PhpSecInfo Test Information
save_path
Test Description
Checks whether the current session.save_path is a world-readable or world-writable directory, and whether it is the common UNIX system temp directory (typically /tmp).
Security Implications
This setting specifies where session files are saved when the default (files) session handler is used. The directory must be outside the document root, and should be readable and writable only by the web server user, so that other users on the system cannot inspect your users' sessions. The system temp directory is a poor choice: it is listable by every local user, and the file names there (sess_<session id>) expose the session IDs themselves.
This setting should be unique per virtual host when the virtual hosts are controlled by different entities (such as a shared hosting situation), to prevent sites from reading each other's sessions.
Recommendations
Set save_path to a directory that is:
- outside the document root of your web site
- not readable or writable by any other system users (owned by the web server user, mode 0700)
- not the shared system temp directory
You can set save_path in the php.ini file:
; Set save_path to a safe location
session.save_path = /var/www/foo.bar/sessions
The setting can also be applied in Apache's httpd.conf file, or in an .htaccess file (php_value is only honoured under mod_php, and in .htaccess only where AllowOverride Options or All is in effect; under PHP-FPM use php_value[session.save_path] in the pool configuration instead):
# Set save_path to a safe location
php_value session.save_path /var/www/foo.bar/sessions
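The following shell script is an added example, not part of PhpSecInfo: it performs the same audit as this test (group/other permission bits, system temp directory), adds the document-root check from the recommendations, and creates a hardened directory. It assumes a POSIX sh, that "ls -ld" prints the usual "drwx------" mode string, and that the owner you pass to create_save_path (for example www-data) is the user the web server runs as; the docroot path in the usage line is hypothetical.

```shell
#!/bin/sh
# Added example, not PhpSecInfo's own code: audit and create a session.save_path.
# Assumptions: POSIX sh; "ls -ld" output starts with a 10-character mode string;
# the web server runs as the OWNER handed to create_save_path (e.g. www-data).

# check_save_path SAVE_PATH [DOCROOT]
# Prints the first problem found and returns 1; returns 0 when the path is safe.
# SAVE_PATH may be the raw ini value, including the "N;/path" and "N;mode;/path"
# forms the files handler accepts; only the final path component is examined.
check_save_path() {
    dir=${1##*;}
    docroot=$2
    tmpdir=${TMPDIR:-/tmp}

    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }

    # The shared temp directory is listable by every local user.
    case "$dir" in
        "$tmpdir"|"$tmpdir"/) echo "$dir: is the system temp directory"; return 1 ;;
    esac

    # Session files must never be served by the web server.
    if [ -n "$docroot" ]; then
        case "$dir" in
            "$docroot"|"$docroot"/*) echo "$dir: inside document root $docroot"; return 1 ;;
        esac
    fi

    # Columns 1-10 of "ls -ld" are the type and mode, e.g. "drwx------".
    # Columns 5-10 are the group and other bits; any bit set there lets another
    # local user list, read or replace session files.
    mode=$(ls -ld "$dir" | cut -c1-10)
    case "$mode" in
        d*) ;;
        *) echo "$dir: is a symlink, not a directory ($mode)"; return 1 ;;
    esac
    others=$(printf '%s\n' "$mode" | cut -c5-10)
    [ "$others" = "------" ] || { echo "$dir: group/other bits set ($mode)"; return 1; }

    return 0
}

# create_save_path DIR [OWNER]
# Creates DIR with mode 0700. When OWNER is given (requires root) the directory
# is handed to that user; without it the directory belongs to whoever ran the
# script, which is only right if that is the web server user.
create_save_path() {
    dir=$1
    owner=$2
    mkdir -p "$dir" || return 1
    chmod 0700 "$dir" || return 1
    if [ -n "$owner" ]; then
        chown "$owner" "$dir" || return 1
    fi
    check_save_path "$dir"
}

# Command-line usage (hypothetical docroot):
#   sh save_path.sh "$(php -r 'echo ini_get("session.save_path");')" /var/www/foo.bar/htdocs
if [ "$#" -ge 1 ]; then
    check_save_path "$@" && echo "$1: ok"
fi
```

Run the check against the value PHP actually sees (ini_get, as in the usage line) rather than against php.ini alone, because an .htaccess or pool override may point somewhere else. The group bits are treated as strictly as the other bits: on a shared host the web server's group usually contains every other customer's site as well.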