I know that on regular shared hosting, storing PHP sessions in the default location (/tmp) may present security issues. A VPS does not have this issue. Therefore, I assume VPS cloud hosting does not. But what about regular cloud hosting? Is that just shared hosting over multiple computers, meaning that PHP sessions would still be vulnerable to the prying eyes of other webhosting clients on that cloud? Or is there something different about (non-VPS) cloud hosting that protects from PHP session storage location vulnerabilities?
2 Answers
Shared hosting simply means that your web hosting provider places multiple web sites on a single server.
Cloud hosting uses the same concept and is in reality just another type of shared hosting, but with greater upwards and downwards scalability.
One issue with shared hosting is that within the context of a single server, there is a fixed amount of physical space. Although the hosting provider will provision their servers in such a way that you don’t run into capacity problems, the issue still remains. Cloud hosting removes that possibility by replacing the concept of the individual physical server, with that of a virtualized and highly scalable infrastructure.
But security is still a concern in cloud hosting. The only difference is that your files are stored on multiple servers. And you do not know and trust where the files are stored. So for better session handling and security I would advise you to use a database to store and manage sessions, for the following reasons.
Only you have access to the session data. In shared hosting this can help you a lot.
Each server will have its own directory where these session files are maintained, so if you are employing load balancing across multiple servers there is no guarantee that a request for an existing session will be given to the server which is maintaining the state for that session.
It would be difficult for a site administrator to perform such queries as "how many sessions are currently active?" or "which users are currently logged in?". But if you are storing them in the database then you can track this.
The application needs to be able to run on multiple servers without server affinity.
Here is a great article about storing sessions in a database by Chris Shiflett.
Hope it helps.

Storing sessions in a database on a cloud could get very expensive very quickly. Also, those points are mainly for conventional load balancing. In cloud computing the web server instance should remain mostly stateless. When you upscale, sessions will be created on new instances and deleted when you downscale, which would lose all session data. More commonly, file-based sessions are stored on your block devices with your web files; this is pushed to all instances, and the load balancer will not need to be concerned with who started a session and where. – Steve Buzonas Apr 18 '12 at 23:06
I could be wrong, but most "cloud hosting" services, as in not a "VPS" service, are just shared hosting on a cloud server that the host scales up as needed.
The only time I find storing sessions in, say for example "/temp", secure, is when I'm the only person using the server.
