How to prevent PHP sessions being shared between different Apache vhosts?


Problem description

How to prevent PHP sessions from being shared between different Apache vhosts?

I've set up different vhosts on an Apache 2.2 and everything works perfectly, until I realized that the PHP sessions are shared by default.

Recommended answer

Edit: this is also the reason why you should ALWAYS set your session_save_path or use database session handling if you are on a shared web hosting. Somebody can create a session id and chmod it to 777 and use that session id on your site to bypass logins or get more privileges.

This works because PHP doesn't enforce which session IDs belong to which site. I know this because I've analysed the C/C++ source code behind sessions in PHP, and because I wondered how this could be possible. So never put too much trust in the $_SESSION array being safe on shared web hosting, and you can't safely use this value in a SQL query.

Some code (file session.c) in PHP from the C function php_session_start(); yes, this function is called when you call session_start() from PHP (and the only check I saw was in these lines of code):

/* Check whether the current request was referred to by
 * an external site which invalidates the previously found id. */

if (PS(id) &&
        PS(extern_referer_chk)[0] != '\0' &&
        PG(http_globals)[TRACK_VARS_SERVER] &&
        zend_hash_find(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]), "HTTP_REFERER", sizeof("HTTP_REFERER"), (void **) &data) == SUCCESS &&
        Z_TYPE_PP(data) == IS_STRING &&
        Z_STRLEN_PP(data) != 0 &&
        strstr(Z_STRVAL_PP(data), PS(extern_referer_chk)) == NULL
) {
    efree(PS(id));
    PS(id) = NULL;
    PS(send_cookie) = 1;
    if (PS(use_trans_sid) && !PS(use_only_cookies)) {
        PS(apply_trans_sid) = 1;
    }
}

The only check is the HTTP header "HTTP_REFERER", but we all know it can be faked, so this is "security through obscurity". The only safe method is to use session_save_path or use a database session handler.

To set session_save_path in the php.ini, you should find more information here http://php.net/manual/en/session.configuration.php.

Or, if PHP is running as an Apache module, you can configure it in the .htaccess file of the vhost container:

php_value session.save_path "path"

Or even better, a PHPINIDir per vhost:

<VirtualHost ip>
[...]
PHPINIDir /var/www/...
[...]
</VirtualHost>

UPDATE [Panique]:

I'm just adding the full solution to this answer, as this might help other people too. A sample full vhost setup:

<VirtualHost *:81>
    DocumentRoot /var/www/xxx1
    <Directory "/var/www/xxx1">
        AllowOverride All
        php_value session.save_path "/var/mysessionforproject_1"
    </Directory>
</VirtualHost>

<VirtualHost *:82>
    DocumentRoot /var/www/xxx2
    <Directory "/var/www/xxx2">
        AllowOverride All
        php_value session.save_path "/var/mysessionforproject_2"
    </Directory>
</VirtualHost>
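As an added defender-side check (not part of the original answer), here is a small Python audit that parses Apache VirtualHost blocks and reports vhosts that set no session.save_path, or that share one with another vhost and would therefore still share a session store. The configuration text is constructed to mirror the answer's setup, and the parser is deliberately simple: it only reads php_value / php_admin_value lines inside each VirtualHost and keys vhosts by their address spec.

```python
import re
from collections import defaultdict

# Constructed sample: the two vhosts from the answer, one that sets no
# save_path at all, and one that reuses a path already taken.
# Address specs are distinct here, so they serve as the vhost key.
SAMPLE_CONF = """
<VirtualHost *:81>
    DocumentRoot /var/www/xxx1
    php_value session.save_path "/var/mysessionforproject_1"
</VirtualHost>
<VirtualHost *:82>
    DocumentRoot /var/www/xxx2
    php_admin_value session.save_path "/var/mysessionforproject_2"
</VirtualHost>
<VirtualHost *:83>
    DocumentRoot /var/www/xxx3
</VirtualHost>
<VirtualHost *:84>
    DocumentRoot /var/www/xxx4
    php_value session.save_path "/var/mysessionforproject_1"
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
# php_admin_value sets the same option; it just cannot be overridden from .htaccess.
SAVE_PATH_RE = re.compile(
    r'^\s*php_(?:admin_)?value\s+session\.save_path\s+"?([^"\s]+)"?', re.M | re.I)

def session_paths(conf):
    """Map each VirtualHost address spec to its session.save_path (None if unset)."""
    paths = {}
    for m in VHOST_RE.finditer(conf):
        addr, body = m.group(1).strip(), m.group(2)
        found = SAVE_PATH_RE.search(body)
        paths[addr] = found.group(1) if found else None
    return paths

def audit(conf):
    """Return (vhosts with no save_path, {path: [vhosts]} for every shared path)."""
    paths = session_paths(conf)
    # No save_path means the vhost falls back to the global php.ini path.
    missing = sorted(a for a, p in paths.items() if p is None)
    by_path = defaultdict(list)
    for addr, p in paths.items():
        if p is not None:
            by_path[p].append(addr)
    shared = {p: sorted(v) for p, v in by_path.items() if len(v) > 1}
    return missing, shared

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A vhost listed as missing falls back to the global php.ini save path, which is exactly the shared-store situation the question describes.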
