Jump to content

Where are PHP session variables stored?

Recommended Posts

I have a PHP page that offers various information from a single text file. This text file is

encrypted on the server HD.

Upon initial entry into the page, the user enters an encryption/decryption KEY and the

encrypted file is decrypted to clear text and it is available for viewing.

I have some parameters that I store in PHP session variables. I do this since various

subsequent actions by the user will require these parameters. The code is written and the whole process seems to

work well.

Since the info in these session variables is sensitive, I need to understand WHERE they are

stored. I know that it is a file on the HD, but after hours of reading the PHP Manual on

sessions, I am not finding where (HD directory) that storage is.

I have a typical shared hosting account for my web site. Mostly I want to discover is, are

the session variables in y User/file hierarchy, or are they stored in a system area where

the PHP is installed.

Whew. Sorry this was so long.

Thank you,

Share this post

Link to post
Share on other sites

If you're just using the default files setting, it's controlled by the session.save_path setting.  You can check what this is by creating a page that calls phpinfo() and loading it up in your browser.  You could implement a session handler that stores the session data into a database instead which could offer a little more control over the data access.

However, if the different sites on the host all execute scripts as the same user then other users could still access your session data.  Privacy and shared hosting are generally incompatible.  If keeping the information protected is important, you should invest in some non-shared hosting such as a VPS or dedicated server.

Share this post

Link to post
Share on other sites

Thanks Kicken,

Very helpful.

I may encrypt the info in the session variable before storing them.

I have to come up with a strategy for how to hold/store/handle the key.

At the end of the day, I want to make some effort to protect against a malicious person who somehow gets access to my site, FTP or otherwise.

I have been building website since 1998 and only once someone used an old Open Software install (that I had forgotten about) that had a vulnerability and seriously ran amok throughout my site. I was so traumatized by that that I slowly removed all Open Source / CRM items, like Wordpress and everything is now  100% my code.

Hey thanks again.

Look for BTC tomorrow - wallet not on the air right now.

Wanted to IM you but did not see how to do that.

All the best,



Share this post

Link to post
Share on other sites
2 hours ago, xphp said:

I have to come up with a strategy for how to hold/store/handle the key.

That's the fundamental issue, and very problematic with any shared hosting solution.

With shared hosting, the only real option is to store it in a file somewhere, and like with the sessions, if they run everyone's code under the same account then anyone with a site on that server could read that file and get your key.  PHP running scripts under the same account was common back in the day when I used the occasional host, but it may not be anymore.  You'd want to check with your hosting provider.  If they do run your scripts under a unique account, and you're not overly paranoid you could possibly get by.

With a VPS you can still store the key in a file for convenience, but since no one else is sharing the server you don't have to worry about someone getting in that way.  Your worry here is from faults in the software you run that may allow someone to access the server, and that's pretty much a worry you'll have no matter what you do.  Just keep things updated and audit your code to find problems.

The more ideal solution is to require the key to be entered any time the system is started, allowing the key to be stored only in the memory of the system and nowhere on disk.  Someone would have to be able to gain access to the system memory without causing a reboot to get your key at that point, which is harder to do.  This kind of setup could be done with a VPS or dedicated server.  If you're really paranoid, a dedicated server is best as a VPS could technically be paused and have a snapshot taken which would then contain your key.  That comes down to trusting your hosting provider.


Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.