
  > If you are using PHP also bear in mind that a common default is for all sessions to be written to /tmp which is world readable and writeable. So if others have access to your server they can steal or destroy sessions easily.
I'm slightly confused by this, within the context of this article. Yes, /tmp is readable and writable by all, but that doesn't mean that everything in it is readable or writable by other people. The sessions that PHP creates will be owned by the webserver user (nobody/www-data/something else), and shouldn't be readable or writable by other users.

This is still a problem with shared hosting, where you might have multiple websites running on the same server. One shared host would be able to read another's sessions, because they are all running under the webserver's user. This[1] suggests overriding the session_set_save_handler and writing to a resource that only you control, such as your DB.

[1] http://phpsec.org/projects/guide/5.html



Yes, that's precisely what I meant. I shouldn't post when I'm tired :)
