[Mediawiki-l] problem with session hijacking detection

Brion Vibber brion at pobox.com
Sat Apr 2 21:02:04 UTC 2005


Hanno Braun wrote:
[snip]
> The wiki is hosted at Sourceforge.net. sf.net uses multiple
> apache-servers to serve web pages. When a page is requested an apache is
> selected by some kind of load balancing mechanism.
[ship]

You need to set the session save path to a directory that's common to
all servers instead of /tmp, which is on the local hard drive.

See:
http://www.php.net/session
http://www.php.net/ini_set


Note that Sourceforge's project web servers are deliberately configured
in a very insecure way for a multiuser server farm; any other registered
developer on any other project can read your session files, or use the
database password in your LocalSettings.php to get into your project's
MySQL database.

Due to the security situation I would recommend against running a wiki
or any other database-driven or password-accepting application in your
SourceForge project web space.

-- brion vibber (brion @ pobox.com)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 253 bytes
Desc: OpenPGP digital signature
Url : http://lists.wikimedia.org/pipermail/mediawiki-l/attachments/20050402/9df148b4/attachment.pgp 


More information about the MediaWiki-l mailing list