Maugrim_The_Reaper wrote:
Quote:
Here is the thing, it serves absolutely no security service like it was intended. All the session handler the game does, in this instance, is move the session information from files stored in the tmp directory on the server to a database table and storing the serialized and encrypted data. A person would have to have root access to the server or have hacked the server to get to the information in the tmp directory where the session files are normally stored.
And if they have hacked the server to get to that information they can just as easily pull the data from the database session table and decrypt it on the server.
Even though the session data is stored in the database tables in an encrypted format it is NOT encrypted in the session variables used by PHP. So the only real security is in storing it on the hard drive and that information
That is so not true - a 6 year old on quite a few hosts can access the /tmp directory with ease. I think it just might have something to with the fact that /tmp is not exactly something you need to be root in order to access. Now I might be wrong - perhaps there's a mutant Linux or Unix version in existence which blocks users from accessing /tmp unless they are root.
This is true anyone can access the directory but the files in that directory can only be accessed bu the users or groups that have been assigned to those files. Exactly the same way as any other file on the server. Just because the directory is shared doesn't mean that the files assume the directories attributes. That does not happen in the tmp directory for the session files.
Maugrim_The_Reaper wrote:
I note that "shared" hosts typically means many users "share" the same server. Surely that should at the very least offer a clue as to just how essential it is to realise /tmp stored sessions are only as secure as the morals of the users sharing a server with you...
Actually that is not true. If you have shared hosts on the same box then each host will have different user id for accessing the session data. Also, if a user is able to FTP in and access the session data for any of the shared hosts then the server is WIDE open to that user. Actually the server would have to be specifically configured to allow that to happen.
Maugrim_The_Reaper wrote:
Storing on a database is a highly secure method of managing sessions. You seem to neglect the fact that a decent session handler should have a GC running - so its not like the DB sessions are staying around forever. It's also the only method I can think of for decent load management between servers while maintaining SESSION data...
Actually Garbage Collection is running even on data stored in the temp directory by the default session handler. It is no different from using a database session handler. The data is expunged after a set period of time. Actually, it does not help with load management at all. There is far more overhead using a database managed session handler than the default one. The only ADVANTAGE for using a database managed session handler is to allow a user to access multiple sites on the server using the same session id. Otherwise a different session id would be created for each site.
Maugrim_The_Reaper wrote:
Again - /tmp file sessions do not require a server hacking nor root access in order to be misused. If a host is disabling a session handler for some extremely odd reason I would find it one really suspicious action on their part... I suppose it is possible the problem is less with handlers and more with ADODB's implementation (or even how NGS included them). Why a host would have issues with storing a session to DB is beyond me...
Actually they do need root access or the same access that has been assigned to the files by the orginator of the files. Some hosts will not allow the session handler to be changed from what they allow. Kind of like how some companies will not allow the use of cron tasks for security reasons. They like to keep control over those things on their end.
I think everyone who has ever had a login loop problem with other forks of the game will find that it is usually caused by changing the session handler to use a database.
Maugrim_The_Reaper wrote:
Sorry for the ramble - but not everyone is restricted (or fortunate depending) to have a dedicated server. The rest of us either use shared hosting or have multiple servers in need of load balancing... That means we NEED the session handler and its removal only leaves us with the option of hacking it back.
Actually, you do not need the session handler and the game never has needed it. It is unneeded overhead. If you think that most shared hosting servers are that vulnerable then they should be having massive problems with hackers and that would cause alot of news stories about it. If the built in session handler was as insecure as you are claiming then there would be massive security problems being reported all of the time on most news sites.
Also, if a person has FTP access that allows them to read the session files that are stored in the tmp directory then they can install a SIMPLE PHP program on the site that will pull out all session data from the database in decoded form. They would get a nice list of all the variables and the data that was stored in the database. Just install the program under an innocuous name in the web folder and call it on a regular bases to dump and unencrypt the stored session data.
Honestly, if you look at it from a HACKERS point of view storing the information in a database file in an encoded form is far less secure. Especially when using the ADOdb session handler as all the code that is needed to unencode the data and dump it is right there. A generic program can be created that could be installed on ANY server using ADOdb's session handler and dump the completely unencoded session data at any time.