PHP memcached session handler security

One subsystem of a PHP server is its session handling. In multi-user systems the choice of handler requires a trade-off between performance, persistence, and security (user isolation). Because my setup does not seem to be common, I document it here.

A simple and traditional approach is file-based sessions: if the session files are stored in /tmp they are shared and accessible by all users; if they are stored in each user’s home directory they provide isolation. Persistence is unlimited (unless you also run a script that deletes old temporary files), but performance is usually inferior.

The newer memcached session handler stores all session data in an in-memory memcached database. This gives better performance, but worse persistence (entries are lost when memcached is restarted) and usually no access control (all users can read all entries).

Whether persistence is an issue depends on your users’ applications and websites. I only have to restart memcached about every two months (for software updates), and my blogs and wikis do not require long-term sessions (losing the sessions only invalidates my browser’s login cookies).

But access control is essential in a multi-user system; to provide it I use the Suhosin PHP extension. With its suhosin.session.encrypt option every user gets a unique key with which their session data is encrypted before it is stored. Every user can still obtain the list of all key-value pairs from memcached and recognize session entries, but they cannot decrypt and read the values.

So far I have used this setup with php-cgi/suPHP, where every user has their own php.ini, and with php-fpm, where only selected php.ini values are overridden per pool with php_admin_value. In theory it also works with mod_php (although encrypting session data would then be fairly pointless, since all other PHP operations share the same user credentials without any isolation).
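The php-fpm variant of this setup as an added example (not the configuration from this post): two pools that each force the memcached handler and Suhosin session encryption with their own key through php_admin_value/php_admin_flag, which a user cannot undo from ini_set() or .user.ini. Pool names, usernames, socket paths, the memcached address and the key placeholders are assumptions.

```ini
; /etc/php/fpm/pool.d/alice.conf  (added example; names and paths are assumptions)
[alice]
user = alice
group = alice
listen = /run/php-fpm/alice.sock
pm = ondemand
pm.max_children = 5
; Shared memcached handler: fast, but every pool can list and read every entry.
php_admin_value[session.save_handler] = memcached
php_admin_value[session.save_path] = "127.0.0.1:11211"
; Suhosin encrypts the serialized session data before it reaches memcached.
php_admin_flag[suhosin.session.encrypt] = On
; Per-user secret: other pools see only ciphertext for alice's sessions.
php_admin_value[suhosin.session.cryptkey] = "REPLACE-WITH-ALICE-RANDOM-SECRET"

; /etc/php/fpm/pool.d/bob.conf
[bob]
user = bob
group = bob
listen = /run/php-fpm/bob.sock
pm = ondemand
pm.max_children = 5
php_admin_value[session.save_handler] = memcached
php_admin_value[session.save_path] = "127.0.0.1:11211"
php_admin_flag[suhosin.session.encrypt] = On
; A different key per pool is what provides the isolation; reusing alice's
; key here would let bob decrypt her session values again.
php_admin_value[suhosin.session.cryptkey] = "REPLACE-WITH-BOB-RANDOM-SECRET"
```

Keep each pool file readable only by root, since php-fpm's master process reads it and the key must not be visible to the pool's own unprivileged user.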
