$_SESSION across multiple virtual hosts

I found out that if I switch from one server to another host (which I do, since I have virtual hosts), then all hosts share the same $_SESSION in the same way.

Does this mean that other hosts may be accessing some of the variables that are stored in $_SESSION?

+3




2 answers


Check the values of the following:

<?php
// Which handler stores sessions (e.g. "files") and where it stores them.
echo ini_get('session.save_handler');
echo ini_get('session.save_path');

If your save_handler is equal to files and your save_path is a shared directory, for example /var/lib/php5, then you will most likely be sharing session storage with other users on the server. You are still protected by the nature of the session hash id, but if you have sensitive information, you can make changes. You can either change save_handler to something like sqlite and provide your own local database file, or just change save_path to a directory you own and that has minimal permissions. You can change save_path in the .htaccess file:

# .htaccess: php_value takes no "=" between the directive and its value
php_value session.save_path "/path/to/my/session/directory"



Or in your PHP source:

<?php
// Must be called before session_start(), otherwise it has no effect.
ini_set('session.save_path', '/path/to/my/session/directory');

Edit: Realistically, though, if you have sensitive enough information to justify this change, then you should be using a VPS and not a shared server.

+3


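Putting the answer's check and fix together, as an added example that is not the answer's own code: it inspects the current save_handler/save_path, and when sessions would land in a directory other local users can access, it switches to a per-virtual-host directory with 0700 permissions before session_start(). The base directory /var/lib/php-sessions is an assumption.

```php
<?php
// Added example, not code from the answer. Gives each virtual host its own
// session directory and refuses to start a session if that directory is
// readable or writable by other local users. $baseDir is an assumed path.

function sessionPathIsShared(string $path): bool
{
    // save_path may carry a "N;" or "N;MODE;" prefix (directory depth / mode).
    $path = preg_replace('/^\d+;(\d+;)?/', '', $path);
    // An empty path means PHP falls back to the system temp dir, which is
    // shared with every other user on the machine.
    if ($path === '' || !is_dir($path)) {
        return true;
    }
    // Any group or world permission bit means other accounts can get at it.
    return (fileperms($path) & 0077) !== 0;
}

function privateSessionDir(string $baseDir, string $host): string
{
    // Derive the directory name from the host, allowing only safe characters.
    $safeHost = preg_replace('/[^a-z0-9.-]/i', '_', $host);
    return rtrim($baseDir, '/') . '/' . $safeHost;
}

function startPrivateSession(string $baseDir, string $host): void
{
    $dir = privateSessionDir($baseDir, $host);
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session directory $dir");
    }
    chmod($dir, 0700); // mkdir's mode is reduced by umask, so set it explicitly
    if (sessionPathIsShared($dir)) {
        throw new RuntimeException("session directory $dir is accessible to other users");
    }
    ini_set('session.save_handler', 'files');
    ini_set('session.save_path', $dir); // must happen before session_start()
    session_start();
}

// Inspect the configuration the answer tells you to check, then act on it.
$handler = ini_get('session.save_handler');
$path    = ini_get('session.save_path');
if ($handler === 'files' && sessionPathIsShared($path)) {
    // /var/lib/php-sessions is an assumed base directory for this example.
    startPrivateSession('/var/lib/php-sessions', $_SERVER['SERVER_NAME'] ?? 'default');
} else {
    session_start();
}
```

ini_set() only takes effect when called before session_start(); the .htaccess php_value form works only when PHP runs as an Apache module (mod_php), not under PHP-FPM or FastCGI.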


Does this mean that other hosts may be accessing some of the variables that are stored in $_SESSION?

I would say yes, as long as the session id is the same and when using the default configuration for sessions. With regard to a large session ID, the chances of hijacking are pretty low, but again anything is possible, even when using a single virtual host. It all depends on your specific circumstances.



But for all practical purposes, I dare say you'll be fine.

Good luck!

0



