@mattab opened this Issue on October 12th 2017 Member

In order to simplify life (for example when we refactor/improve security in our sessions in #12164), I'd like to propose that we remove the File Sessions Handler in Piwik, and default everyone to use the Database session handler.

  • there is no advantage or reason to support the file sessions handler AFAIK.
  • Instead the database session handler works well in all cases, especially in the case where multiple Piwik frontends are used and sessions must be shared (load balanced Piwik), or when NFS is used to store Piwik files (in which case file sessions are very slow)
  • We also support the Redis session handler, see redis session faq

Notes:

@mattab commented on October 12th 2017 Member

A more reasonable first step would be to instead enable database sessions by default in Piwik, but leave the file session handler in case it is still useful to have.

@mattab commented on October 1st 2018 Member

It will be great to enable DB based sessions in Matomo 3.7.0. It will improve security because currently we explicitly disable opening session files only on Apache2 (on IIS or Nginx session files may be possible to open via direct web access). So once we store sessions in the DB it becomes impossible to directly access the content of the sessions in the tmp/sessions/ folder by guessing (or stealing) session tokens.

@mattab commented on October 2nd 2018 Member

On top of activating DB sessions by default, we also want to:

add a system check that warns people if the sessions are using files.

It is important that people use DB sessions for maximum security and ensuring session files can't be read (when accessed directly).
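The two comments above describe a system check for file-based sessions and the reason it matters: with `session_save_handler = files`, the session data sits under tmp/sessions/ and is only as private as the web server's access rules, which Matomo ships for Apache but not for IIS or Nginx. The script below is an added example of such a check and is not Matomo's own code. It assumes Matomo's config/config.ini.php uses the `[General]` section and the `session_save_handler` key with the values `files` and `dbtable`, that the project's tmp/ directory is reachable under the site's base URL, and that PHP names session files `sess_<id>`. The sample config texts are constructed, and the HTTP fetcher is injected so the probe can be exercised offline.

```python
"""Audit a Matomo/Piwik install for file-based sessions (added example, not project code).

Two checks:
  1. Static: does config/config.ini.php select the 'files' session handler?
  2. Live:   does the web server hand out tmp/sessions/sess_<id> on a direct GET?
     Run the live probe only against your own install, with your OWN session id
     (the value of your session cookie), never with somebody else's.
"""
import configparser
import sys
import urllib.error
import urllib.request

# Constructed samples in the shape Matomo writes to config/config.ini.php.
# The leading ';' line is the usual PHP guard and is a comment to INI parsers.
SAMPLE_CONFIG_FILES = """\
; <?php exit; ?> DO NOT REMOVE THIS LINE
[database]
host = "127.0.0.1"
[General]
session_save_handler = "files"
"""

SAMPLE_CONFIG_DB = """\
; <?php exit; ?> DO NOT REMOVE THIS LINE
[General]
session_save_handler = "dbtable"
"""


def session_handler(config_text, default="files"):
    """Return the configured session_save_handler.

    `default` is the value global.ini.php would supply when config.ini.php does not
    override it ('files' before Matomo 3.7.0 per the thread above; 'dbtable' after).
    """
    # strict=False: Matomo repeats keys such as trusted_hosts[], which strict mode rejects.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(config_text)
    value = parser.get("General", "session_save_handler", fallback=default)
    return value.strip().strip('"\'')


def audit_config(config_text, default="files"):
    """System-check style result: a list of warning strings (empty means OK)."""
    warnings = []
    if session_handler(config_text, default) == "files":
        warnings.append(
            "session_save_handler is 'files': session data lives under tmp/sessions/ and "
            "is only as private as the web server's access rules; set it to 'dbtable'."
        )
    return warnings


def probe_session_file(fetch, base_url, session_id):
    """True if GET <base_url>/tmp/sessions/sess_<session_id> returns 200 with a body.

    `fetch(url) -> (status, body_bytes)` is injected so the check is testable offline.
    A 403/404 here only shows that this path is blocked, not that sessions are safe;
    storing sessions in the database is the fix that does not depend on server rules.
    """
    url = f"{base_url.rstrip('/')}/tmp/sessions/sess_{session_id}"
    status, body = fetch(url)
    return status == 200 and len(body) > 0


def http_fetch(url, timeout=5):
    """Real fetcher for the live probe: (status, body), never raises."""
    req = urllib.request.Request(url, headers={"User-Agent": "session-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, b""
    except urllib.error.URLError:
        return 0, b""


if __name__ == "__main__":
    # usage: audit.py [path/to/config.ini.php] [base_url] [own_session_id]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG_FILES
    for w in audit_config(text):
        print("WARNING:", w)
    if len(sys.argv) > 3:
        exposed = probe_session_file(http_fetch, sys.argv[2], sys.argv[3])
        print("session file directly readable over HTTP:", exposed)
```

The static check mirrors what the proposed system check would report; the live probe is the practitioner's confirmation of the IIS/Nginx concern. A 200 with a body means anyone who can guess or steal a session id can read the serialized session, including the authenticated user's identity.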

@tsteur commented on October 4th 2018 Member

If it is so important, why do you keep the functionality in there?

@mattab commented on October 4th 2018 Member

:boom: even better! let's remove the feature of file-based sessions :tada:
