
Policy for web apps session storage?



Hi.
I've stumbled upon recent discussions about session files storage in two
different contexts recently:
* recently found vulnerabilities by Dmitry E. Oboukhov in twiki (to be
confirmed [0]) (perl + CGI::Session)
* some session handling in phpgroupware (php5 sessions)
I guess there are at least 2 kinds of security issues here:
* creation of session files in a safe directory of (somehow) temporary
files (at least as long as the web app session is meant to remain
active).
* proper purge of these files not to fill up the disk (web apps may be
exposed, so remote DoS by creating lots of sessions, etc.)
We recently asked on php maintainers list [1] for policy concerning
these session files handling without definitive answers (for Debian
policy), but to check /usr/share/doc/php5-common/README.Debian.gz ,
which states :
 Session storage
 ---------------
 
 Session files are stored in /var/lib/php5. For security purposes, this
 directory is unreadable by non-root users. This means that php5 running
 from apache2, for example, will not be able to clean up stale session
 files. Instead, we have a cron job run every 30 mins that cleans up
 stale session files; /etc/cron.d/php5. You may need to modify how
 often this runs, if you've modified session.gc_maxlifetime in your
 php.ini; otherwise, it may be too lax or overly aggressive in cleaning
 out stale session files. 
 
 Andres Salomon <dilinger@debian.org>  2004-09-03 03:12:54 -0400
For perl and CGI::Session, I don't know if there are similar guidelines.
With current reflection on use of /tmp, I thought I should raise the
issue of such a web app session files management policy in Debian (or at
least best practice suggestions).
Thanks in advance.
Best regards,
[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494648
[1] http://lists.alioth.debian.org/pipermail/pkg-php-maint/2008-May/003969.html
-- 
Olivier BERGER <olivier.berger@it-sudparis.eu>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
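The purge described in the quoted README (a root cron job deleting session files older than session.gc_maxlifetime from a directory the web-server user cannot read), as an added POSIX shell sketch that is not Debian's own /etc/cron.d/php5 job; the php.ini path, session directory and sess_* file-name pattern are assumptions for the example.

```shell
#!/bin/sh
# Added example modelled on the README text above; NOT Debian's own
# /etc/cron.d/php5 job, whose contents are not reproduced on this page.
# Assumptions (constructed for this example): php.ini lives at
# /etc/php5/apache2/php.ini, sessions in /var/lib/php5, file names sess_*.

# Read session.gc_maxlifetime (seconds) from a php.ini; uncommented
# settings only, last one wins. Falls back to PHP's default of 1440 s.
gc_maxlifetime() {
    ini="${1:-/etc/php5/apache2/php.ini}"
    v=""
    if [ -r "$ini" ]; then
        v=$(sed -n 's/^[[:space:]]*session\.gc_maxlifetime[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$ini" | tail -n 1)
    fi
    [ -n "$v" ] || v=1440
    echo "$v"
}

# Seconds -> whole minutes for find(1), rounded up so a session is never
# purged before its lifetime has actually elapsed.
lifetime_minutes() {
    echo $(( ($1 + 59) / 60 ))
}

# Remove session files not modified for longer than the lifetime. Must run
# as root (e.g. from cron), since the directory is unreadable by the
# web-server user. -mmin is used because PHP rewrites the file on each
# request, so mtime reflects the last activity.
purge_sessions() {
    dir="$1"
    mins="$2"
    [ -d "$dir" ] || return 1
    find "$dir" -type f -name 'sess_*' -mmin "+$mins" -delete
}

# Glue for a cron entry: read the lifetime from php.ini and purge.
purge_php5_sessions() {
    purge_sessions "${1:-/var/lib/php5}" \
        "$(lifetime_minutes "$(gc_maxlifetime "$2")")"
}
```

Scheduling this more often than gc_maxlifetime keeps the purge from being too lax, which is the mismatch the README warns about when php.ini is changed without adjusting the cron interval.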
