name to identify encrypted data
     //
     function getParamName() {
          return $this->paramName;
     }


     // Set the initialisation vector
     //
     function setInitVector( $iv="" ) {

          if ( $iv == "" )
               $iv = $this->makeRandomString( $this->ivSize );

          if ( strlen($iv) != $this->ivSize )
               die("In " . __FILE__ . " at " . __LINE__ . " - Initialisation vector is wrong size (" . strlen($iv) . ") $iv");

          $this->initVector = $iv;
     }


     // Get the initialisation vector (8 bytes / 64 bits)
     //
     function getInitVector() {
          return $this->initVector;
     }


     // Set the encryption key
     //
     function setKey( $k="" ) {
          if ( $k == "")
               $this->key = $this->makeRandomString( ( $this->keySize / 8 ) );
          else
               $this->key = $k;
     }

     // Get the encryption key
     //
     function getKey() {
          return $this->key;
     }



     // ----- Private methods -------------------------------------------------


     // Makes a sting full of random characters
     //
     private function makeRandomString( $size ) {

          if ( ! is_numeric( $size ) )
               die( __FILE__. " at " . __LINE__ . " - Parameter is not numeric ($size)");

          $result = "";
          $data = "0123456789ABCDEFGHIJKLMNOPQRSTUVWYXZabcdefghijklmnopqrstuvwxyz";
          $dataLen = strlen( $data ) - 1;
          for ( $i=0; $i < $size; $i++ )

               $result .= $data[ mt_rand( 0, $dataLen )];

          return $result;
     }



     // ----- Public methods --------------------------------------------------



     // Encrypt a piece of data. The encryption has already been initialised and a key
     // generated
     //
     function encrypt( $data ) {

          // if the data's length is not a multiple of the block size then pad it out
          //
          $dataLen = strlen( $data );
          if ( ( $dataLen % $this->blockSize ) > 0  ) {
               $extra   = $this->blockSize - ( $dataLen % $this->blockSize );
               $data    = $data . str_pad(" ", $extra);
          }

          // The cypher mode is set to 'ecb'. The settings are as follows:
          //
          // - ECB (electronic codebook) is suitable for encrypting small amounts of data, such as credit card numbers.
          // - CBC (cipher block chaining) is suitable for encrypting large amounts of data, such as files.
          // - CFB (cipher feedback) is suitable for encrypting extremely small amount of data or encrypted streams
          //
          $this->handle = mcrypt_module_open($this->algorithm, '', 'ecb', '');

          mcrypt_generic_init( $this->handle, $this->key, $this->initVector );
          $encData = mcrypt_generic($this->handle, $data);
          mcrypt_generic_deinit( $this->handle );
          mcrypt_module_close( $this->handle );

          return $encData;
     }





     // Decrypt selected data and return it as plaintext
     //
     // Paremeters: $iv - the initialisation vector used in the original encryption (optional)
     //             $key - the encryption key
     //             $encData - the encrypted data to be converted to plain text
     //
     function decrypt( $encData, $key="", $iv="" ) {

          if ( $iv != "" )
               $this->initVector = $iv;

          if ( $key != "" )
               $this->key = $key;


          // Sanity checks

          if ( strlen( $this->initVector) != $this->ivSize )
               die( __FILE__ . " at " . __LINE__ . " - initialisation vector corrupt ($this->initVector)");

          if ( strlen( $this->key ) != ( $this->keySize / 8 ) )
               die( __FILE__ . " at " . __LINE__ . " - decryption key corrupt ($this->key)");


          if ( trim($encData) != "" ) {
               $this->handle = mcrypt_module_open($this->algorithm, '', 'ecb', '');
               mcrypt_generic_init( $this->handle, $this->key, $this->initVector );
               $data = mdecrypt_generic($this->handle, $encData);
               mcrypt_generic_deinit( $this->handle );
               mcrypt_module_close( $this->handle );
          }
          else
               $data = "";

          return $data;
     }


} // End of class gbEncrypt





// ----- Example of use -------------------------------------------------------
//


$encObj = new gbEncrypt();

$secretKey = $encObj->getKey();
$initVector = $encObj->getInitVector();

$data = "here is my data to encrypt and keep secret";

$encryptedData = $encObj->encrypt( $data );

echo "It looks like this $encryptedData";



// The class already has the key and init vector, but I could pass them in as additional
// parameters if I wanted to decrypted data I stored some time ago. It is usual to store
// the init vector with the data, but the secret key should be kept elsewhere
//
$clearText = $encObj->decrypt( $encryptedData );

echo "<br>And here is the clear text - $clearText";

//

Open in new window

0
 
LVL 1

Author Comment

by:derrida
ID: 35068483
wow this is really robust encryption class. much better then i ever used.

do i have premission to use it?
0
 
LVL 34

Expert Comment

by:Beverley Portlock
ID: 35068529
"do i have premission to use it?"

Of course. I wouldn't post it here otherwise.

It could do with being extended so that the cipher mode is selectable but ecb mode suits 99% of the data we encrypt here so......
0
 
LVL 34

Expert Comment

by:Beverley Portlock
ID: 35068552
One further thought. If you wish to encrypt selected data using this you can then combine it with Ray's suggestion to just use the standard session. Just remember to store the secret key somewhere safe.
0
 
LVL 1

Author Closing Comment

by:derrida
ID: 35068606
well this was more and advice of operation and i got some really good ideas to choose from.
as an addition bport have a great encryption class.
that is a vry productive session:)
0
 
LVL 1

Author Comment

by:derrida
ID: 35068615
thanks bport:)
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Suggested Solutions

Introduction HTML checkboxes provide the perfect way for a web developer to receive client input when the client's options might be none, one or many.  But the PHP code for processing the checkboxes can be confusing at first.  What if a checkbox is…
Deprecated and Headed for the Dustbin By now, you have probably heard that some PHP features, while convenient, can also cause PHP security problems.  This article discusses one of those, called register_globals.  It is a thing you do not want.  …
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now