Page MenuHomeDevCentral

Create individual PHP session directories per php-fpm user
ClosedPublic

Authored by dereckson on Mar 23 2018, 19:25.
Tags
None
Referenced Files
F3765006: D1486.id3804.diff
Fri, Nov 22, 09:50
F3764979: D1486.id3805.diff
Fri, Nov 22, 09:41
F3764837: D1486.id3806.diff
Fri, Nov 22, 08:43
F3764301: D1486.diff
Fri, Nov 22, 05:00
F3764053: D1486.diff
Fri, Nov 22, 04:02
Unknown Object (File)
Mon, Nov 18, 10:06
Unknown Object (File)
Mon, Nov 18, 09:45
Unknown Object (File)
Thu, Nov 14, 19:29
Subscribers
None

Details

Summary

To improve security for applications not using a custom session
handler, it's better to isolate sessions in a directory only
readable by the current php-fpm pool username.

As such, a security issue with one site allowing to browse files
won't allow to hijack sessions on a site served by another php-fpm pool.

Meanwhile, we reset to the default value in php.ini to allow quick tests
with php -S internal server on development servers.

Ref T417.

Test Plan

Test with www.dereckson.be

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

dereckson created this revision.
dereckson accepted this revision.
This revision is now accepted and ready to land.Mar 23 2018, 20:37
This revision was automatically updated to reflect the committed changes.