Virtual hosts are becoming more and more secure nowadays. Although an attacker on one site can no longer enter the target website's directory directly, they can still read its session files, because every site on the host stores its sessions in the same directory.
The following is a demonstration using two sites, localtest1.safe121.com and localtest2.safe121.com.
Assume that open_basedir has been set separately for each site and that we cannot obtain server (root) permissions.
Three PHP files are used:
one creates a SESSION, one clears the SESSION, and one displays the SESSION.
We create a session on website 1 (using a different browser for each site to ensure isolation).
Then we create a session on website 2.
In browser A, session 1 is displayed.
Now try to display session 2 from browser A.
Of course, session 2 cannot be displayed, because it was not created in this browser.
We use a webshell on website 1 to open the shared SESSION directory.
Our goal is to steal the session of website 2.
We identify the SESSION file belonging to website 2 from its file owner and file size.
Finally, we set our own session cookie to that session's value and obtain the session of website 2.
Solution:
1. Specify the session save path before the website program starts the session. For example, create a folder inside the website with a hard-to-guess name such as sEsS10n-1213213124sdkfsd, make it writable, and then call the following before SESSION starts:
session_save_path('sess10n-1213109124sdkfsd');
session_start();
This makes the site use its own session storage path instead of the shared directory.
2. Develop good habits: log out immediately after using the admin back end instead of just closing the browser.
3. Save the client IP address in the SESSION and force a logout when the address differs. Note that if the client's IP address changes while using the back end, this causes a false logout.
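The three measures above combined into one PHP snippet, as an added example that is not code from the original post. The directory name is a placeholder and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example: per-site session storage (point 1), a proper logout (point 2)
// and IP binding (point 3). Directory name is a placeholder, not a real path.

// 1. A private session directory for this site only, readable by nobody else.
$sessionDir = __DIR__ . '/../private/sessions_PLACEHOLDER';
if (!is_dir($sessionDir)) {
    mkdir($sessionDir, 0700, true);
}
// If group/other bits are set, another account on the host could read the files.
if ((fileperms($sessionDir) & 0077) !== 0) {
    chmod($sessionDir, 0700);
}
session_save_path($sessionDir);

// Cookie hardening: not readable from JavaScript, only sent over HTTPS.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// 2. Proper logout: clear data, expire the cookie, delete the server-side file.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// 3. Bind the session to the client address; a changed address ends it.
//    Caveat from the post: clients whose IP changes mid-session are logged out.
function enforceClientBinding(): void
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!isset($_SESSION['bound_ip'])) {
        $_SESSION['bound_ip'] = $ip;
    } elseif ($_SESSION['bound_ip'] !== $ip) {
        logout();
        exit('Session ended: client address changed.');
    }
}

enforceClientBinding();
```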
From: network security blog