Introduction
A shared hosting environment raises security concerns for everyone involved, and sessions are no exception: every account on the server runs PHP, and by default they all write their session data to the same place. This tip is specific to PHP, but the principles apply to other languages as well.
Before moving on it's highly recommended to first read the following PHP manual pages (not just skim, or read parts, but actually read!):
INI Directives
Tips on various PHP Session related directives
session.save_path
- By default (for ASO shared hosting environments) this is set to /tmp, meaning session files for every user of the hosting server are saved in the same directory.
- This makes it easy for other users on the same server to peek at (steal) the session data, and to hijack sessions, since a session file contains the serialized session variables and its filename is the session ID.
Consider setting this directive to a per-account path such as /home/yourusername/tmp (outside your web root, so the files are never served to browsers). Instructions for doing this will later be added to this tip, but essentially:
- Be sure the path exists (by creating it in FTP or SSH)
- Since session.save_path is PHP_INI_ALL, it can be set either:
  - In the PHP script itself using session_save_path() or ini_set()
  - Or in .htaccess
  - Or in php.ini
- Setting to a home path also affects disk usage but typically these files are small
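The following is an added example, not part of the original tip, showing the "set it from the script" option with the checks a practitioner would want before trusting the directory. The path /home/yourusername/tmp, the function name private_session_path and the garbage-collection setting at the end are assumptions for illustration; replace the path with your own account's directory.

```php
<?php
// Added example (not from the original tip): point PHP session storage at a
// per-account directory instead of the shared /tmp, and verify that the
// directory is actually private before any session is started.
declare(strict_types=1);

function private_session_path(string $dir): string
{
    // 1. Create the directory if needed, owner-only (0700). The process umask
    //    may widen the mode given to mkdir(), so chmod() it explicitly after.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session directory: $dir");
    }
    if (!chmod($dir, 0700)) {
        throw new RuntimeException("cannot set permissions on: $dir");
    }

    // 2. Refuse to use it if any group/other permission bit is still set.
    clearstatcache(true, $dir);
    $perms = fileperms($dir) & 0777;
    if (($perms & 0077) !== 0) {
        throw new RuntimeException(sprintf(
            'session directory %s is group/world accessible (%04o)', $dir, $perms));
    }

    // 3. Refuse to use it if it is not owned by the user PHP runs as. On a
    //    host where PHP runs as a shared web-server user rather than your
    //    account, a 0700 directory in your home would have to be owned by that
    //    shared user, and the other accounts' scripts could read it again.
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        throw new RuntimeException("session directory $dir is not owned by the PHP process user");
    }

    // 4. Hand the path to PHP. session.save_path is PHP_INI_ALL, so this works
    //    from the script, but it must run before session_start().
    session_save_path($dir);
    return session_save_path();
}

$dir = '/home/yourusername/tmp';   // assumed path; keep it outside the web root
private_session_path($dir);

// Assumption worth checking on your host: some distributions disable PHP's own
// session garbage collector and clean the *default* save path with a cron job.
// A private path gets no such cleanup, so make sure PHP's GC is enabled here.
ini_set('session.gc_probability', '1');
ini_set('session.gc_divisor', '100');

session_start();
```

If PHP runs as an Apache module, the same setting can go in .htaccess as `php_value session.save_path /home/yourusername/tmp`; under CGI/FastCGI setups `php_value` is not honoured and a php.ini in the script directory is used instead (which of these applies on ASO is not stated in this tip, so check with the host). Whichever way it is set, the ownership and permission checks above are what make the directory private; the directive alone only moves the files.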
Notes
This tip is incomplete but useful as is. In the future additional content should exist here.