#1
I have a couple of questions about e-commerce and security.

Questions specific to Hostgator:
Where are the session files kept? They don't seem to be in my /tmp folder, ever.
Where are my mysql databases stored? I can access them through phpmyadmin, of course.
Since I'm on a shared server, how is the ownership allotted? Is the webserver considered "nobody"? Can anyone else view my files? (For instance, by doing "ls /tmp/sess_*")
Basically with these three questions I just want to make sure that they're hidden. There have been a couple of times where Hostgator was in a process and I could temporarily view the names of other people's mysql databases... so I worry a bit about that.

What other security precautions (other than the following) should website owners take?
- No session id in the address bar
- Initialize all variables (though Global variables are off)
- Validate all variables (for type, structure, content, etc.)
- Any include calls do not reference user input
- Any mysql calls that reference user input check for malicious input
- Submitted form processing checks for malicious input
- All passwords and payment info is encrypted (in addition to the SSL) and stored in databases (separately) or sessions (not in cookies)
- Check for changes in browser info during sessions

Questions about SSL:
What exactly is involved in an SSL certificate installation (which we'll be having Hostgator do)? Do they add lines to my code? Add another file to my website? Actually install programming? Does my code just have to reference the "https" bit?

Thanks,
chickens

[edited to streamline]
Last edited by chickens; 02-07-2006 at 03:18 PM.
#2
Quote: Where are the session files kept? They don't seem to be in my /tmp folder, ever.
If you are using sessions, that is where they will be.

Quote: Where are my mysql databases stored? I can access them through phpmyadmin, of course.
Above the root of your site; you can't see them.

Quote: Since I'm on a shared server, how is the ownership allotted? Is the webserver considered "nobody"?
Yes, scripts run as nobody.

Quote: Can anyone else view my files?
It's a website... what do you think.

Quote: (For instance, by doing "ls /tmp/sess_*")
No one has shell access on a shared server except support, so no ls.

Quote: Basically with these three questions I just want to make sure that they're hidden. There have been a couple of times where Hostgator was in a process and I could temporarily view the names of other people's mysql databases... so I worry a bit about that.
That would be rare and I doubt it actually happened.

Quote: What other security precautions (other than the following) should website owners take?
Those should do.

Quote: Questions about SSL: What exactly is involved in an SSL certificate installation (which we'll be having Hostgator do)? Do they add lines to my code?
No, but you must not mix http and https, so no hard-coded http lines in code that should be https, like for image files.

Quote: Add another file to my website?
No.

Quote: Actually install programming?
No.

Quote: Does my code just have to reference the "https" bit?
Once you switch over to https, you don't need to do anything.
#3
Serra - I appreciate your taking the time to help.

I figured that the ls command might be shell (which I know Hostgator doesn't allow), but I wasn't sure. When I could view tables or databases belonging to someone else, I didn't try to actually view data, but I could see the names. But it was very brief.

As far as sessions, even when I have one started I can't see it in my /tmp file, so I was thinking it was held in a higher file on the Hostgator tree, but it shouldn't matter either way, I suppose.

Thanks much,
chickens
#5
I've been reading lately about sessions getting hijacked. Do you think it's worth it to put the session variables temporarily in a database table (accessed by the session id)? It doesn't seem like this would have much benefit.
|
|
#6
There is a good way to prevent session hijacking, and that is SSL. It's hard to hijack an SSL-protected session.

The problem is that even with a database, you can't do anything. Let's say you store an IP address, username and crypted password in the session and then compare them with the same from the database. The session hijacker gets all those when they hijack the session, so they spoof the IP and present the username and crypted password as they are, and they are in.

By not using cookies or putting session IDs in the URL, you can protect yourself, but there is no foolproof way (other than SSL). If you want to cut down on possible hijacking, then verify the IP and browser type on each page. Ensure the username and crypted password are in the password database as well. This will limit attackers, but not stop them.

Checkout: http://shiflett.org/articles/the-truth-about-sessions