Closed midlan closed 1 year ago
Interesting. If an attacker has access to the Redis server, they can also just inject their own session to take over any user, and the hashing wouldn't stop them from doing that, so I think an attacker having Redis access means you are basically already fully compromised, and therefore hashing the session id would just add one thin layer of obscurity.
When an attacker gains partial access to the server, it is really easy to steal all session ids with a simple command:
From my view, it is wrong that the session_id is used as a plain-text Redis key. I would hash+salt the session_id to create the Redis key. If this were applied, the attack described above would not be possible, because the only thing you would get would be hashes that cannot be used as a cookie in the browser. It protects the sessions even against on-purpose-privileged people, like server admins.
With the filesystem sessions, you can protect against such an attack by setting the file owner to root and disallowing the webserver user to list the files inside the sessions directory (chmod a-x sessions_dir). Switching to Redis sessions is a step down from a security point of view, as the session_ids are visible.
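One way the hashed-key idea from the post above can be implemented, as an added example that is not this project's code. The Redis key is derived with HMAC-SHA256 under a fixed server-side secret: the "salt" has to be a constant the server knows, because a per-entry random salt would make the lookup on the next request impossible. The secret value, the `sess:` prefix, the function names and the dict standing in for Redis are all constructed for this example.

```python
import hashlib
import hmac
import json
import secrets

# Server-side secret that keys the hash. Constructed placeholder for this
# example; a real deployment would load it from configuration, not source.
SESSION_KEY_SECRET = b"example-server-secret-rotate-me"

# Stand-in for the Redis instance: a plain dict so the example runs offline.
redis_stub: dict = {}


def session_store_key(session_id: str, secret: bytes = SESSION_KEY_SECRET) -> str:
    """Derive the Redis key from the session id without storing the id itself.

    A keyed hash (HMAC-SHA256) is used rather than a plain hash: the derivation
    must be deterministic so lookups work, so the "salt" is a fixed server-side
    secret. Someone who can only read the store sees keys that cannot be turned
    back into cookie values without that secret.
    """
    digest = hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"sess:{digest}"


def new_session_id() -> str:
    """Generate a high-entropy session id for the cookie; it is never stored verbatim."""
    return secrets.token_urlsafe(32)


def save_session(session_id: str, data: dict, store: dict = redis_stub) -> str:
    """Persist session data under the derived key (Redis SET equivalent)."""
    key = session_store_key(session_id)
    store[key] = json.dumps(data)
    return key


def load_session(session_id: str, store: dict = redis_stub):
    """Look the session up by re-deriving the key from the cookie value (Redis GET)."""
    key = session_store_key(session_id)
    raw = store.get(key)
    return None if raw is None else json.loads(raw)


def stored_keys_reveal_session_id(session_id: str, store: dict = redis_stub) -> bool:
    """What a read-only dump of the store yields: True if the raw id appears in any key."""
    return any(session_id in key for key in store)


if __name__ == "__main__":
    sid = new_session_id()
    save_session(sid, {"user_id": 42})
    print(load_session(sid))            # {'user_id': 42}
    print(list(redis_stub))             # one key of the form sess:<64 hex chars>
    print(stored_keys_reveal_session_id(sid))  # False
```

This addresses the read-only disclosure the issue describes (a key listing no longer yields cookie values). It does not change the picture for someone with write access who also holds a valid session of their own, since they can derive their own key from their cookie and rewrite that entry's data, which is the concern raised in the reply.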