.htaccess prevents itself from being viewed but not "sess*" files in directory

A discussion in the Linux Web Servers forum (Web Server and Related Forums category).
<Directory />
    Options -Indexes
</Directory>

<Files ~ "^\.ht">
    order allow,deny
    deny from all
</Files>

<Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
    order allow,deny
    deny from all
</Files>

This is designed to prevent itself, all files beginning with "sess" and the directory listing from being viewed. Right now I get the expected 403 Forbidden if I try to view the directory listing and if I try to view .htaccess itself via browser; however, when I try to view any file beginning with "sess" it lets me view it, though it's not supposed to do so. I tried every known regular expression pattern on "sess" and all failed to block. Is there something else I need to do to prevent "sess" files from being blocked? They are PHP session files and I don't really have any control over permission settings for these files, else I would not bother with .htaccess.

Thanx,
Phil
<phillip.s.powell@gmail.com> wrote in message
news:1165360511.201238.220110@l12g2000cwl.googlegroups.com...
> <Directory />
> Options -Indexes
> </Directory>
>
> <Files ~ "^\.ht">
> order allow,deny
> deny from all
> </Files>

Odd you have to set this yourself; it should be in httpd.conf.

> <Files ~ "^sess[a-zA-Z0-9\-_\.]*$">

Try

    <Files ~ "^sess[a-zA-Z0-9\-_,]*$">

See 'session.hash_bits_per_character' at
http://www.php.net/manual/en/ref.session.php

> order allow,deny
> deny from all
> </Files>
> This is designed to prevent itself, all files beginning with "sess" and
> the directory listing from being viewed.

Your session.save_path in php.ini should be set _outside_ the document tree.

HansH
HansH wrote:
> <phillip.s.powell@gmail.com> wrote in message
> news:1165360511.201238.220110@l12g2000cwl.googlegroups.com...
> > <Directory />
> > Options -Indexes
> > </Directory>
> >
> > <Files ~ "^\.ht">
> > order allow,deny
> > deny from all
> > </Files>
> Odd you have to set this yourself; it should be in httpd.conf.

That's assuming I have permissions and access to httpd.conf, which I don't :(

> > <Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
> Try <Files ~ "^sess[a-zA-Z0-9\-_,]*$">
> See 'session.hash_bits_per_character' at
> http://www.php.net/manual/en/ref.session.php

session.hash_bits_per_character is a PHP 5+ addition to php.ini; I'm using PHP 4.3.9, sorry.

I tried your pattern, but unfortunately that also failed to match and the session file was easily viewable via browser, which obviously you don't want.

> > order allow,deny
> > deny from all
> > </Files>
>
> > This is designed to prevent itself, all files beginning with "sess" and
> > the directory listing from being viewed.
> Your session.save_path in php.ini should be set _outside_ the document tree

That would be assuming you have the rights to do so IAPW. However, I am designing a portable web application that will be housed in a shared hosting platform which does not allow us to store sessions within session.save_path (or for that matter, have any access outside of our chroot - can you say "chroot jail"?), nor are we allowed to even change any of the default php.ini values via ini_set() either (I tried that, believe me). So that left me only with the option to store sessions within our chroot (actually in one case, within the document root only, as that's as far back as we're allowed to go), and since they're "open", I need to make sure the session file contents are not viewable.

> HansH
phillip.s.powell@gmail.com wrote:
> HansH wrote:
> > <phillip.s.powell@gmail.com> wrote in message
> > news:1165360511.201238.220110@l12g2000cwl.googlegroups.com...
> > > <Directory />
> > > Options -Indexes
> > > </Directory>
> > >
> > > <Files ~ "^\.ht">
> > > order allow,deny
> > > deny from all
> > > </Files>
> > Odd you have to set this yourself; it should be in httpd.conf.
>
> That's assuming I have permissions and access to httpd.conf, which I
> don't :(
>
> > > <Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
> > Try <Files ~ "^sess[a-zA-Z0-9\-_,]*$">
> > See 'session.hash_bits_per_character' at
> > http://www.php.net/manual/en/ref.session.php
>
> session.hash_bits_per_character is a PHP 5+ addition to php.ini; I'm
> using PHP 4.3.9, sorry.
>
> I tried your pattern, but unfortunately that also failed to match and
> the session file was easily viewable via browser, which obviously you
> don't want.
>
> > > order allow,deny
> > > deny from all
> > > </Files>
> >
> > > This is designed to prevent itself, all files beginning with "sess" and
> > > the directory listing from being viewed.
> > Your session.save_path in php.ini should be set _outside_ the document tree
>
> That would be assuming you have the rights to do so IAPW. However, I
> am designing a portable web application that will be housed in a shared
> hosting platform which does not allow us to store sessions within
> session.save_path (or for that matter, have any access outside of our
> chroot - can you say "chroot jail"?), nor are we allowed to even change
> any of the default php.ini values via ini_set() either (I tried that,
> believe me). So that left me only with the option to store sessions
> within our chroot (actually in one case, within the document root only,
> as that's as far back as we're allowed to go), and since they're
> "open", I need to make sure the session file contents are not viewable.
>
> > HansH

/tmp should work even in your environment and should work in about 95% of Linux-flavored hosting. If it doesn't, you might consider moving. You might also run phpinfo.php and make sure your temp is at /tmp. Session files are dangerous to have lying around anywhere; it is a major security breach.
Concreteman wrote:
> phillip.s.powell@gmail.com wrote:
> > HansH wrote:
> > > <phillip.s.powell@gmail.com> wrote in message
> > > news:1165360511.201238.220110@l12g2000cwl.googlegroups.com...
> > > > <Directory />
> > > > Options -Indexes
> > > > </Directory>
> > > >
> > > > <Files ~ "^\.ht">
> > > > order allow,deny
> > > > deny from all
> > > > </Files>
> > > Odd you have to set this yourself; it should be in httpd.conf.
> >
> > That's assuming I have permissions and access to httpd.conf, which I
> > don't :(
> >
> > > > <Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
> > > Try <Files ~ "^sess[a-zA-Z0-9\-_,]*$">
> > > See 'session.hash_bits_per_character' at
> > > http://www.php.net/manual/en/ref.session.php
> >
> > session.hash_bits_per_character is a PHP 5+ addition to php.ini; I'm
> > using PHP 4.3.9, sorry.
> >
> > I tried your pattern, but unfortunately that also failed to match and
> > the session file was easily viewable via browser, which obviously you
> > don't want.
> >
> > > > order allow,deny
> > > > deny from all
> > > > </Files>
> > >
> > > > This is designed to prevent itself, all files beginning with "sess" and
> > > > the directory listing from being viewed.
> > > Your session.save_path in php.ini should be set _outside_ the document tree
> >
> > That would be assuming you have the rights to do so IAPW. However, I
> > am designing a portable web application that will be housed in a shared
> > hosting platform which does not allow us to store sessions within
> > session.save_path (or for that matter, have any access outside of our
> > chroot - can you say "chroot jail"?), nor are we allowed to even change
> > any of the default php.ini values via ini_set() either (I tried that,
> > believe me). So that left me only with the option to store sessions
> > within our chroot (actually in one case, within the document root only,
> > as that's as far back as we're allowed to go), and since they're
> > "open", I need to make sure the session file contents are not viewable.
> >
> > > HansH
>
> /tmp should work even in your environment and should work in about 95%
> of Linux-flavored hosting. If it doesn't, you might consider moving. You
> might also run phpinfo.php and make sure your temp is at /tmp. Session
> files are dangerous to have lying around anywhere; it is a major
> security breach.

Would you believe we're in the 5%? It's a "chroot jail"; no access of any kind is allowed outside of your chroot, not even to /tmp! I agree about leaving session files lying around, but sadly I have no choice unless the company decides to go with my suggestion of a dedicated host instead of a shared host; until then I'm expected to come up with a solution that is secure and functional within the shared host settings given to us.
HansH wrote:
> <phillip.s.powell@gmail.com> wrote in message
> news:1165360511.201238.220110@l12g2000cwl.googlegroups.com...
> > <Directory />
> > Options -Indexes
> > </Directory>
> >
> > <Files ~ "^\.ht">
> > order allow,deny
> > deny from all
> > </Files>
> Odd you have to set this yourself; it should be in httpd.conf.
> > <Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
> Try <Files ~ "^sess[a-zA-Z0-9\-_,]*$">
> See 'session.hash_bits_per_character' at
> http://www.php.net/manual/en/ref.session.php
> > order allow,deny
> > deny from all
> > </Files>

What I tried doing was this, out of desperation:

    <Files>
        order allow,deny
        deny from all
    </Files>

And even then all session files were still viewable. That's when I concluded perhaps it is due to the nature of how PHP names its session files (no PHP session file has any extension, just a name), and that's perhaps why it is not even recognized, just perhaps, as a file in the first place and thus isn't filtered by the Files directive and remains viewable in spite of the directory global restriction.

Phil

> > This is designed to prevent itself, all files beginning with "sess" and
> > the directory listing from being viewed.
> Your session.save_path in php.ini should be set _outside_ the document tree
>
> HansH
<phillip.s.powell@gmail.com> wrote in message
news:1165529250.835286.151950@l12g2000cwl.googlegroups.com...
> What I tried doing was this, out of desperation:
>
> <Files>
> order allow,deny
> deny from all
> </Files>

What files are to be denied without specifying a filename??
Test for me

    <Files ~ ".">

> And even then all session files were still viewable. That's when I
> concluded perhaps it is due to the nature of how PHP names its session
> files (no PHP session file has any extension, just a name),

Thinking name-dot-extension ... is a Microsoft doctrine.

BTW, your sess* files are at the document_root ...??? If not, try

    <Location /<folder>/>
        order allow,deny
        deny from all
    </Location>

HansH
HansH wrote:
> <phillip.s.powell@gmail.com> wrote in message
> news:1165529250.835286.151950@l12g2000cwl.googlegroups.com...
> > What I tried doing was this, out of desperation:
> >
> > <Files>
> > order allow,deny
> > deny from all
> > </Files>
> What files are to be denied without specifying a filename??
> Test for me
> <Files ~ ".">

Sorry, I tried that and the session files are still viewable via browser:

    <Files ~ ".">
        order allow,deny
        deny from all
    </Files>

> > And even then all session files were still viewable. That's when I
> > concluded perhaps it is due to the nature of how PHP names its session
> > files (no PHP session file has any extension, just a name),
> Thinking name-dot-extension ... is a Microsoft doctrine.
>
> BTW, your sess* files are at the document_root ...???
> If not, try
> <Location /<folder>/>
> order allow,deny
> deny from all

Sorry, that also failed; the session files are easily viewable via browser :(

    <Location /path/to/session/files>
        order allow,deny
        deny from all
    </Location>

> HansH
> </Location>
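By this point the thread has tried the original pattern, HansH's comma-aware pattern from his first reply, and finally <Files ~ ".">, and none of them stopped the session files from being served. The Python script below is an added worked example, not part of the original thread or of PHP or Apache. It pulls the regex out of every <Files ~ "..."> / <FilesMatch "..."> container in an .htaccess snippet with a small parser and evaluates it against constructed PHP session file names, one per session.hash_bits_per_character alphabet (4: 0-9a-f, which is also the 32-character MD5 id of PHP 4; 5: 0-9a-v; 6: 0-9a-zA-Z plus '-' and ','). Python's re module stands in for Apache's PCRE; for these character-class patterns the two agree, and Apache applies a <Files ~> regex as a search, which re.search reproduces. The sample names and the function names are this example's own. What the script cannot do is run Apache, so it says nothing about whether a given .htaccess is read for the directory in question at all; what it does show is that the patterns themselves cover the names (the original one misses only the 6-bit alphabet, because of the comma), so a regex mistake is not where the thread's failure lies.

```python
import re

# Constructed sample session file names, one per session.hash_bits_per_character
# value. PHP names a session file "sess_" followed by the session id; the
# PHP 4.3.9 case in the thread is a 32-char MD5 hex id, i.e. the 4-bit row.
SAMPLE_SESSION_FILES = {
    4: "sess_0123456789abcdef0123456789abcdef",   # 0-9 a-f
    5: "sess_0123456789abcdefghijklmnopqrstuv",   # 0-9 a-v
    6: "sess_Ab9-,xyzABCXYZ0123456789abcdefgh",   # 0-9 a-z A-Z '-' ','
}

# Apache accepts <Files ~ "regex"> (and its synonym <FilesMatch "regex">).
# Group 1 is the regex, group 2 the container body.
CONTAINER_RE = re.compile(
    r'<(?:Files\s+~|FilesMatch)\s+"([^"]*)"\s*>(.*?)</Files(?:Match)?\s*>',
    re.S | re.I,
)
# Apache 2.2 and 2.4 spellings of "nobody may fetch this".
DENY_RE = re.compile(r"\bdeny\s+from\s+all\b|\bRequire\s+all\s+denied\b", re.I)


def deny_patterns(htaccess):
    """Compile the regex of every container whose body denies all clients."""
    return [re.compile(pattern)
            for pattern, body in CONTAINER_RE.findall(htaccess)
            if DENY_RE.search(body)]


def denied(htaccess, filenames):
    """Return the set of file names that at least one deny container matches.

    Apache applies a <Files ~> regex with a search, not a full-string match,
    so re.search is the faithful equivalent here.
    """
    patterns = deny_patterns(htaccess)
    return {name for name in filenames if any(p.search(name) for p in patterns)}


def session_coverage(htaccess):
    """Map hash_bits_per_character -> True if that sample session file is denied."""
    blocked = denied(htaccess, SAMPLE_SESSION_FILES.values())
    return {bits: name in blocked for bits, name in SAMPLE_SESSION_FILES.items()}


# The two .htaccess variants from the thread, verbatim apart from indentation.
OP_HTACCESS = r'''
<Files ~ "^\.ht">
    order allow,deny
    deny from all
</Files>
<Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
    order allow,deny
    deny from all
</Files>
'''

HANSH_HTACCESS = r'''
<Files ~ "^sess[a-zA-Z0-9\-_,]*$">
    order allow,deny
    deny from all
</Files>
'''

if __name__ == "__main__":
    for label, conf in (("original", OP_HTACCESS), ("HansH", HANSH_HTACCESS)):
        print(label, session_coverage(conf))
    # The ^\.ht rule catches .htaccess and leaves ordinary pages alone.
    print(denied(OP_HTACCESS, [".htaccess", "index.php"]))
```

Running it prints {4: True, 5: True, 6: False} for the original pattern and all True for HansH's, and {'.htaccess'} for the last line. A pattern that covers only the alphabet of the PHP version you deploy on today is a trap worth noting: the 6-bit comma slips past a class written for hex ids, which is exactly the difference between the two patterns above.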
phillip.s.powell@gmail.com wrote:
> HansH wrote:
> > <phillip.s.powell@gmail.com> wrote in message
> > news:1165529250.835286.151950@l12g2000cwl.googlegroups.com...
> > > What I tried doing was this, out of desperation:
> > >
> > > <Files>
> > > order allow,deny
> > > deny from all
> > > </Files>
> > What files are to be denied without specifying a filename??
> > Test for me
> > <Files ~ ".">
>
> Sorry, I tried that and the session files are still viewable via
> browser:
>
> <Files ~ ".">
> order allow,deny
> deny from all
> </Files>
>
> > > And even then all session files were still viewable. That's when I
> > > concluded perhaps it is due to the nature of how PHP names its session
> > > files (no PHP session file has any extension, just a name),
> > Thinking name-dot-extension ... is a Microsoft doctrine.
> >
> > BTW, your sess* files are at the document_root ...???
> > If not, try
> > <Location /<folder>/>
> > order allow,deny
> > deny from all
>
> Sorry, that also failed; the session files are easily viewable via
> browser :(
>
> <Location /path/to/session/files>
> order allow,deny
> deny from all
> </Location>
>
> > HansH
> > </Location>

Since we're talking silly-land solutions here for a silly setup, why not just use a rewrite for all files starting with sess_ and ending with 32 chars? The rewrite could rewrite to a "dev/null" script. Why not use allow,deny and allow for localhost, no one else? Or basic auth, for all but localhost. I know it shouldn't be needed, but I only mention it because everyone's going for the regular solutions and they aren't working; meanwhile your users are unprotected, and maybe your apps, and server!
<phillip.s.powell@gmail.com> wrote in message
news:1165595006.771399.176320@l12g2000cwl.googlegroups.com...
> <Location /path/to/session/files>

If /path/to/session/files is a local path, use Directory.
The full path shown may vary per FTP, HTTP and PHP, depending on the extent of chroot-ing.

> order allow,deny
> deny from all
> </Location>

Final attempt: put an index.html in the folder containing those pesky sess* files.

HansH