phillip.s.powell@gmail.com wrote:
> HansH wrote:
> > <phillip.s.powell@gmail.com> schreef in bericht
> > news:1165360511.201238.220110@l12g2000cwl.googlegroups.com...
> > > <Directory />
> > > Options -Indexes
> > > </Directory>
> > >
> > > <Files ~ "^\.ht">
> > > order allow,deny
> > > deny from all
> > > </Files>
> > Odd you have to set this yourself, should be in httpd.conf.
>
> That's assuming you have permissions and access to httpd.conf, which I
> don't :(
>
> >
> > > <Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
> > Try <Files ~ "^sess[a-zA-Z0-9\-_,]*$">
> > See 'session.hash_bits_per_character' at
> > http://www.php.net/manual/en/ref.session.php
>
> session.hash_bits_per_character is a PHP 5+ addition to php.ini; I'm
> using PHP 4.3.9, sorry.
>
> I tried your pattern, but unfortunately that also failed to match and
> the session file was easily viewable via browser, which obviously you
> don't want.
>
> >
> > > order allow,deny
> > > deny from all
> > > </Files>
> >
> > > This is designed to prevent itself, all files beginning with "sess" and
> > > the directory listing from being viewed.
> > Your session.save_path in php.ini should be set _outside_ the document tree
> >
>
> That would be assuming you have the rights to do so IAPW. However, I
> am designing a portable web application that will be housed in a shared
> hosting platform which does not allow for us to store sessions within
> session.save_path (or for that matter, have any access outside of our
> chroot - can you say "chroot jail"?), nor are we allowed to even change
> any of the default php.ini values via ini_set() either (I tried that,
> believe me). So that left me only with the option to store sessions
> within our chroot (actually in one case, within the document root only
> as that's as far back as we're allowed to go), and since they're
> "open", I need to make sure the session file contents are not viewable.
>
>
> > HansH
/tmp should work even in your environment and should work on about 95% of
Linux-flavored hosting. If it doesn't, you might consider moving. You
might also run phpinfo.php and make sure your temp is at /tmp. Session
files are dangerous to have lying around anywhere; it is a major
security breach.
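As an added example that is not part of the thread, a small Python check of whether the `<Files ~ "...">` patterns quoted above would actually cover the session file names PHP writes. The `sess_` prefix and the per-setting id alphabets are assumptions taken from PHP's files save handler and the session.hash_bits_per_character setting HansH refers to; the file names tested are constructed, not captured from a server.

```python
"""Coverage check for the <Files ~ "..."> deny patterns from the thread.

Assumptions (not stated in the thread): PHP's files save handler names each
session file "sess_" + id, and the id alphabet depends on
session.hash_bits_per_character (4: 0-9a-f, 5: 0-9a-v, 6: 0-9a-zA-Z plus "-" ",").
"""
import re
import string

# Patterns exactly as written in the thread. Apache's "~" form is a regex
# search over the file name, so the ^ and $ anchors are what make it strict.
PATTERN_ORIGINAL = r"^sess[a-zA-Z0-9\-_\.]*$"
PATTERN_HANSH = r"^sess[a-zA-Z0-9\-_,]*$"
PATTERN_DOTFILES = r"^\.ht"

# Session id alphabets keyed by session.hash_bits_per_character (assumption).
ID_ALPHABETS = {
    4: string.digits + "abcdef",
    5: string.digits + string.ascii_lowercase[:22],        # 0-9, a-v
    6: string.digits + string.ascii_letters + "-,",
}


def file_is_denied(name: str, pattern: str) -> bool:
    """True if a <Files ~ pattern> block would apply to this file name."""
    return re.search(pattern, name) is not None


def uncovered_alphabets(pattern: str) -> list[int]:
    """hash_bits_per_character values whose ids can yield an unprotected file.

    A constructed worst-case name containing every alphabet character is
    tested; for a single-character-class pattern like those above, covering
    it is the same as covering every id built from that alphabet.
    """
    return [bits for bits, alphabet in ID_ALPHABETS.items()
            if not file_is_denied("sess_" + alphabet, pattern)]


def collateral_denials(pattern: str, public_files: tuple[str, ...]) -> list[str]:
    """Ordinary files the pattern would also block (should be empty)."""
    return [f for f in public_files if file_is_denied(f, pattern)]


if __name__ == "__main__":
    for label, pat in (("original", PATTERN_ORIGINAL), ("HansH", PATTERN_HANSH)):
        print(label, "misses hash_bits_per_character =", uncovered_alphabets(pat))
    print(".htaccess denied:", file_is_denied(".htaccess", PATTERN_DOTFILES))
```

Running it shows the original pattern leaves hash_bits_per_character=6 ids (which may contain a comma) exposed, which is the gap HansH's pattern closes; with PHP 4's hex ids both patterns match, so a file that is still readable points at the directive not being applied rather than at the regex.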