
PHP Session Security on Cloud Hosting

I know that on regular shared hosting, storing PHP sessions in the default location (/tmp) may present security issues. A VPS does not have this issue. Therefore, I assume VPS cloud hosting does not. But what about regular cloud hosting? Is that just shared hosting over multiple computers, meaning that PHP sessions would still be vulnerable to the prying eyes of other webhosting clients on that cloud? Or is there something different about (non-VPS) cloud hosting that protects from PHP session storage location vulnerabilities?


Shared hosting simply means that your web hosting provider places multiple web sites on a single server.

Cloud hosting uses the same concept and is in reality just another type of shared hosting, but with greater upwards and downwards scalability.

One issue with shared hosting is that within the context of a single server, there is a fixed amount of physical space. Although the hosting provider will provision their servers in such a way that you don’t run into capacity problems, the issue still remains. Cloud hosting removes that possibility by replacing the concept of the individual physical server, with that of a virtualized and highly scalable infrastructure.


But security is still a concern in cloud hosting. The only difference is that your files are stored on multiple servers. And you do not know and trust where the files are stored. So for better session handling and security, I would advise you to use a database to store and manage sessions, for the following reasons.

  1. Only you have access to the session data. In shared hosting this can help you a lot.

  2. Each server will have its own directory where these session files are maintained, so if you are employing load balancing across multiple servers there is no guarantee that a request for an existing session will be given to the server which is maintaining the state for that session.

  3. It would be difficult for a site administrator to perform such queries as "how many sessions are currently active?" or "which users are currently logged in?". But if you are storing them in the database, then you can track this.

  4. The application needs to be able to run on multiple servers without server affinity.

Here is a great article about storing sessions in a database by Chris Shiflett.

Hope it helps.


I could be wrong, but most "cloud hosting" services, as in not a "VPS" service, are just shared hosting on a cloud server that the host scales up as needed.

The only time I find storing sessions in, say for example "/temp", secure, is when I'm the only person using the server.
