Re: register_globals - turning on
From: Gordon Burditt (gordonb.aoo7j_at_burditt.org)
Date: 07/16/04
- Next message: Phil Roberts: "Re: how does the PHP interpreter work?"
- Previous message: deko: "Re: How to count lines in a file that meet criteria?"
- In reply to: John: "Re: register_globals - turning on"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 15 Jul 2004 22:00:41 GMT
>>>Firstly, I'm not too sure what exactly a .htaccess file is? Is it
>>
>>A .htaccess file is an Apache configuration file. *IF* you are
>>allowed to use one, you may put it in your web directory and it
>>affects all subdirectories under that directory, unless overridden
>>by a .htaccess file in a subdirectory. One thing a .htaccess file
>>can do is set per-directory options for PHP when it is run as
>>an Apache module (using it as a module is the standard setup).
>>
>>>just like an include file that each page references and loads the
>>>settings from?
>>>
>>>It suggests the following for the .htaccess file:
>>>
>>>php_flag register_globals off
>>
>>Turns register_globals off. Duh!
>>
>>>php_value session.save_path /home/user/siteroot/sess/users
>>
>>Sessions contain persistent data, and you have to have
>>some place to save this data. This specifies where.
>>/tmp is not a particularly secure place for it, especially
>>if you share the server with other people. The web server
>>user needs to be able to read and write files here.
>
>So basically using the .htaccess is a safe way of enabling sessions to
>work, without having to turn on register_globals.
No, the above .htaccess directive is a way of enabling sessions to
work without having to put an ini_set() call at the beginning of
each and every page to force the session save files to be put
into a safe place. Sessions work fine without register_globals.
Session files can be put in an insecure place WITH register_globals.
It's a separate issue.
>>>php_value session.gc_maxlifetime xxx
>>
>>How long to save data for sessions that go stale.
>>"gc" stands for "garbage collection" (of sessions).
>>
>>>php_value include_path .:/home/user/siteroot.com/sess
>>
>>Where to look for stuff included with "include".
>>
>>>php_value auto_prepend /home/user/siteroot.com/sess/path_file.php
>>
>>Stick this file on the beginning of every PHP page processed. (an
>>"automatic include"). It can, among other things, start up your
>>sessions.
>
>Do I stick that at the start of every single page or just the ones
>requiring users to be logged in to access?
No, you put that in the .htaccess file at the top of the tree
you want to have it affect. An alternative is to put an
include('/home/user/siteroot.com/sess/path_file.php');
at the beginning of each and every php page (or perhaps, each and
every php page where it's actually needed). This is a lot of work.
>>>I'm not too sure on what all the above does, except for the first
>>>line, so if you could break it down for me I'd be very grateful. The
>>>paths are a tad confusing as well. I'm not too sure how that would
>>>relate when I'm running locally, or if I'm with a host? I wouldn't
>>>know what if anything the paths would need changing to.
>>
>>The paths need to EXIST and point to disk space you can control.
>>In the case of session data, the web server needs to be able
>>to read and write files there. In the case of the include directory,
>>the web server needs to be able to read files there, and you
>>probably shouldn't let anyone else write on them.
>
>This include path. Is this just where you would put all the .inc
>files that contain the username, password and db connection info etc?
Yes. And possibly files that contain common functions and classes
also. Anything included by include or require might go here.
Whether you put it here or in the same directory as what included it
is a matter of style, and how many things need to include it.
Generally I prefer to put database passwords & such in an include
file OUTSIDE the document tree. If PHP is working, it will be used
and not show it. If PHP is NOT working (I've managed to break it
briefly while upgrading Apache or PHP), it's outside the document
tree so Apache won't show it as text while it doesn't recognize the
.php or .inc extension. Either way, your db password won't get
leaked. This technique does NOT, however, protect you against other
users of the same server.
>>>PS. If anyone watches the series Stargate SG-1 I am very much like the
>>>character O'Neil played by Richard Dean Anderson ex MacGyver fame. In
>>>the series he always gets lost with the technical scientific terms and
>>>needs things explaining more simply :)
>>
>>Can I have a sample of Naquadria?
>
>I don't think they've discovered any on this planet yet, though a lot
>of the stuff we have is just as bad. You can probably get some red
>mercury in a can of Coke if you visit one of the ex-Soviet countries.
>I heard they sell them for less than the original product it
>contained.
Gordon L. Burditt
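As an added illustration of the setup discussed in this thread (this is example code written for this archive page, not code from Gordon or the original poster), here is what the auto-prepended `path_file.php` could look like together with the `.htaccess` it pairs with. The paths follow the thread's layout and are assumptions, `db_config.inc` is a hypothetical file name, and note that the real Apache/PHP directive is `auto_prepend_file`, not `auto_prepend`. The prepend file checks the points raised above before starting the session: register_globals is off, the session save directory is writable by the web server but not shared with other users of the box, and the credentials include is found via include_path and lies outside the document tree so a broken PHP module cannot serve it as text.

```php
<?php
// path_file.php -- the file pulled in at the top of every page by the .htaccess
// auto_prepend_file directive. Added example for this archive page, not code from
// the original post. Paths are assumptions based on the thread's layout.
//
// Matching .htaccess (PHP running as an Apache module):
//   php_flag  register_globals         off
//   php_value session.save_path        /home/user/siteroot.com/sess/users
//   php_value session.gc_maxlifetime   1440
//   php_value include_path             .:/home/user/siteroot.com/sess
//   php_value auto_prepend_file        /home/user/siteroot.com/sess/path_file.php

function config_fail($msg)
{
    // Log the detail server-side; never echo paths or settings to the client.
    error_log('path_file.php: ' . $msg);
    header('HTTP/1.1 500 Internal Server Error');
    exit('Server configuration error');
}

// 1. register_globals must be off. On PHP 5.4+ the directive no longer exists and
//    ini_get() returns false, which passes this check.
if (ini_get('register_globals')) {
    config_fail('register_globals is on');
}

// 2. session.save_path must be a directory the web server can write to, and it
//    should carry no group/other permission bits, which rules out a shared /tmp.
$savePath = ini_get('session.save_path');
// PHP allows an optional "N;" depth prefix here (e.g. "2;/path"); strip it.
if ($savePath !== false && ($semi = strrpos($savePath, ';')) !== false) {
    $savePath = substr($savePath, $semi + 1);
}
if ($savePath === false || $savePath === '' || !is_dir($savePath) || !is_writable($savePath)) {
    config_fail('session.save_path is not a writable directory: ' . var_export($savePath, true));
}
if ((fileperms($savePath) & 0077) !== 0) {
    config_fail('session.save_path is accessible to other users: ' . $savePath);
}

// 3. Database credentials live in an include resolved via include_path; refuse to
//    continue if that file turns out to sit inside the document root.
$credFile = stream_resolve_include_path('db_config.inc'); // hypothetical file name
if ($credFile === false) {
    config_fail('db_config.inc not found on include_path');
}
$docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
if ($docRoot !== false) {
    $prefix = $docRoot . DIRECTORY_SEPARATOR;
    if (strncmp(realpath($credFile), $prefix, strlen($prefix)) === 0) {
        config_fail('db_config.inc is inside the document root and could be served as text');
    }
}
require $credFile; // assumed to define $db_user, $db_pass, etc.

// 4. Start the session with cookie-only IDs so the ID never travels in a URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
```

Because the file is prepended by Apache rather than included by each page, the checks run for every request, including pages that never log anyone in; the permission test on `session.save_path` is the one that catches the shared-`/tmp` problem the thread warns about.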