Saving session data securely in PHP

I was trying to understand how sessions wor开发者_运维知识库k in PHP and found that session data is by default stored in the file system. In a shared hosting environment, session data can be read by PHP scripts written by any user. How can this be prevented ?

You can override the session save handler for your script to use something other than the filesystem, such as a database or memcache. Here is a detailed implementation: http://phpsec.org/projects/guide/5.html

Depends on the level of access you have to the php.ini file - if you're on a Shared Hosting environment which runs suPHP and allows you to have your own php.ini file (for instance) then you can simply set the session.save_path to a path like ~/tmp instead of /tmp which is usually shared.

To begin with though, I don't think that you actually CAN read php session data from other applications. I believe it's something rather unique to the person viewing it.

Finally php Session data is not solely file system saved only. It can also be setup to save in a cookie on the user's machine or you can setup php session data to be stored in a database.

Write your own SESSION wrapper.

For example CodeIgniter's session library doe's not depend on PHP's native one and it's more secure:

Note: The Session class does not utilize native PHP sessions. It generates its own session data, offering more flexibility for developers.

You can use session_save_path() to change the session data directory to one that isn't shared.

Use session_save_path() and change your session folder like "/htdocs/storage/sessions". Now sessions only saved to your given path.