Reputation: 189
I have learned that if I share a server with another host (which I do, as I have a virtualhost), then all the hosts share the same $_SESSION.
Does it mean that other hosts can access some of the variables that I store in the $_SESSION?
Upvotes: 3
Views: 1063
Reputation: 53581
Check the value of the following:
echo ini_get('session.save_handler');
echo ini_get('session.save_path');
If your save_handler is files and your save_path is a common directory like /var/lib/php5, then you're likely sharing session storage with other users on the server. You're still protected by the nature of the session hash id, but if you have sensitive information you might want to make a change. You could either change the save_handler to something like sqlite and provide your own local database file, or simply change save_path to a directory that's owned by you and has minimal permissions. You can change save_path in a .htaccess file:
php_value session.save_path "/path/to/my/session/directory"
Or in your PHP source:
ini_set('session.save_path', '/path/to/my/session/directory');
Edit: Realistically though, if you have information sensitive enough to warrant this change, then you should be using a VPS and not a shared server.
Upvotes: 3
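One way to carry out the check and the save_path change described in the answer above, as an added example that is not part of the original answer. The function names and the `private_sessions` directory are assumptions made for illustration.

```php
<?php
// Added example: audit where PHP keeps session files, then move them to a private directory.

/** Return a list of warnings about the configured session storage. */
function audit_session_storage(string $handler, string $savePath): array
{
    if ($handler !== 'files') {
        return [];  // only the file-based handler writes to a directory
    }
    // save_path may be written as "N;/path" or "N;MODE;/path"; the path is the last field.
    $parts = explode(';', $savePath);
    $dir = trim(end($parts));
    if ($dir === '') {
        $dir = sys_get_temp_dir();  // an empty save_path falls back to the system temp dir
    }
    $perms = @fileperms($dir);
    if ($perms === false) {
        return ["cannot stat $dir"];
    }
    $warnings = [];
    if ($perms & 0007) {
        $warnings[] = sprintf('%s is accessible to other users (mode %04o)', $dir, $perms & 07777);
    }
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        $warnings[] = "$dir is not owned by the user running this script";
    }
    return $warnings;
}

/** Create (if needed) a 0700 directory and point the session handler at it. */
function use_private_session_dir(string $dir): void
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    chmod($dir, 0700);  // mkdir() mode is subject to umask, so set it explicitly
    ini_set('session.save_path', $dir);
}

// Log instead of echo: session ini settings cannot be changed once output has been sent.
foreach (audit_session_storage((string) ini_get('session.save_handler'),
                               (string) ini_get('session.save_path')) as $warning) {
    error_log("session storage: $warning");
}
// Placeholder location, assumed writable and outside the web root.
use_private_session_dir(dirname(__DIR__) . '/private_sessions');
session_start();
```

If every site on the server runs PHP as the same system user, a 0700 directory owned by that user is still readable by the other sites' scripts, so the ownership check only helps when PHP runs under your own account.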
Reputation: 2546
Does it mean that other hosts can access some of the variables that I store in the $_SESSION?
I would say yes if the session id is the same and if using default configuration for sessions. In regard to the session id being large, the chances of hijacking are pretty low, but then again anything is possible, even when using a single virtual host. It all depends on your particular circumstances.
But for all practical purposes I will dare to say you will be ok.
Good luck!
Upvotes: 0