[Feature] Encrypt session about nelmiosecuritybundle HOT 9 CLOSED

You can do that with the encrypted_cookies setting I would think, just specify your session cookie there?

from nelmiosecuritybundle.

No i don't mean the cookie value.
I mean the session data, that were stored in the database, filesystem or something else.

from nelmiosecuritybundle.

But there isn't much point in that is there? If someone can read this stuff, most likely he has access to your secret and can decrypt the data anyway.

from nelmiosecuritybundle.

Not really. If you run your application on a virtual server and the session directory is on every virtual server equals, then a hacker can hijack your session. If you encrypt this session values, the hacker have no chance to decrypt this session.

An another example was, if you use couchdb as session storage and you dont't use https (or is not available), the session values will be send in the plain format.

If i'm wrong please correct me :)

from nelmiosecuritybundle.

Regarding shared hosting, the session id will still be present in clear on the filesystem, so it's still fairly easy to hijack your session.. As for couch well, if you don't use https and it's not on the same machine yeah you can have MITM problems but usually it's a direct neighbour in the network so chances are low. Anyway if you'd like to do it I guess I'm not completely against the idea, it's optional anyway, but I really doubt there is much value in doing this.

from nelmiosecuritybundle.

Interesting, I was not aware that the session id will be present in clear on the filesystem.

It's still a idea, so i opened this issue to discuss this featue.
If you say it's not necessary than we can close this issue, otherwise i would love to create a PR.

from nelmiosecuritybundle.

The session is usually stored in a file which is named with the session
id, so hijacking is fairly easy if you're a poorly configured shared host.

As for implementing it, I just don't see enough value in the feature to
do it myself, but if you do then feel free to add it. Or we can leave it
open and see if anyone else is interested.

from nelmiosecuritybundle.

Thank's for this explanation :)

I've leave it open, if anyone is interested to implement this feature,
we can discuss it again.

from nelmiosecuritybundle.

@Baachi "If you run your application on a virtual server and the session directory is on every virtual server equals"

This is a Symfony2 bundle and Symfony2 is configurated by default to store the sessions inside the app/cache/*/sessions directory.

So I think the feature would be useless for this bundle. Maybe as a standalone component, but I wouldn't use it :-)

from nelmiosecuritybundle.