MRatWork Forum by Mustafa Ramadhan

Sawo Project - Kloxo-MR Discussions => Kloxo-MR Development => Topic started by: chrisf on 2014-07-19, 00:42:49

Title: php session, per user, home directory
Post by: chrisf on 2014-07-19, 00:42:49
Mustafa,

After a security audit of one of our production servers I was informed of the GREAT potential of session hijacking by having all users' session dirs sent to one dir.

It would be easy with the php-fpm setup to point the session dir to /home/{user}/session and add this directory to the skeleton or add its creation during new user creation.

I would consider this; it makes php even more secure and separate for each user.
Title: Re: php session, per user, home directory
Post by: chrisf on 2014-07-28, 01:17:15
Have you considered this Mustafa?
Title: Re: php session, per user, home directory
Post by: MRatWork on 2014-07-28, 05:29:08
Session inside /home/httpd/<user>. Need to update the php config for every user in the panel.
Title: Re: php session, per user, home directory
Post by: chrisf on 2014-07-28, 23:28:03
I have the latest 6.5.1b and ran cleanup. No change for session for php.
Title: Re: php session, per user, home directory
Post by: MRatWork on 2014-07-29, 07:51:38
Go to 'Advanced php configure' in every client and then click 'update'.
Title: Re: php session, per user, home directory
Post by: chrisf on 2014-07-30, 04:14:21
Every client? What? Why does fixphp not do this?
Title: Re: php session, per user, home directory
Post by: MRatWork on 2014-07-30, 08:44:41
Because each client (user in php context) has their own php config.
Title: Re: php session, per user, home directory
Post by: chrisf on 2014-08-04, 06:49:53
Updating in php advanced per client doesn't change anything. There appears to be no change to anything at all.
Title: Re: php session, per user, home directory
Post by: chrisf on 2014-08-04, 07:50:29
Mustafa, this is easiest way to implement this feature.

In php53-fpm-pool.conf.tpl you have two of the same lines:
Code:
php_admin_value[session.save_path] = <?php echo $session_save_path_flag?>

Remove the first one, then change:
Code:
php_admin_value[max_input_vars] = <?php echo $max_input_vars_flag?>

php_admin_value[session.save_path] = <?php echo $session_save_path_flag; ?>

change to:
Code:
php_admin_value[max_input_vars] = <?php echo $max_input_vars_flag;

// Create the per-user session directory the first time this pool file is
// rendered, then hand it to the pool's own user.
if (!file_exists("/home/{$user}/php_session")) {
    // 0700: other panel users must not be able to list the sess_* files,
    // since those file names are the session IDs.
    mkdir("/home/{$user}/php_session", 0700);
    // escapeshellarg() keeps the user name and path from being parsed by the shell.
    shell_exec("/bin/chown " . escapeshellarg("{$user}:{$user}") . " " . escapeshellarg("/home/{$user}/php_session"));
}
?>

php_admin_value[session.save_path] = /home/<?=$user;?>/php_session

Perfect! Now fixphp creates php_session in the /home/{user} directory, changes ownership properly, and sets session.save_path correctly.

HOW EASY IS THAT?
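Whether the rendered pool files actually ended up with a private per-user session.save_path is something worth checking on the live box rather than assuming. The following POSIX shell audit script is an added example, not code from this thread or from Kloxo-MR. It assumes one pool file per user in a directory (the pool directory path, the `user = ...` line and the `php_admin_value[session.save_path] = ...` line match the php53-fpm-pool.conf.tpl lines quoted above; the pool file names used in the comments are made up), and it flags a pool whose save_path is missing, is a system-wide session directory, does not exist, is not owned by the pool user, is group/other accessible, or is shared with another pool.

```shell
#!/bin/sh
# Audit php-fpm pool files for private, per-user session directories.
# Added example, not Kloxo-MR code. Assumed pool file layout:
#   user = alice
#   php_admin_value[session.save_path] = /home/alice/php_session

# pool_user FILE -> value of the pool's "user = ..." line
pool_user() {
    sed -n 's/^[[:space:]]*user[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# pool_save_path FILE -> value of the pool's session.save_path line (empty if absent)
pool_save_path() {
    sed -n 's/^[[:space:]]*php_admin_value\[session\.save_path\][[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# check_session_dir USER PATH -> prints a reason and returns 1 on the first failed
# check; prints nothing and returns 0 when the directory is private to USER.
check_session_dir() {
    user=$1; path=$2
    [ -n "$user" ] || { echo "pool has no user"; return 1; }
    [ -n "$path" ] || { echo "no session.save_path, pool inherits the shared php.ini default"; return 1; }
    case $path in
        /tmp|/var/tmp|/var/lib/php/session|/var/lib/php/sessions|/var/lib/php5)
            echo "save_path $path is a system-wide session directory"; return 1;;
    esac
    [ -d "$path" ] || { echo "save_path $path does not exist"; return 1; }
    # ls -ld prints "drwx------ 2 alice alice ...": column 3 is the owner,
    # characters 5-10 are the group and other permission bits.
    owner=$(ls -ld "$path" | awk '{print $3}')
    [ "$owner" = "$user" ] || { echo "save_path $path is owned by $owner, not $user"; return 1; }
    bits=$(ls -ld "$path" | cut -c5-10)
    [ "$bits" = "------" ] || { echo "save_path $path is group/other accessible ($bits)"; return 1; }
    return 0
}

# audit_session_paths POOL_DIR -> one line per pool file, "<name> OK" or
# "<name> FAIL <reason>"; exit status 0 only when every pool passes.
audit_session_paths() {
    dir=$1; rc=0
    # save_paths that occur in more than one pool file (two users sharing a dir)
    dups=$(for f in "$dir"/*.conf; do [ -e "$f" ] && pool_save_path "$f"; done | sort | uniq -d)
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        name=$(basename "$f" .conf)
        user=$(pool_user "$f")
        path=$(pool_save_path "$f")
        if reason=$(check_session_dir "$user" "$path"); then
            if [ -n "$dups" ] && printf '%s\n' "$dups" | grep -Fxq -- "$path"; then
                echo "$name FAIL save_path $path is shared with another pool"; rc=1
            else
                echo "$name OK"
            fi
        else
            echo "$name FAIL $reason"; rc=1
        fi
    done
    return $rc
}

# Stand-alone usage: sh audit_sessions.sh /path/to/php-fpm/pool.d
# (the pool directory differs per distribution and panel; pass your own)
if [ -n "${1:-}" ]; then
    audit_session_paths "$1"
fi
```

Run it as root after "Advanced php configure" -> update so it can read every pool file; a pool reported as inheriting the php.ini default is exactly the shared-directory situation the original post describes, and two pools reported as sharing a save_path means the template rendered the same directory for both users.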
Title: Re: php session, per user, home directory
Post by: chrisf on 2014-08-05, 03:29:05
What do you think?