Tags: php, security, session, session-hijacking, suphp

suPHP Security With Sessions


I am trying to better understand suPHP.

I have obviously found the suPHP documentation on Google, and have found the generic answers for what it is and does, but I am confused about how it can help with session security and preventing session hijacking.

If anyone could clarify this for me, I'd be grateful. Google isn't yielding any good results!


Solution

  • suPHP isolates PHP processes on shared hosting. It allows the scripts of each virtual host to run under a different user account.

    This aids security by making the session store inaccessible to the other accounts sharing the same server. Occasionally a world-readable directory (see session_save_path) is used by PHP's session handler to store the serialized $_SESSION blob (for example /tmp/session/, which is a subpar configuration to begin with). With suPHP this is constrained.

    However, this doesn't help with session hijacking at all, as that originates from HTTP packet sniffing or cross-site scripting exploits. Local access, or just reading out the session store directory, is a possible vector for session replay attacks, but a rare one.
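To make the point about the session store concrete, here is an added example (not code from the question, the answer, or the suPHP project) that audits a session_save_path the way a shared-hosting admin would: it builds two constructed directory layouts under a temp directory, a /tmp-style world-searchable store with 0644 session files and a per-vhost store with 0700/0600 permissions, and counts how many serialized session files another local account could read. It assumes GNU coreutils `stat -c '%a'` (Linux); the directory names and session file names are made up for the demonstration.

```sh
#!/bin/sh
# Audit a PHP session store directory for cross-account exposure.
# Constructed example, not part of the original answer: it mimics
# session.save_path = /tmp (1777, files 0644) next to a per-vhost store
# (0700, files 0600) and reports which session files other users could read.

set -u

# Print the permission bits of a path in octal, e.g. 1777 or 644 (GNU stat).
perm_octal() {
    stat -c '%a' "$1"
}

# Succeed if the "other" class has the given permission bit (4=r, 2=w, 1=x).
other_has() {  # other_has PATH BIT
    perm=$(perm_octal "$1")
    o=$(printf '%s' "$perm" | tail -c 1)
    [ $(( o & $2 )) -ne 0 ]
}

# Count sess_* files in DIR that a different local user could open:
# the directory must be searchable by others (o+x) and the file readable (o+r).
# A 0700 directory contributes nothing even if the files inside are 0644.
exposed_session_files() {  # exposed_session_files DIR
    dir=$1
    count=0
    if other_has "$dir" 1; then
        for f in "$dir"/sess_*; do
            [ -f "$f" ] || continue
            if other_has "$f" 4; then
                count=$((count + 1))
            fi
        done
    fi
    printf '%s\n' "$count"
}

# Remove the constructed layout when you are done inspecting it.
cleanup() {
    rm -rf "$BASE"
}

# --- constructed layout (hypothetical paths and session ids) ---
BASE=$(mktemp -d)
SHARED="$BASE/tmp"        # like session.save_path = /tmp on a shared box
PRIVATE="$BASE/vhost1"    # per-account store a suPHP vhost would own

mkdir -m 1777 "$SHARED"
mkdir -m 700  "$PRIVATE"
for d in "$SHARED" "$PRIVATE"; do
    : > "$d/sess_abc123"
    : > "$d/sess_def456"
done
chmod 644 "$SHARED"/sess_*
chmod 600 "$PRIVATE"/sess_*

printf 'shared (/tmp-style): %s exposed session file(s)\n' "$(exposed_session_files "$SHARED")"
printf 'private per-vhost : %s exposed session file(s)\n' "$(exposed_session_files "$PRIVATE")"
```

Run it as an unprivileged user and point `exposed_session_files` at the real `session.save_path` from `php -i` to see whether a neighbour on the same server could copy session files and replay them. With suPHP each vhost runs as its own account, so giving every account a private 0700 save path closes this vector; note the script only checks mode bits, it does not model ACLs or a root-owned cron job that sweeps the directory. The temp directory is left in place for inspection; call `cleanup` to remove it.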