Create individual PHP session directories per php-fpm user
Status: Closed, Public

Authored by dereckson on Mar 23 2018, 19:25.
Tags: None
Referenced Files:
  F3765006: D1486.id3804.diff (Fri, Nov 22, 09:50)
  F3764979: D1486.id3805.diff (Fri, Nov 22, 09:41)
  F3764837: D1486.id3806.diff (Fri, Nov 22, 08:43)
  F3764301: D1486.diff (Fri, Nov 22, 05:00)
  F3764053: D1486.diff (Fri, Nov 22, 04:02)
Subscribers: None

Details

Summary

To improve security for applications not using a custom session
handler, it's better to isolate sessions in a directory only
readable by the current php-fpm pool username.

As such, a security issue with one site that allows browsing files
won't allow hijacking sessions on a site served by another php-fpm pool.

Meanwhile, we reset to the default value in php.ini to allow quick tests
with the php -S internal server on development servers.

Ref T417.

Test Plan

Test with www.dereckson.be

Diff Detail

Repository: rOPS Nasqueron Operations
Lint: Lint Passed
Unit: No Test Coverage
Branch: php-individual-session-dirs (branched from master)
Build Status: Buildable 2342; Build 2590: arc lint + arc unit

Event Timeline

dereckson created this revision.
dereckson accepted this revision.
This revision is now accepted and ready to land. (Mar 23 2018, 20:37)
This revision was automatically updated to reflect the committed changes.