
Author Topic: php session, per user, home directory  (Read 6501 times)


Offline chrisf

php session, per user, home directory
« on: 2014-07-19, 00:42:49 »
Mustafa,

After a security audit of one of our production servers, I was informed of the GREAT potential of session hijacking by having all users' session dir sent to one dir.

It would be easy with the php-fpm setup to point the session dir to /home/{user}/session and add this directory to the skeleton or add its creation during new user creation.

I would consider this, it makes php even more secure and separate from each user.
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline chrisf

Re: php session, per user, home directory
« Reply #1 on: 2014-07-28, 01:17:15 »
Have you considered this, Mustafa?

Offline MRatWork

Re: php session, per user, home directory
« Reply #2 on: 2014-07-28, 05:29:08 »
Session inside /home/httpd/<user>. Need to update php config for every user in panel.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline chrisf

Re: php session, per user, home directory
« Reply #3 on: 2014-07-28, 23:28:03 »
I have latest 6.5.1b and run cleanup.  No change for session for php.

Offline MRatWork

Re: php session, per user, home directory
« Reply #4 on: 2014-07-29, 07:51:38 »
Go to 'Advanced php configure' in every client and then click 'update'.

Offline chrisf

Re: php session, per user, home directory
« Reply #5 on: 2014-07-30, 04:14:21 »
Every client?  What?  Why does fixphp not do this?

Offline MRatWork

Re: php session, per user, home directory
« Reply #6 on: 2014-07-30, 08:44:41 »
Because each client (user in php context) has their php config.

Offline chrisf

Re: php session, per user, home directory
« Reply #7 on: 2014-08-04, 06:49:53 »
Updating in php advanced per client doesn't change anything.  There appears to be no change to anything at all.

Offline chrisf

Re: php session, per user, home directory
« Reply #8 on: 2014-08-04, 07:50:29 »
Mustafa, this is the easiest way to implement this feature.

In php53-fpm-pool.conf.tpl you have 2 of the same lines:
Code:
php_admin_value[session.save_path] = <?php echo $session_save_path_flag?>

Remove the first one, then change:
Code:
php_admin_value[max_input_vars] = <?php echo $max_input_vars_flag?>

php_admin_value[session.save_path] = <?php echo $session_save_path_flag?>

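change to:
Code:
php_admin_value[max_input_vars] = <?php echo $max_input_vars_flag;

// Create the per-user session directory the first time fixphp runs for this user.
if (!file_exists("/home/{$user}/php_session")) {
    // 0700: only the owner may list or read the session files
    mkdir("/home/{$user}/php_session", 0700);
    // The directory is created by the panel process, so hand it to the pool user.
    shell_exec("/bin/chown {$user}:{$user} /home/{$user}/php_session");
}

?>

php_admin_value[session.save_path] = /home/<?php echo $user; ?>/php_session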

Perfect!  Now fixphp creates php_session in /home/{user} directory, changes ownership properly, and sets session.save_path correctly.

HOW EASY IS THAT?
« Last Edit: 2014-08-04, 07:52:53 by chrisf »
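An added example, not part of the original posts and not Kloxo-MR code: a small audit over php-fpm pool files that flags pools whose session.save_path is missing, set more than once (as the template above does), overridable by scripts, outside the pool user's home, or shared between users. The pool contents, file names and the audit_pools helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample pool configs (not taken from the thread or from Kloxo-MR).
SAMPLE_POOLS = {
    "alice.conf": "[alice]\nuser = alice\n"
                  "php_admin_value[session.save_path] = /home/alice/php_session\n",
    "bob.conf":   "[bob]\nuser = bob\n"
                  "php_admin_value[session.save_path] = /var/lib/php/session\n",
    "carol.conf": "[carol]\nuser = carol\n"
                  "php_admin_value[session.save_path] = /var/lib/php/session\n"
                  "php_admin_value[session.save_path] = /var/lib/php/session\n",
    "dave.conf":  "[dave]\nuser = dave\n"
                  "php_value[session.save_path] = /home/dave/php_session\n",
}

USER_RE = re.compile(r"^\s*user\s*=\s*(\S+)", re.M)
PATH_RE = re.compile(
    r"^\s*(php_(?:admin_)?value)\[session\.save_path\]\s*=\s*(\S+)", re.M)


def audit_pools(pools, home_root="/home"):
    """Return {pool file: [findings]}; an empty list means the pool looks isolated."""
    findings = {name: [] for name in pools}
    users_by_path = defaultdict(set)
    for name, text in pools.items():
        user_match = USER_RE.search(text)
        user = user_match.group(1) if user_match else None
        settings = PATH_RE.findall(text)
        if not settings:
            findings[name].append("no session.save_path: falls back to the global value")
            continue
        if len(settings) > 1:
            findings[name].append("session.save_path set more than once")
        # Check every distinct occurrence rather than guessing which line wins.
        for kind, path in dict.fromkeys(settings):
            if kind != "php_admin_value":
                findings[name].append("php_value can be overridden by ini_set()")
            if user is None or not path.startswith(f"{home_root}/{user}/"):
                findings[name].append(f"{path} is not under the pool user's home")
            users_by_path[path].add((name, user))
    # A path used by pools running as different users is the shared-directory case.
    for path, owners in users_by_path.items():
        if len({u for _, u in owners}) > 1:
            for name, _ in sorted(owners):
                findings[name].append(f"{path} is shared with another pool user")
    return findings


if __name__ == "__main__":
    for pool, issues in audit_pools(SAMPLE_POOLS).items():
        print(pool, "OK" if not issues else issues)
```

The check only reads configuration text; ownership and mode (0700) of each directory on disk still need to be verified separately.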

Offline chrisf

Re: php session, per user, home directory
« Reply #9 on: 2014-08-05, 03:29:05 »
What do you think?