xphp, posted September 6, 2019:
I have a PHP page that offers various information from a single text file. This text file is encrypted on the server HD. Upon initial entry into the page, the user enters an encryption/decryption KEY and the encrypted file is decrypted to clear text, and it is available for viewing. I have some parameters that I store in PHP session variables. I do this since various subsequent actions by the user will require these parameters. The code is written and the whole process seems to work well. Since the info in these session variables is sensitive, I need to understand WHERE they are stored. I know that it is a file on the HD, but after hours of reading the PHP Manual on sessions, I am not finding where (HD directory) that storage is. I have a typical shared hosting account for my web site. Mostly, what I want to discover is: are the session variables in my user/file hierarchy, or are they stored in a system area where PHP is installed? Whew. Sorry this was so long. Thank you, xphp
kicken, posted September 6, 2019:
If you're just using the default files setting, it's controlled by the session.save_path setting. You can check what this is by creating a page that calls phpinfo() and loading it up in your browser. You could implement a session handler that stores the session data into a database instead, which could offer a little more control over the data access. However, if the different sites on the host all execute scripts as the same user, then other users could still access your session data. Privacy and shared hosting are generally incompatible. If keeping the information protected is important, you should invest in some non-shared hosting such as a VPS or dedicated server.
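A database-backed session handler of the kind described above, which additionally encrypts each record before it is written, as an added example that is not part of the thread or any poster's code (PHP 8 with the bundled sodium extension; the SQLite path and the SESSION_KEY environment variable are assumptions):

```php
<?php
// Added example (not from the thread): session records live in an SQLite file under
// your own account and are encrypted with libsodium before being written, so the
// cleartext is never on disk. The DB path and SESSION_KEY env variable are assumptions.
final class EncryptedDbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private string $key; // 32-byte secretbox key, kept only in process memory

    public function __construct(string $dbPath, string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('key must be exactly 32 bytes');
        }
        $this->key = $key;
        $this->db = new PDO('sqlite:' . $dbPath, null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $this->db->exec('CREATE TABLE IF NOT EXISTS sessions (id TEXT PRIMARY KEY, data TEXT NOT NULL, expires INTEGER NOT NULL)');
    }
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        $row = $st->fetchColumn();
        // Stored layout: base64(nonce || secretbox ciphertext, which carries its own MAC)
        $blob = $row === false ? false : base64_decode($row, true);
        if ($blob === false || strlen($blob) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
            return ''; // unknown, expired or corrupt record: PHP expects an empty string here
        }
        $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open(substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $this->key);
        return $plain === false ? '' : $plain; // tampered record or wrong key: treat as no session
    }
    public function write(string $id, string $data): bool
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh nonce on every write
        $blob = base64_encode($nonce . sodium_crypto_secretbox($data, $nonce, $this->key));
        $expires = time() + (int) ini_get('session.gc_maxlifetime');
        return $this->db->prepare('REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)')->execute([$id, $blob, $expires]);
    }
    public function destroy(string $id): bool { return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]); }
    public function gc(int $max_lifetime): int|false { return $this->db->exec('DELETE FROM sessions WHERE expires <= ' . time()); }
}
// Register before session_start(); the key comes from the environment rather than a web-readable file.
session_set_save_handler(new EncryptedDbSessionHandler('/home/youruser/private/sessions.sqlite', base64_decode(getenv('SESSION_KEY'))), true);
session_start();
```

Where the key itself lives remains the open question the later replies take up; reading it from the environment only helps if other tenants on the host cannot read that environment.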
xphp (author), posted September 6, 2019:
Thanks Kicken, very helpful. I may encrypt the info in the session variables before storing them. I have to come up with a strategy for how to hold/store/handle the key. At the end of the day, I want to make some effort to protect against a malicious person who somehow gets access to my site, FTP or otherwise. I have been building websites since 1998 and only once has someone used an old Open Software install (that I had forgotten about) that had a vulnerability and seriously run amok throughout my site. I was so traumatized by that that I slowly removed all Open Source / CRM items, like Wordpress, and everything is now 100% my code. Hey, thanks again. Look for BTC tomorrow - wallet not on the air right now. Wanted to IM you but did not see how to do that. All the best, xphp
kicken, posted September 6, 2019:
2 hours ago, xphp said: I have to come up with a strategy for how to hold/store/handle the key.
That's the fundamental issue, and very problematic with any shared hosting solution. With shared hosting, the only real option is to store it in a file somewhere, and like with the sessions, if they run everyone's code under the same account then anyone with a site on that server could read that file and get your key. PHP running scripts under the same account was common back in the day when I used the occasional host, but it may not be anymore. You'd want to check with your hosting provider. If they do run your scripts under a unique account, and you're not overly paranoid, you could possibly get by. With a VPS you can still store the key in a file for convenience, but since no one else is sharing the server you don't have to worry about someone getting in that way. Your worry here is from faults in the software you run that may allow someone to access the server, and that's pretty much a worry you'll have no matter what you do. Just keep things updated and audit your code to find problems. The more ideal solution is to require the key to be entered any time the system is started, allowing the key to be stored only in the memory of the system and nowhere on disk. Someone would have to be able to gain access to the system memory without causing a reboot to get your key at that point, which is harder to do. This kind of setup could be done with a VPS or dedicated server. If you're really paranoid, a dedicated server is best, as a VPS could technically be paused and have a snapshot taken which would then contain your key. That comes down to trusting your hosting provider.
Rendimo, posted September 20, 2019:
Are there any ways to provide safety here and make the system more secure?
gizmola, posted September 22, 2019:
On 9/20/2019 at 10:58 AM, Rendimo said: Are there any ways to provide safety here and make the system more secure?
Can you be more specific?
chhorn, posted September 23, 2019:
On 9/20/2019 at 7:58 PM, Rendimo said: Are there any ways to provide safety here and make the system more secure?
Store the session somewhere you have exclusive control of. Solutions are already mentioned here.