Enable by default to store all session data in the database + remove feature of file-based sessions in tmp/sessions/* #12170
Comments
|
A more reasonable first step would be to instead, enable database session by default in Piwik, but leave the file session handler in case it is still useful to have. |
mattab
changed the title
|
It will be great to enable DB based sessions in Matomo 3.7.0. It will improve security because currently only on Apache2 we explicitely disable opening sessions files (on IIS or Nginx session files may be possible to open via direct web access). So once we store sessions in the DB it becomes impossible to directly access the content of the sessions in the tmp/sessions/ folder by guessing (or stealing) session tokens. |
mattab
added
the
c: Security
|
On top of activating DB sessions by default, we also want to: add a system check that Warns people, if the sessions are using files.It is important that people use DB sessions for maximum security and ensuring session files can't be read (when accessed directly). |
|
If it is so important, why do you keep the functionality in there? |
|
💥 even better! let's remove the feature of file-based sessions 🎉 |
mattab
changed the title
mattab
added
the
Major
In order to simplify life (for example when we refactor/improve security in our sesions in #12164), I'd like to propose that we remove the File Sessions Handler in Piwik, and default everyone to use the Database session handler.
Notes:
By default Piwik uses the filesystem as a session handler.The text was updated successfully, but these errors were encountered: