PhpSecInfo Test Information

save_path

Test Description

Checks whether the current session.save_path is a world-readable or world-writable directory, and whether it is the common UNIX system temp directory (the directory PHP falls back to when save_path is left unset).

Security Implications

This setting specifies the directory in which session files are written when the default (files) session handler is used. The directory must lie outside the document root and should be accessible only to the web server user, so that other users on the system cannot read your users' session files and, with them, the session IDs and any state stored in $_SESSION.

This setting should be unique per virtual host whenever the virtual hosts are controlled by different entities (a shared host, for example), to prevent sites from reading each other's sessions. The system temp directory is shared by every site on the machine, so leaving save_path at its default on such a host means one tenant can list and read another tenant's session files.

Recommendations

Set save_path to a directory that is:

  • outside the document root of your web site
  • not readable or writable by any other system user (for example mode 0700, owned by the web server user)

You can set save_path in the php.ini file:

; Set save_path to a safe location
session.save_path = /var/www/foo.bar/sessions

When PHP runs as an Apache module (mod_php), the setting can also be applied in Apache's httpd.conf file, or in an .htaccess file (use php_admin_value in httpd.conf if sites must not be able to override it from .htaccess). The php_value directive has no effect under PHP-FPM or CGI; set the value in php.ini, the FPM pool configuration, or a .user.ini file there instead:

# Set save_path to a safe location
php_value    session.save_path    /var/www/foo.bar/sessions
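The check the test describes, written out as an added example (this is not PhpSecInfo's own code). It assumes the default files session handler on a UNIX-like host; the function name audit_session_save_path, its arguments and the messages it returns are this example's own:

```php
<?php
// Added example, not PhpSecInfo's own code. Audits session.save_path the way
// the test above describes. Assumes the default "files" session handler and a
// UNIX-like filesystem; the function name and arguments are this example's own.

function audit_session_save_path(?string $savePath = null, ?string $docRoot = null): array
{
    $findings = [];

    // An empty save_path means PHP falls back to the system temp directory,
    // which every local user can read and write.
    if ($savePath === null) {
        $savePath = (string) ini_get('session.save_path');
    }
    if ($savePath === '') {
        $findings[] = 'session.save_path is unset; PHP falls back to ' . sys_get_temp_dir();
        $savePath = sys_get_temp_dir();
    }

    // save_path may be "N;MODE;/path" when sessions are spread over subdirectories;
    // the directory is always the last semicolon-separated field.
    $fields = explode(';', $savePath);
    $raw = trim(end($fields));
    $dir = realpath($raw);
    if ($dir === false || !is_dir($dir)) {
        $findings[] = "save_path does not exist or is not a directory: $raw";
        return $findings;
    }

    // Check 1: the shared system temp directory.
    if ($dir === realpath(sys_get_temp_dir())) {
        $findings[] = "$dir is the system temp directory shared by all local users";
    }

    // Check 2: inside the document root (served, and usually readable, by the web server).
    if ($docRoot === null) {
        $docRoot = $_SERVER['DOCUMENT_ROOT'] ?? '';
    }
    $root = $docRoot !== '' ? realpath($docRoot) : false;
    if ($root !== false && strpos($dir . '/', rtrim($root, '/') . '/') === 0) {
        $findings[] = "$dir lies inside the document root $root";
    }

    // Check 3: group or other permission bits. The page asks for a directory
    // only the web user can reach, so anything beyond the owner bits is flagged.
    $mode = fileperms($dir) & 0777;
    if ($mode & 0077) {
        $findings[] = sprintf('%s has mode %04o; it should be 0700 and owned by the web server user', $dir, $mode);
    }

    return $findings;
}

// Usage from the command line: php audit_save_path.php [save_path] [document_root]
$findings = audit_session_save_path($argv[1] ?? null, $argv[2] ?? null);
echo $findings === [] ? "session.save_path looks safe\n" : implode("\n", $findings) . "\n";
exit($findings === [] ? 0 : 1);
```

Run with no arguments it audits the save_path of the PHP binary's own php.ini, which may differ from the web SAPI's configuration; pass the value shown by phpinfo() for the web server, and the site's document root, to audit the live setting. Group bits are flagged on purpose: on a shared host every site usually runs under the same web server group, so a group-readable directory is readable by the other tenants.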
