Securing DB and Session Data on a Common PHP Host

I wrote a PHP web application using SQLite and sessions stored in the filesystem.

It is functionally thin and attractively low maintenance. But now it should run on a shared host.

All web applications on the shared host run as the same user, so my users' session data is vulnerable, as are the database, code, etc.

In this situation, many recommend storing sessions in a DBMS, such as MySQL. So at first I thought I would just do that, and move the SQLite data to MySQL too. But then I realized that the MySQL credentials must be readable by the web application's user, so I would be back to square one.

I think the best solution is to use PHP as CGI so that it runs as a separate user for each web application. This sounds great, but my host does not do this; it uses mod_php. Are there any drawbacks from the administrator's point of view to enabling this (performance, backward compatibility, etc.)? If not, I will ask them to enable it.

Otherwise, can I do something to protect my database and session data in this situation?

+7
security php apache session shared-hosting
5 answers

As long as your code acts as a shared web user, everything stored on the server will be vulnerable. Any other user could write a PHP script to view any readable file on the server, including your data and PHP code.

If your hosting provider allows it, running PHP as CGI under a different user will help, but I expect that there will be a significant performance hit, since each request will require the creation of a new process. (You can look at FCGI as a better alternative.)

Another approach would be to set a cookie based on what the user provides, and use it to encrypt the session data. For example, when a user logs in, take a hash of their username, password (which they have just provided) and the current time, encrypt the session data with the hash, and set a cookie containing the hash. The next time you receive the cookie, you can use it to decrypt the session data. Note that this will protect only the current session data; your user table, other data and code will still be vulnerable.

In this situation, you need to decide whether the trade-off of the low cost of shared hosting is acceptable, given the reduced security that it provides. It will depend on your application, and it may be that instead of trying to create a complex (and perhaps not even very effective) way to add security, you are better off just taking the risk.

+4
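The cookie-held key idea from the answer above, as an added example that is not part of the original answers: session files on the shared disk hold only ciphertext, and the key exists only in the visitor's cookie. It swaps the answer's hash of username, password and time for a random key, and assumes PHP 8.0+ with the sodium extension and an HTTPS site; the cookie name `sesskey` and the function name `sessionKeyFromCookie` are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: wraps PHP's default file handler so that other accounts on
// the host can read the session file but not its contents.
final class EncryptedSessionHandler extends SessionHandler
{
    public function __construct(private string $key) {}

    public function read(string $id): string|false
    {
        $raw = base64_decode((string) parent::read($id), true);
        $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
        if ($raw === false || strlen($raw) < $min) {
            return '';                          // new, empty or damaged session file
        }
        $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open($box, $nonce, $this->key);
        return $plain === false ? '' : $plain;  // wrong key or tampered file: start empty
    }

    public function write(string $id, string $data): bool
    {
        // Fresh nonce per write; secretbox also authenticates the ciphertext.
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box   = sodium_crypto_secretbox($data, $nonce, $this->key);
        return parent::write($id, base64_encode($nonce . $box));
    }
}

// Returns the key from the cookie, or issues a new random key to the browser.
function sessionKeyFromCookie(string $cookieName = 'sesskey'): string
{
    $key = base64_decode($_COOKIE[$cookieName] ?? '', true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
        setcookie($cookieName, base64_encode($key), [
            'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
        ]);
    }
    return $key;
}

session_set_save_handler(new EncryptedSessionHandler(sessionKeyFromCookie()), true);
session_start();
```

As the answer notes, this covers only the session data; the SQLite file, credentials and code remain readable by other accounts running as the same user.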

I do not see security as all or nothing. There are steps you can take. Give the web db user only the necessary permissions. Store passwords as hashes. Use OpenID login so that users provide their credentials over SSL.

PHP as CGI may be slower, and some hosts may simply not want to support more than one environment.

For some reason, you may have to stick with your host, but as a rule, there are so many available that it is a good reminder to people about comparing functionality and security as well as cost. I noticed that many companies are starting to offer virtual computer hosting - almost dedicated server-level security in terms of isolating your code from other users - at a reasonable cost.

+1

A shared host cannot run a website if you understand the privacy and security of your data from sites with which you share the server. Everything that is available to your web application is fair game for others; it will only be a matter of time before they can access it (provided that they have an incentive to do this with you).

0

"You can put your DB connection variables in a file under the root of the website, which will at least protect it from network access. If you intend to use file-based sessions, you can set the session path to your user directory and again outside the web root."

I don't have an account, so I can't lower it ... but seriously this is not even related to the issue.

You store things outside of webroot. This applies to any hosting scenario and does not apply to shared hosting. We are not talking about protection from strangers here. We are talking about protection from other applications on the same machine.

To the OP: I think PHP as CGI is the safest solution, as you already suggested. But, as someone said, this is a performance hit.

Something you can pay attention to is moving your sessions and db to MySQL and using safe_mode and/or open_basedir.

0

I would solve the problem by changing the infrastructure instead of the code. Consider upgrading to a VPS server. Currently you can get them very inexpensively. I saw VPS starting at $10/month.

0